
The program I am writing requires that the user gets challenged for a response password from an admin before it will execute code, and the challenge is dynamic (not the same challenge each time). The challenge information needs to be short and something a casual user can read to someone else over the phone.

I have been doing research, but most of the information out there is for more complex high-security approaches, which is not needed in this instance, as we are not protecting nuclear information or anything. Other things I have found have been very simple: provide x and then give the answer z, which is calculated by x + y = z, but that is far too simple.

Solution I am trying to avoid: providing an encrypted key that is extremely hard for people to verbally communicate to another person to get a response code.

Are there any solutions already out there that provide this type of challenge, or will I be stuck with long strings of random characters?

Update:

The admin will have no information on the user. I am just seeking a simplistic algorithm that isn't a simple math equation, if one exists. The challenge for the user is auto-generated via an algorithm that the admin can use to provide the response value. It can be alpha or numeric, but it must be small and simple.

  • How about scrambled words or sentences? – kbzombie Feb 05 '15 at 00:22
  • Why not a more complicated formula than the one you have above? Wouldn't that work? Does the admin have access to any information about the user, such as their username or the computer name? You could include those in your encryption code so that the response for challenge '345' will be different from user to user and machine to machine. – Rufus L Feb 05 '15 at 00:26
  • It's not clear what your requirements are: does the password need to be automatically generated? Generated and re-generated on the fly, per request? How much human interaction is involved? Are you allowed to persist the passwords and/or challenges in a database? – Nate Barbettini Feb 05 '15 at 00:32
  • My post has been updated. Just looking for something very simplistic, nothing to do with databases or anything. – Jesse Feb 05 '15 at 00:36

1 Answer

Assuming you have some information you want to generate the "password" from, you can combine all the pieces of information, hash them with a salt (e.g. SHA256) and take as many bytes as you find useful - like 2-3 bytes to produce a short number. This way you can easily re-compute the same value from the data provided in order to verify it.

```csharp
// ComputeByteArraySha256 stands for a SHA-256 helper returning a byte[];
// AdminName, UserName and SecretSalt are the pieces of information being combined.
var codeByte = ComputeByteArraySha256(
      DateTime.Today + AdminName + UserName + SecretSalt)[13];
var codeText = codeByte.ToString();
```

Depending on the actual security requirements, several bytes of the hash may be enough.

Mixing in some additional information (like the latest version of the data in a DB) may give you the ability to expire such tokens or have one-use tokens.

Providing such a code over a well-known channel to the user (like a pre-registered e-mail address/phone) is a widely used approach to validate a user's identity.

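A runnable version of the approach in the answer (short numeric challenge, response derived from a keyed hash of the challenge plus date, user and admin, truncated to a few digits), added here as an example; it is not the answerer's code or any project's. It assumes a shared secret `SECRET_SALT` (a constructed value), 6-digit codes, and uses HMAC-SHA256 instead of hashing a plain concatenation:

```python
import datetime
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example; in a real deployment it is configured
# once and known only to the program and the admin's response tool.
SECRET_SALT = b"constructed-example-secret-do-not-reuse"
CODE_DIGITS = 6


def make_challenge() -> str:
    """Fresh 6-digit challenge that the user reads to the admin over the phone."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def response_code(challenge: str, user_name: str, admin_name: str,
                  day: Optional[datetime.date] = None,
                  secret: bytes = SECRET_SALT) -> str:
    """Short numeric response derived from the challenge and its context.

    HMAC-SHA256 keyed with the shared secret over date|admin|user|challenge,
    truncated to a few decimal digits (the answer's "take 2-3 bytes" idea).
    The date makes the code expire at midnight; the names bind it to one
    user/admin pair so a code cannot be replayed for someone else.
    """
    day = day or datetime.date.today()
    msg = "|".join([day.isoformat(), admin_name, user_name, challenge]).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # First 4 bytes as an integer, keep the low CODE_DIGITS decimal digits
    # (HOTP-style truncation) so every code value is roughly equally likely.
    value = int.from_bytes(digest[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


def verify_response(challenge: str, user_name: str, admin_name: str,
                    given: str, day: Optional[datetime.date] = None,
                    secret: bytes = SECRET_SALT) -> bool:
    """Check the code the user typed back, using a constant-time comparison."""
    expected = response_code(challenge, user_name, admin_name, day, secret)
    return hmac.compare_digest(expected, given.strip())


if __name__ == "__main__":
    chal = make_challenge()                              # shown to the user
    code = response_code(chal, "jesse", "admin1")        # computed by the admin
    print(f"challenge {chal} -> response {code}",
          verify_response(chal, "jesse", "admin1", code))
```

Because the code space is only a million values, the program must cap the number of attempts per challenge and issue a fresh challenge after a few failures.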