Often, electronic communication on a computer network involves one computing system (hereinafter called a “challenger”) issuing an interactive challenge to another computing system (hereinafter called a “challengee”). The challengee may then acquire some information originating from a user, and use that information to generate a challenge response. Such an interactive challenge is often done for purposes of authentication, but may be done for other purposes as well.
As an example, the challengee may issue to the challenger a security token request that includes a username and password. However, before issuing the security token, the challenger may require a correct response to a challenge. For instance, the challenger might ask the challengee to provide a Personal Identification Number (PIN) for its user, might require the user to enter an additional one-time-use password, and/or might require the user to enter text as it appears in an image provided by the challenger. Upon a successful response to the challenge, the challenger may then provide the requested security token to the challengee.
Existing challenge mechanisms often utilize specialized protocols to issue challenges and receive responses to them. Some of these specialized protocols prescribe both the types of challenges that are used and the algorithms used to implement those challenges. Others allow the algorithms used to implement challenges to be varied. However, while the algorithms can be varied, the types of challenges typically cannot. This makes it difficult to extend the typical challenge protocols to support additional types of interactive challenges as well as additional algorithms for implementing them.
For example, the security token service (STS) framework defined by WS-Trust allows for a simple request and response for security tokens, as well as an extension mechanism to enable exchanges for negotiation and challenges. The WS-Trust specification defines a “signature challenge” construct as a specific type of exchange that makes use of that extension mechanism for general exchanges.
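The request/challenge/response/token flow described above, and the extensibility problem it raises, can be made concrete with a small model. The following Python is an added example, not code from this document, from the patent's method, or from the WS-Trust specification, and it does not reproduce WS-Trust's wire format. It models a challenger (token issuer) and a challengee exchanging an interactive challenge, with the challenge type chosen from a registry so that a new type (PIN, one-time password, image text, or anything else) can be added by registering a verifier rather than changing the exchange itself. All names, message shapes, and sample credentials are constructed for illustration.

```python
"""Illustrative model of an interactive challenge exchange between a
'challenger' (security token issuer) and a 'challengee' (client), with an
extensible registry of challenge types.  Added example: the names, message
shapes and sample credentials below are constructed, not taken from the
original document or from WS-Trust."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Registry mapping a challenge type name to a verifier function.  Adding a
# challenge type means registering one more entry; the exchange logic in
# Challenger does not change.  This is the extension point the text says
# typical challenge protocols lack.
ChallengeVerifier = Callable[[dict, str], bool]
CHALLENGE_TYPES: Dict[str, ChallengeVerifier] = {}


def register_challenge(name: str):
    """Decorator that makes a verifier available under a challenge type name."""
    def deco(fn: ChallengeVerifier) -> ChallengeVerifier:
        CHALLENGE_TYPES[name] = fn
        return fn
    return deco


@register_challenge("pin")
def verify_pin(user_secrets: dict, answer: str) -> bool:
    # Constant-time comparison so timing does not reveal how many digits matched.
    return hmac.compare_digest(user_secrets["pin"], answer)


@register_challenge("otp")
def verify_otp(user_secrets: dict, answer: str) -> bool:
    # A real deployment would derive the expected value (e.g. TOTP); constructed here.
    return hmac.compare_digest(user_secrets["otp"], answer)


@register_challenge("image_text")
def verify_image_text(user_secrets: dict, answer: str) -> bool:
    # Image-text (CAPTCHA-style) answers are compared case-insensitively here.
    return hmac.compare_digest(user_secrets["text"].lower(), answer.strip().lower())


@dataclass
class Challenge:
    challenge_id: str   # opaque handle the challengee echoes back with its response
    kind: str           # registered challenge type name
    prompt: str         # what the challengee should ask its user for


@dataclass
class Challenger:
    """Security token issuer holding per-user secrets (constructed sample data)."""
    users: Dict[str, dict]
    max_attempts: int = 3
    _pending: Dict[str, dict] = field(default_factory=dict)

    def request_token(self, username: str, password: str, kind: str) -> Challenge:
        """Step 1: challengee sends username/password; challenger answers with a challenge."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("bad credentials")
        if kind not in CHALLENGE_TYPES:
            raise ValueError(f"unsupported challenge type: {kind}")
        cid = secrets.token_hex(8)
        self._pending[cid] = {"user": username, "kind": kind, "attempts": 0}
        return Challenge(cid, kind, f"Please provide your {kind}")

    def respond(self, challenge_id: str, answer: str) -> Optional[str]:
        """Step 2: challengee returns the user's answer; token on success, None on a
        wrong answer, PermissionError once the attempt budget is exhausted."""
        state = self._pending.get(challenge_id)
        if state is None:
            raise PermissionError("unknown or expired challenge")
        state["attempts"] += 1
        user = self.users[state["user"]]
        if CHALLENGE_TYPES[state["kind"]](user["secrets"], answer):
            del self._pending[challenge_id]
            return f"TOKEN-for-{state['user']}-{secrets.token_hex(4)}"   # constructed token format
        if state["attempts"] >= self.max_attempts:
            del self._pending[challenge_id]   # close the exchange after too many failures
            raise PermissionError("too many failed challenge responses")
        return None


# Constructed sample user store.
SAMPLE_USERS = {
    "alice": {"password": "correct horse",
              "secrets": {"pin": "4821", "otp": "113355", "text": "K7pQ2"}},
}


def run_exchange(kind: str, answers: List[str]) -> Optional[str]:
    """Drive one full exchange as the challengee would; return the token or None."""
    challenger = Challenger(users=SAMPLE_USERS)
    ch = challenger.request_token("alice", "correct horse", kind)
    token = None
    for a in answers:          # each answer models one user-supplied response
        token = challenger.respond(ch.challenge_id, a)
        if token:
            break
    return token


def exchange_is_refused(kind: str, answers: List[str]) -> bool:
    """True if the challenger terminates the exchange (attempt budget exhausted)."""
    try:
        run_exchange(kind, answers)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(run_exchange("pin", ["4821"]))
    print(run_exchange("image_text", [" k7pq2 "]))
    print(exchange_is_refused("otp", ["000000", "111111", "222222"]))
```

The challenge identifier is the only state the challengee has to carry between messages, which is what lets the same two-message exchange serve any registered challenge type; the attempt budget and constant-time comparisons are the minimum a challenger should apply whatever the type.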