
Consider an app using, say, HMAC-SHA2 with a securely pre-shared symmetric key. Are the nonces of the exchanged messages considered secret as well?
Or, in other words, does easy predictability, or even outright knowledge (plaintext), of the nonce by an attacker compromise/reduce HMAC security? Some sources suggest using a cryptographically secure PRNG for nonce generation as if the PRNG algorithm/seed were part of the pre-shared secret, which confuses me.

wondra
  • Nonces are not secret, but HMAC doesn't use nonces, so it's a trick question. – dandavis Feb 02 '18 at 10:09
  • @dandavis hmm, true. Wondering how I should rephrase the question: when using a nonce for messages, it is in fact more of a protocol(?) secured by HMAC rather than HMAC itself, isn't it? – wondra Feb 02 '18 at 10:17

1 Answer


NIST (National Institute of Standards and Technology) defines a nonce as a time-varying, non-repeating value that helps prevent 'replay attacks'.

The nonce doesn't necessarily have to be secret, but it should be a randomly sourced, non-repeating value used in block ciphers for symmetric and asymmetric encryption.

Please reference the NIST SP 800 series of documents for additional details on best practices, implementation and reasons for use.

jas-
  • There seem to be conflicting definitions, e.g. NIST SP 800-63-2: ...`a nonce is not necessarily unpredictable.` while NIST SP 800-44 Version 2: ...`Because the sender randomly generated the nonce, this defeats playback attacks because the replayer cannot know in advance the nonce the sender will generate.` Which would imply that a predictable nonce, like a timestamp, does not prevent replay attacks (why use such?). Could you clarify this a bit? – wondra Feb 02 '18 at 13:38
  • While not necessarily unpredictable, a nonce should never be used more than once. The nonce can be best described as the equivalent of a salt when hashing passwords. While not always a value from a PRNG, it should never be used more than once for each key. Some uses of a nonce don't necessarily require the security a truly random sequence of bytes offers for keys. – jas- Feb 02 '18 at 19:02
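The point raised in the question and in the comments above (the nonce is public, only the key is secret, and replay protection comes from the receiver refusing a nonce it has already accepted under that key) is easiest to see in running code. The following is an added example written for this page, not code from the question, the answer, or any NIST document. It assumes a frame layout of `nonce || payload || HMAC-SHA256(key, nonce || payload)` with a fixed 16-byte nonce, and a receiver that keeps a set of accepted nonces; both the layout and the `Receiver` class are this example's own choices.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16   # assumption: fixed-width nonce sent in the clear
TAG_LEN = 32     # HMAC-SHA256 output length


def seal(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Build nonce || payload || HMAC-SHA256(key, nonce || payload).

    The nonce is transmitted in the clear; the only secret is the key.
    """
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    body = nonce + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Verifies the tag, then rejects any nonce already accepted under this key."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()   # nonces accepted so far (per key)

    def open(self, frame: bytes):
        """Return the payload, or None if the tag is bad or the nonce was reused."""
        if len(frame) < NONCE_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison; a bad tag is rejected before the nonce is recorded.
        if not hmac.compare_digest(tag, expected):
            return None
        nonce, payload = body[:NONCE_LEN], body[NONCE_LEN:]
        if nonce in self.seen:
            return None   # replay: same nonce, same key
        self.seen.add(nonce)
        return payload


def demo():
    """Walk through the cases discussed in the thread; returns the five outcomes."""
    key = os.urandom(32)   # assumption: pre-shared out of band
    rx = Receiver(key)

    # 1. Fresh random nonce: accepted.
    frame = seal(key, os.urandom(NONCE_LEN), b"transfer 10")
    first = rx.open(frame)

    # 2. The identical frame replayed: tag still verifies, nonce already seen.
    replay = rx.open(frame)

    # 3. Attacker knows the nonce and the plaintext but not the key; the forged
    #    tag (computed under a guessed all-zero key) fails verification.
    nonce = frame[:NONCE_LEN]
    forged = seal(b"\x00" * 32, nonce, b"transfer 999")
    forge = rx.open(forged)

    # 4. A fully predictable nonce (a counter) still defeats replay, because the
    #    receiver tracks what it has accepted; unpredictability is not what stops it.
    counter_nonce = (1).to_bytes(NONCE_LEN, "big")
    f2 = seal(key, counter_nonce, b"ping")
    ok2 = rx.open(f2)
    ok2_again = rx.open(f2)

    return first, replay, forge, ok2, ok2_again


if __name__ == "__main__":
    print(demo())   # (b'transfer 10', None, None, b'ping', None)
```

The set of seen nonces grows without bound here; a deployed protocol would bound it, for example by requiring a strictly increasing counter or by accepting timestamps only within a window and remembering nonces for that window. Either way the nonce travels in the clear and the attacker may know it in advance; what they cannot do without the key is produce a valid tag over a nonce the receiver has not yet consumed.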