An authentication method used to prove the identity of a user logging into the network. When a user logs on, the network access server (NAS), wireless access point or authentication server creates a "challenge," which is typically a random number sent to the client machine. The client software uses its password or a secret key to encrypt the challenge via an encryption algorithm or a one-way hash function and sends the result back to the network (the "response"). The authentication system also performs the same cryptographic process on the challenge and compares its result to the response from the client. If they match, the authentication system has verified that the user has the correct password.
Challenge/response systems may also work with an authentication token, which is a smart card or credit-card sized card that users have in their possession. When they log in, they respond to the challenge by either inserting their smart card into a reader or typing in the password displayed on the card's readout. See authentication token, authentication, access control and CHAP.
In this example, either the network access server or the authentication server generates a random number and sends it to the client as the challenge. The client uses a hash algorithm to combine the challenge and password and sends the result back. The originating component performs the same hash step and compares it to the client's result. If they match, the system knows the client has the correct password.
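Both sides of the exchange described above, as an added example that is not part of the original entry; the function names, the 16-byte challenge length and the choice of HMAC-SHA256 as the one-way hash are assumptions:

```python
import hashlib
import hmac
import secrets

# Added example (not from the original entry). The server/NAS issues a fresh
# random challenge; the client keys a one-way hash with its password over that
# challenge; the server recomputes the same value from its stored copy of the
# password and compares. The password itself never crosses the wire, but note
# that the verifier must hold the shared secret to recompute the response.


def make_challenge(nbytes: int = 16) -> bytes:
    """Server/NAS side: an unpredictable, single-use random challenge."""
    return secrets.token_bytes(nbytes)


def compute_response(password: str, challenge: bytes) -> bytes:
    """Client side: combine challenge and password with a keyed one-way hash
    (HMAC-SHA256 is an assumption here). Only this digest is sent back."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def verify_response(stored_password: str, challenge: bytes, response: bytes) -> bool:
    """Authentication-server side: recompute the expected response from the
    stored password and compare in constant time."""
    expected = compute_response(stored_password, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_password: str, server_password: str) -> bool:
    """Simulate one complete login: challenge -> response -> verify."""
    challenge = make_challenge()            # server -> client
    response = compute_response(client_password, challenge)  # client -> server
    return verify_response(server_password, challenge, response)


if __name__ == "__main__":
    print(run_exchange("correct horse", "correct horse"))  # True
    print(run_exchange("wrong guess", "correct horse"))    # False
```

Because each challenge is random and used once, a response captured from an earlier login does not verify against a later challenge, which the `verify_response` check makes visible when run with a different challenge.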