-1

I understand a nonce is used to prevent replay attacks. May I know, when the server first sends a nonce to you, does the client then have to proceed to +1 the nonce sent by the server and send it back? Is this always the case?

Is a nonce made up of a timestamp + random as well?

Killney
  • 373
  • 1
  • 3
  • 5

1 Answer

3

Nonces are used in a variety of use cases. The exact behavior regarding a nonce depends on the exact use case, but all use cases share that a nonce should only be used once within a specific context. This might be achieved by using true random numbers, but depending on the exact use case it might also be sufficient to use a simple counter or a timestamp to get a unique value within a specific context.

I'm unaware of any use case where the behavior you describe is used, i.e. where the client uses server_sent_nonce+1. Given that the nonce is unique in the first place, such an operation should not be needed. But it should not do any harm either if applied consistently, since then server_sent_nonce+1 is actually the new nonce, which is unique too.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Timestamp isn't quite a nonce, since you could presumably have two messages at the same time, but they would serve to protect against replay. – nbering Apr 09 '18 at 04:56
  • 2
    @nbering: that's why I've specifically said *"it __might__ also be sufficient...within a specific context"*. If only one nonce is needed per second __in the specific context__ (like as a challenge to check a password in Digest authentication) or if the granularity of the timestamp is good enough a timestamp might be sufficient. If the granularity is not enough then of course it is not sufficient. – Steffen Ullrich Apr 09 '18 at 04:58
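The three nonce styles the answer and the comments mention (a random server challenge used once, a per-client counter, and a timestamp whose granularity decides whether it is unique) side by side, as an added example that is not part of the original question or answer. The shared HMAC key, the `NonceServer` / `CounterNonceServer` classes and the message strings are all constructed for the demo; nothing here is a real protocol's wire format. The point it shows beyond the text: replay protection is a server-side bookkeeping decision (remember issued nonces, or the highest counter seen), and a nonce only helps if the MAC actually binds it to the message.

```python
import hashlib
import hmac
import os
import time

# Constructed shared key for the demo (assumption: client and server already share it).
SECRET = b"shared-secret-for-demo"


def _tag(*parts: bytes) -> str:
    """HMAC over the nonce and the message together, so the nonce is bound to the data."""
    return hmac.new(SECRET, b"|".join(parts), hashlib.sha256).hexdigest()


class NonceServer:
    """Random challenge nonces: issued once, accepted once, expire after ttl seconds."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.issued = {}      # nonce -> expiry time
        self.used = set()     # nonces already accepted (replay list)
        self.ttl = ttl_seconds

    def challenge(self, now: float = None) -> str:
        now = time.time() if now is None else now
        nonce = os.urandom(16).hex()   # 128 random bits: unique with overwhelming probability
        self.issued[nonce] = now + self.ttl
        return nonce

    def verify(self, nonce: str, message: bytes, tag: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        expiry = self.issued.get(nonce)
        if expiry is None or now > expiry:      # never issued, or challenge too old
            return False
        if nonce in self.used:                  # replay of an already accepted response
            return False
        if not hmac.compare_digest(_tag(nonce.encode(), message), tag):
            return False                        # nonce or message tampered with
        self.used.add(nonce)
        return True


def client_respond(nonce: str, message: bytes):
    """Client side of the challenge/response: echo the nonce and MAC it with the message."""
    return nonce, message, _tag(nonce.encode(), message)


class CounterNonceServer:
    """Counter nonces: the server only accepts a strictly increasing counter per client."""

    def __init__(self):
        self.last = {}   # client_id -> highest counter accepted so far

    def verify(self, client_id: str, counter: int, message: bytes, tag: str) -> bool:
        if counter <= self.last.get(client_id, -1):   # reused or stale counter: replay
            return False
        if not hmac.compare_digest(_tag(client_id.encode(), str(counter).encode(), message), tag):
            return False
        self.last[client_id] = counter
        return True


def client_counter_message(client_id: str, counter: int, message: bytes):
    """Client side for the counter scheme: the client picks the next counter value itself."""
    return counter, message, _tag(client_id.encode(), str(counter).encode(), message)


def timestamp_nonce(now: float, granularity: float = 1.0) -> int:
    """Timestamp nonce: unique only if no two messages fall in the same granularity bucket."""
    return int(now // granularity)


if __name__ == "__main__":
    srv = NonceServer()
    resp = client_respond(srv.challenge(), b"login alice")
    print("first response accepted:", srv.verify(*resp))
    print("replayed response accepted:", srv.verify(*resp))
    print("two messages in the same second collide at 1s granularity:",
          timestamp_nonce(100.2) == timestamp_nonce(100.7))
```

`NonceServer` is the Digest-style case from the comment thread: one random challenge per authentication attempt, so collisions are a non-issue and the only state is the used-nonce set plus an expiry to keep that set bounded. `CounterNonceServer` shows why a plain counter also works when the server tracks the high-water mark: an old counter is rejected even though the MAC on it is valid. `timestamp_nonce` makes the granularity point concrete: two messages 0.5 s apart share a nonce at one-second granularity and get distinct ones at millisecond granularity.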