An offline piece of software that does not make use of the internet knows the user's logon_ID, the system account name, and the software license string. If the user mis-enters the password three times, the software locks him out and he is presented with a request string of 16 hexadecimal characters as xxxx-xxxx-xxxx-xxxx. The user contacts the host system administrator with this xxxx-xxxx-xxxx-xxxx challenge string.

At the host, using the logon-id, the administrator searches for the user information record, which contains the account name and the software license. The administrator, using the logon-id record, pastes the user's 16-character challenge string into one field on the form. If the pasted string is in error, an error message pops up for the administrator.

If the challenge string is accepted, a response string is generated in the format xxxx-xxxx-xxxx-xxxx. This response is sent to the user via email or spoken to him.

The user pastes the received string into a receive confirmation field. The received string could fail an acceptability check because of a typing error. If the response string from the administrator is validated (what is expected), the software unlocks and asks the user to enter a new password and its confirmation. In this exchange the administrator does not know the user's new password or even the old password.

Each try for a new password by the user results in a new challenge string, different from the previous one. User and host administrator systems may be in different time-zones.

Anyone up to the challenge to solve this off-line password renewal challenge?
Updated 7-Mar-12 9:33am
Code-o-mat 7-Mar-12 14:42pm    
So you want someone to implement this for you?
lsatenstein 7-Mar-12 15:17pm    
I have figured out how to do it. In the actual implementation, the user has 20 minutes to receive the unlock string. If the response takes more than 20 minutes, it times out and the user must start over with a new system-generated challenge string. What I want to know is if there is more than one way to solve this problem.

The challenge is interesting as a problem to solve. The context is based on a secure, no-network-access environment.
lsatenstein 7-Mar-12 15:25pm    
I have not coded the solution. But I think that the challenge is good enough for a junior programmer to do so. I thought about this problem for some time before I think I found the solution.
wizardzz 7-Mar-12 15:04pm    
Anyone up to the challenge to solve offline password renewal?

It is important to know that the software in question does not have access to the internet. That is why spoken or emailed communications are used.
My first attempt would be the following: Compute the cryptographic checksum of the logon-id, account name, software license string, and a 12-bit random salt value. That sum forms the 64-bit challenge key.

On the host side, the validity of the challenge key is checked by trying all 4096 salt values and forming the same cryptographic sum from the logon-id, etc. fields from the host database. If one of the tries fits, we accept the challenge as genuine.

The response key is calculated as the cryptographic sum of a constant initialization vector, the fitting salt, logon-id, account name, software license, and a random 12-bit response salt value.

The application tries all 4096 response salt values and tries to build the same cryptographic sum (it has to know the constant initialization vector). If any of the calculated sums is equal to the received response key, it accepts the response key and lets the user register a new password.

This method can be refined by encrypting the challenge and response keys: either symmetrically, in which case the password must be embedded in the application, or with a public-key method, in which case the public key of the host side and the private key of the application side have to be embedded in the application. By embedded I mean: stored in a way that makes it possible to reconstruct the key at runtime from multiple fragments that are spread out over the code of the application, so that the key itself appears nowhere in the binary of the application.
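The challenge/response scheme sketched in the answer above, written out as an added example (not the answer author's code): SHA-256 truncated to 64 bits stands in for the "cryptographic checksum", and the record values, the constant IV and the field encoding are assumptions. It shows the host's 4096-salt search, the application's search over the response salts, and the acceptability check that rejects a mistyped key.

```python
import hashlib
import secrets

USER = {"logon_id": "jdoe", "account": "WS-07\\jdoe", "license": "LICENSE-STRING-EXAMPLE"}  # constructed record
IV = b"constant-iv-placeholder"   # assumed: the constant initialization vector both sides embed
SALT_SPACE = 1 << 12              # 12-bit salt: 4096 values to search


def fmt(key: bytes) -> str:
    return "-".join(key.hex()[i:i + 4] for i in range(0, 16, 4))   # 8 bytes -> xxxx-xxxx-xxxx-xxxx

def parse(s: str) -> bytes:
    """Acceptability check for a pasted key: ValueError on a typo or a bad layout."""
    parts = s.strip().lower().split("-")
    if len(parts) != 4 or any(len(p) != 4 for p in parts):
        raise ValueError("key must be xxxx-xxxx-xxxx-xxxx")
    return bytes.fromhex("".join(parts))   # non-hex characters raise ValueError too

def checksum(*fields: bytes) -> bytes:
    """64-bit 'cryptographic checksum': SHA-256 over length-prefixed fields, truncated to 8 bytes."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()[:8]

def ident(rec: dict) -> tuple:
    return tuple(rec[k].encode() for k in ("logon_id", "account", "license"))

def make_challenge(rec: dict, salt: int = None) -> str:
    """Application side: hash the identity fields plus a fresh 12-bit salt."""
    salt = secrets.randbelow(SALT_SPACE) if salt is None else salt
    return fmt(checksum(*ident(rec), salt.to_bytes(2, "big")))

def host_verify_challenge(rec: dict, challenge: str):
    """Host side: try all 4096 salts against the database record; return the fitting salt or None."""
    target = parse(challenge)
    for salt in range(SALT_SPACE):
        if checksum(*ident(rec), salt.to_bytes(2, "big")) == target:
            return salt
    return None

def make_response(rec: dict, fitting_salt: int, rsalt: int = None) -> str:
    """Host side: hash IV, fitting salt, identity fields and a fresh 12-bit response salt."""
    rsalt = secrets.randbelow(SALT_SPACE) if rsalt is None else rsalt
    return fmt(checksum(IV, fitting_salt.to_bytes(2, "big"), *ident(rec), rsalt.to_bytes(2, "big")))

def app_verify_response(rec: dict, own_salt: int, response: str) -> bool:
    """Application side: it knows its own salt, so only the 4096 response salts are searched."""
    target = parse(response)
    return any(checksum(IV, own_salt.to_bytes(2, "big"), *ident(rec), r.to_bytes(2, "big")) == target for r in range(SALT_SPACE))
```

Because only 4096 candidates are compared against a 64-bit value on each side, a random or mistyped key is accepted with probability about 2^-52, while the record fields bind both keys to the specific user and license.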

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
