Consider an app using, say, HMAC-SHA2, with a securely pre-shared symmetric key. Are the nonces of exchanged messages considered secret as well?
Or in other words, does easy predictability or even outright knowledge (plaintext) of the nonce to an attacker compromise/reduce HMAC security?
Some sources suggest using a cryptographically secure PRNG for nonce generation, as if the PRNG algorithm/seed were part of the pre-shared secret, which confuses me.
wondra
- nonces are not secret, but HMAC doesn't use nonces, so it's a trick question. – dandavis Feb 02 '18 at 10:09
- @dandavis hmm, true. Wondering how I should rephrase the question - when using a nonce for messages it is in fact more of a protocol(?) secured by HMAC rather than HMAC itself, isn't it? – wondra Feb 02 '18 at 10:17
1 Answer
NIST (National Institute of Standards and Technology) defines a nonce as a time-varying, non-repeating value to help prevent 'replay attacks'.
The nonce doesn't necessarily have to be secret but should be a randomly sourced, non-repeating value used in block ciphers for symmetric and asymmetric encryption.
Please reference the NIST SP 800 series of documentation for additional details of best practices, implementation & reasons for use.
jas-
- There seem to be conflicting definitions, e.g. NIST SP 800-63-2: ...`a nonce is not necessarily unpredictable.` while NIST SP 800-44 Version 2: ...`Because the sender randomly generated the nonce, this defeats playback attacks because the replayer cannot know in advance the nonce the sender will generate.` Which would imply that a predictable nonce, like a timestamp, does not prevent replay attacks (why use such?). Could you clarify this a bit? – wondra Feb 02 '18 at 13:38
- While not necessarily unpredictable, a nonce should never be used more than once. The nonce can be best described as the equivalent of a salt when hashing passwords. While not always a value from a PRNG, it should never be used more than once for each key. Some uses of a nonce don't necessarily require the security a truly random sequence of bytes offers for keys. – jas- Feb 02 '18 at 19:02