In order to make sure that the result cannot be mimicked, it’s essential to use a function that has adequate mathematical properties; for example, making sure that it is impossible to retrieve the secret with the computation result is mandatory. Secure hash functions, such as SHA-256, support these requirements. For the challenge-response method, the device proves it knows a secret without disclosing it. Even if an attacker were to intercept the communication, the attacker still wouldn't access the shared secret.
Authentication based on asymmetric cryptography relies on two keys: a private and a public key. The private key is known only by the device to be authenticated, while the public key can be disclosed to any entity willing to authenticate the device. As in the previously discussed method, the host sends a challenge to the device. The device computes a signature based on the challenge and the private key and sends it back to the host – see figure 2.
But here, the host will use the public key to verify the signature. It’s also critical for the function used to compute the signature to have certain mathematic properties. The most commonly used functions for the asymmetric schemes are RSA and ECDSA. Here also, the device proves it has knowledge of a secret, the private key, without disclosing it.