Challenge-Response Authentication

Challenge-response authentication is a cryptographic protocol that lets a client prove it knows the user's password without ever sending the password itself. Using this method, the application first obtains a random challenge from the server. It then computes the response by applying a cryptographic hash function to the server challenge combined with the user's password. Finally, the application sends the response, along with the original challenge, back to the server. Because the hash function is one-way, the password cannot be recovered from the response in any practical amount of time; and because each challenge is freshly generated, a response captured from the network is useless against a different, later challenge.

Upon receiving the response, the server applies the same hash function to the challenge combined with its own copy of the user's password. If the resulting value matches the response sent by the application, the user has, with overwhelming probability, submitted the correct password.

Note that the Zenfolio user database does not store actual user passwords. Instead, it stores a cryptographic hash of each password combined with a randomly generated, per-user salt value. A compromise of the Zenfolio server therefore does not directly expose user passwords: an attacker holding the database would still have to guess each password offline, and the per-user salt prevents a single table of precomputed hashes from being reused across accounts. (This also means that if you forget your password, nobody at Zenfolio can tell you what it is. Zenfolio Customer Support can help you reset your password, but that is all.)

Since the server has no access to clear-text passwords, the challenge-response protocol described above is modified to use password hashes in place of the passwords themselves. One consequence is worth keeping in mind: the salted password hash is the value the server actually checks against, so anyone who obtains it can compute valid responses without knowing the password. Treat it as a secret in its own right, on the client as well as on the server. The exact authentication protocol works as follows:

  1. The application invokes the GetChallenge method with the user login name. The method returns an AuthChallenge object that contains a random challenge generated by the server and the password salt to be used when hashing the user's password.
  2. The application transforms the plain-text password entered by the user into a series of bytes by applying UTF-8 encoding. The application then appends the password bytes to the salt received from the server and computes the SHA-256 hash of the combined series of bytes. The resulting value is the password hash (here || denotes byte concatenation):
    PasswordHash := SHA-256(PasswordSalt || UTF-8(password))
  3. The application then appends the bytes of the password hash to the challenge bytes obtained from the server and computes the SHA-256 hash of the combined series of bytes. The resulting value is the response:
    Response := SHA-256(Challenge || PasswordHash)
  4. The application invokes the Authenticate method with the original server challenge and the response computed in the previous step. If authentication succeeds, Authenticate returns the authentication token to be included with subsequent requests to the Zenfolio API.
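The full exchange, with both the client and the server side of steps 1 through 4, as an added Python example. This is not Zenfolio's code or SDK; the Server class is an in-memory stand-in for GetChallenge and Authenticate, and the salt and challenge lengths, the token format, the one-time consumption of challenges and the handling of unknown logins are all assumptions. It also shows a wrong password being rejected, a consumed challenge being refused on replay, and the salted hash alone being sufficient to log in.

```python
import hashlib
import hmac
import os
import secrets

# Sizes are assumptions: the page does not state the salt or challenge
# length Zenfolio uses.
SALT_LEN = 16
CHALLENGE_LEN = 32


def password_hash(salt: bytes, password: str) -> bytes:
    """PasswordHash := SHA-256(PasswordSalt || UTF-8(password))."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def response_for(challenge: bytes, pw_hash: bytes) -> bytes:
    """Response := SHA-256(Challenge || PasswordHash)."""
    return hashlib.sha256(challenge + pw_hash).digest()


class Server:
    """Server side (stand-in, not Zenfolio's): stores salted hashes only."""

    def __init__(self):
        self.users = {}     # login -> (salt, password_hash); constructed, in memory
        self.pending = {}   # login -> challenge issued but not yet consumed

    def register(self, login: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self.users[login] = (salt, password_hash(salt, password))
        # The plain-text password is dropped here; only the salted hash is kept.

    def get_challenge(self, login: str):
        """Stand-in for GetChallenge: returns (challenge, salt), or None."""
        if login not in self.users:
            return None  # assumption: unknown logins receive no challenge
        salt, _ = self.users[login]
        challenge = os.urandom(CHALLENGE_LEN)
        self.pending[login] = challenge
        return challenge, salt

    def authenticate(self, login: str, challenge: bytes, response: bytes):
        """Stand-in for Authenticate: returns a token on success, else None."""
        issued = self.pending.pop(login, None)  # each challenge is consumed once
        if issued is None or not hmac.compare_digest(issued, challenge):
            return None  # no outstanding challenge, or a replayed/forged one
        _, stored_hash = self.users[login]
        expected = response_for(challenge, stored_hash)
        if not hmac.compare_digest(expected, response):
            return None  # constant-time compare: no timing leak on the match
        return secrets.token_hex(16)  # token format is an assumption


def client_login(server: Server, login: str, password: str):
    """Client side: steps 1-4, starting from the plain-text password."""
    issued = server.get_challenge(login)                     # step 1
    if issued is None:
        return None
    challenge, salt = issued
    pw_hash = password_hash(salt, password)                  # step 2
    response = response_for(challenge, pw_hash)              # step 3
    return server.authenticate(login, challenge, response)   # step 4


def login_with_stored_hash(server: Server, login: str, pw_hash: bytes):
    """Why the stored hash must be protected: it alone yields valid responses."""
    issued = server.get_challenge(login)
    if issued is None:
        return None
    challenge, _ = issued
    return server.authenticate(login, challenge, response_for(challenge, pw_hash))


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")
    print("good password:", client_login(srv, "alice", "correct horse battery staple") is not None)
    print("bad password: ", client_login(srv, "alice", "Tr0ub4dor&3") is not None)
```

Two details matter in practice: the server compares both the echoed challenge and the response with hmac.compare_digest so that a byte-by-byte mismatch does not leak timing, and each challenge is removed from the pending table when it is checked, so a captured (challenge, response) pair cannot be submitted a second time.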