Challenge-Response: Cryptographic Authentication in EUDI Wallets

Challenge-response authentication is a cryptographic protocol in which one party proves its identity or key possession to another without revealing the secret itself. The verifier sends a random, unpredictable challenge (typically a nonce), and the prover must compute a correct cryptographic response -- usually a digital signature or HMAC over the challenge. This mechanism is fundamental to EUDI Wallet credential presentations, ensuring that each authentication is fresh, non-replayable, and tied to the legitimate key holder.

A typical challenge-response exchange follows three steps. First, the verifier generates a random value -- the challenge. This value must be cryptographically random and sufficiently long (typically 128 bits or more) to be unpredictable. Second, the prover receives this challenge and computes a response using a secret it possesses. In public key systems, this means digitally signing the challenge with a private key. In symmetric systems, it might involve computing a keyed hash (HMAC). Third, the verifier checks the response against the expected result. For digital signatures, it verifies the signature using the prover's known public key. If the response is valid, the verifier is convinced the prover holds the corresponding secret.

The critical security property is that each challenge is unique and unpredictable. An attacker who observes one challenge-response exchange gains no advantage in future exchanges because the next challenge will be completely different. This eliminates replay attacks, where an attacker records and re-sends a valid authentication message.

Additional security can be achieved by binding the challenge to session context -- for example, including the verifier's identity, a timestamp, or the specific resource being requested. This prevents an attacker from redirecting a valid response to a different verifier or using it for a different purpose than intended.

The EUDI Wallet uses challenge-response mechanisms in several critical flows:

• •Credential Presentation (OpenID4VP): When a relying party requests a verifiable presentation, it includes a nonce in the request. The EUDI Wallet signs the presentation (containing the requested credentials and the nonce) with its device-bound private key. The verifier checks that the nonce matches and the signature is valid, confirming both credential authenticity and live holder presence.
• •Device Binding Verification: To prove that a credential is bound to a specific device, the wallet must demonstrate control of the device-bound key. The verifier sends a challenge that the wallet signs with the key stored in the device's secure element (TEE or SE). This proves the credential has not been cloned to another device.
• •Proximity Verification (ISO 18013-5): In face-to-face scenarios like presenting a mobile driving license, the mdoc protocol uses challenge-response to prove the device is physically present. The reader device generates a challenge that the wallet signs, preventing remote relay attacks.
• •Wallet Attestation: When a wallet needs to prove it is a certified, unmodified EUDI Wallet implementation, it responds to a challenge from the verifier using its wallet attestation key. This proves the wallet software is genuine and has not been tampered with.

Challenge-response protocols in the EUDI ecosystem defend against several attack vectors:

• •Replay attacks: The unique nonce in each session ensures that captured authentication messages cannot be reused. Even if an attacker records an entire credential presentation, it is worthless for future verifications because the nonce will not match.
• •Credential cloning: Because the response requires a signature from a device-bound private key that cannot be extracted from the secure element, a stolen credential file alone is useless without the original device.
• •Man-in-the-middle attacks: When the challenge includes session-binding information (such as the verifier's identity or a session ID), an intermediary cannot redirect the response to a different party.

These properties make challenge-response indispensable for high-assurance identity systems like the EUDI Wallet, where the consequences of authentication failures could include identity fraud, unauthorized border crossings, or financial crimes.