
I need validation / feedback please with the implementation of a web based client-server application that I am building.

I need to make sure that a client's cookies can't be hijacked and therefore I have introduced a nonce.

So with each request from the client a {nonce, Hash(nonce, shared-secret)} is provided to the server.

I would like to not manage a table of previously used nonces on the server. Therefore I've considered using an incrementing only nonce. So that with each request I increment the nonce so that it only grows to a larger number. Thus, the server just needs to keep track of the last used nonce.

My first question is if there is a security problem with this approach? It makes the nonce somewhat predictable (in the extreme case increasing the nonce by 1 on each request).

My second question is which Hash() function would be good to use. I am looking for something quick. I guess MD5 or SHA-256 might be an obvious choice. But is something like a CRC32C a possibility or is it too weak given it's not a hash?

Thank you.
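The scheme described in the question, worked through end to end as an added example; this is not code from the asker, and the names `make_tag`, `Client`, `Server` and `run_scenario`, the client identifier "alice" and the shared secret are all constructed for the demonstration. The tag is an HMAC-SHA256 keyed with the shared secret (a plain hash of nonce and secret, or a checksum such as CRC32C, is not a keyed function and gives no forgery resistance). The example goes one step beyond the question in that the tag also covers the request method, path and body, because a tag over the nonce alone does not bind the request it was sent with. The server stores only the highest accepted nonce per client, as the question proposes, and the last two requests in the scenario show the cost of that choice: a legitimate request that arrives out of order is indistinguishable from a replay.

```python
import hashlib
import hmac


def make_tag(secret: bytes, nonce: int, method: str, path: str, body: bytes) -> str:
    """Keyed tag over the nonce *and* the request it belongs to.

    Fields are newline separated with the body last, so a tag for one
    request cannot be reused for a different request with the same nonce.
    """
    msg = f"{nonce}\n{method}\n{path}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Client:
    """Holds the shared secret and a strictly increasing request counter."""

    def __init__(self, client_id: str, secret: bytes, start: int = 0):
        self.client_id = client_id
        self.secret = secret
        self.nonce = start

    def request(self, method: str, path: str, body: bytes = b"") -> dict:
        self.nonce += 1  # monotonic: every request carries a larger nonce
        return {
            "client_id": self.client_id,
            "nonce": self.nonce,
            "method": method,
            "path": path,
            "body": body,
            "tag": make_tag(self.secret, self.nonce, method, path, body),
        }


class Server:
    """Keeps only the last accepted nonce per client, no table of used nonces."""

    def __init__(self, secrets: dict):
        self.secrets = secrets  # client_id -> shared secret
        self.last_nonce = {}    # client_id -> highest nonce accepted so far

    def verify(self, req: dict) -> str:
        secret = self.secrets.get(req["client_id"])
        if secret is None:
            return "unknown_client"
        # Verify the tag before looking at the nonce, so that a sender who
        # does not hold the secret cannot probe the nonce window through the
        # distinct "replay" response. compare_digest is constant time.
        expected = make_tag(secret, req["nonce"], req["method"], req["path"], req["body"])
        if not hmac.compare_digest(expected, req["tag"]):
            return "bad_tag"
        # Monotonic check: anything at or below the last accepted nonce is
        # rejected, which covers replays but also out-of-order delivery.
        if req["nonce"] <= self.last_nonce.get(req["client_id"], 0):
            return "replay"
        self.last_nonce[req["client_id"]] = req["nonce"]
        return "ok"


def run_scenario() -> list:
    """Constructed exchange: returns the server's verdict for each request."""
    secret = b"constructed-demo-secret-not-for-real-use"  # constructed sample
    alice = Client("alice", secret)
    server = Server({"alice": secret})
    results = []

    r1 = alice.request("GET", "/account")
    results.append(server.verify(r1))           # ok
    results.append(server.verify(r1))           # replay: same nonce resent

    r2 = alice.request("POST", "/transfer", b"to=bob&amount=10")
    tampered = dict(r2, body=b"to=mallory&amount=10")
    results.append(server.verify(tampered))     # bad_tag: body was not what was signed
    results.append(server.verify(r2))           # ok

    r3 = alice.request("GET", "/a")
    r4 = alice.request("GET", "/b")
    results.append(server.verify(r4))           # ok: nonce 4 accepted first
    results.append(server.verify(r3))           # replay: nonce 3 is now "old"
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Two design points worth noting. The last-accepted nonce has to live wherever every server instance can see it (shared store, or a per-client sticky session), otherwise two instances will each accept the same nonce once. And because the nonce is only a counter, predictability is not what the secret relies on; the secret is what makes the tag unforgeable, so it must never be sent and should be rotated if it is ever exposed.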

  • You should take a look at JWT. It's a mature technology with lots of available documentation, and ready to use libraries. Don't reinvent something sensitive if security experts already invented it for you. – ThoriumBR Jul 29 '21 at 12:08
  • I've looked JWT over. I have two concerns. JWTs are likely to require too many resources for the scale of system I am designing for. Secondly, maybe I read it wrong, but it appears to me the JWT can still be compromised (albeit for a shorter period of time). With the shared secret nonce above it should hopefully be impossible to hijack the tokens. – Michael Seifert Jul 30 '21 at 07:16

0 Answers