1

I'm having difficulty understanding the impact the client nonce has. I understand that the server nonce can prevent the replay attack. Isn't the client nonce an unnecessary part of the replay attack prevention? For example, a client that has the intention of initiating a replay attack can just use the same nonce that they were replaying.

In what scenario does the client nonce in SSL prevent a certain type of attack?

Danny HyunBum Cho
  • 21
  • 2
  • Possible duplicate of [What is the use of a client nonce?](https://security.stackexchange.com/questions/3001/what-is-the-use-of-a-client-nonce) – forest Dec 28 '17 at 05:31
  • 1
    @forest: This is not a duplicate of a generic "client nonce" question but asks specifically about TLS. – Steffen Ullrich Dec 28 '17 at 05:45

1 Answers1

3

There is no "client nonce" in SSL/TLS. There are some "used only once" numbers created by the client, like the IV for the symmetric encryption or the "client random" for the TLS handshake. In the following I will assume that you mean client random instead.

Client random is for example used to build the message the server has to sign with the private key belonging to the server certificate as part of the initial server authentication. If client random would be repeated then some attacker might replay a previously captured reply of the server containing the appropriate signature and thus successfully claim to own the private key, i.e. authenticate as the server.

Community
  • 1
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • What would happen if an attacker was able to claim they own the private key of a different server? Wouldn't the attack "fail" after receiving the pre-master cipher from the client that is signed using the public key of the certificate? (the attacker wouldn't be able to understand messages signed by a certificate they don't own) – Danny HyunBum Cho Dec 29 '17 at 06:06
  • @DannyHyunBumCho: you are mixing up phrases and concepts again. There is no "pre-master _cipher_" but only a "pre-master _secret_". And the client does not _sign_ this secret with the servers public key but _encrypts_ the pre-master secret with the servers public key. But this is only done with RSA key exchange and not with today's preferred DH key exchange. But yes, if RSA key exchange would be used, the man in the middle would not be able to decrypt the pre-master secret since he does not have the servers private key. – Steffen Ullrich Dec 29 '17 at 06:19