Questions tagged [nonce]

A random number that is only used once. It is generated at the beginning of a communication by one communication partner and has to be sent back by the other one in order to prevent replay attacks.

85 questions
8 votes, 1 answer

Prevent cross domain form submission with nonce?

I haven't done much in web security before but am now in need to prevent a form from being submitted from anything but my own domain. I know how to lock this down in an .htaccess file but the referrer isn't very reliable from what I've…
Brigante
8 votes, 2 answers

Do Client Nonces enhance the security of HTTP Digest Auth?

As far as I understand the answer at https://security.stackexchange.com/a/3024/13447, client nonces are meant to prevent attackers from amortizing the costs of brute-force hash computations by being able to reuse the computation results for…
8 votes, 1 answer

Why isn't Amazon using a NONCE for REST Authentication?

When you look at Amazon's RESTAuthentication you can see that it doesn't use a nonce: Authorization = "AWS" + " " + AWSAccessKeyId + ":" + Signature; Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) )…
laktak
7 votes, 3 answers

chosen plaintext attacks against MD5 and SHA1

According to https://www.rfc-editor.org/rfc/rfc2617#section-4.9, having the server choose a nonce but not having the client choose a nonce opens up Digest Access authentication to chosen plaintext attacks. My question is twofold... Is this a problem…
paynes_bay
7 votes, 1 answer

Encrypting short identifiers?

I am developing a webapp that does not reveal record count, because it hides the primary key. I am looking for a better way to do this. My favorite idea is to encrypt the ID itself with a block cipher, because that would require no additional…
700 Software
7 votes, 2 answers

How to store nonce and key when working with libsodium secretbox?

Why am I asking? I am very new to cryptography (so please be patient with me...) and I want to avoid making unnecessary mistakes. I did a lot of research, but - other than with most other programming related questions - I had a hard time finding…
wire417
6 votes, 3 answers

What is the use of nonces in HTTPS APIs

I have used APIs that require a nonce for every request. If HTTPS requests are not replayable, seen here https://stackoverflow.com/a/2770133/2800469, what is the reason to require nonces for HTTPS APIs? Is it just to ensure that legitimate consumers…
ajb32x
6 votes, 3 answers

AES use same Nonce security risk?

If I use AES-GCM and encrypt data with a 128 Bit Key and always use the same Nonce. Is using the same nonce a security risk? Can a hacker guess the Key? Or is the Nonce only to verify that the message was not corrupted? Especially if I…
John Smith
5 votes, 2 answers

nonce in SSL/TLS handshake

In SSL/TLS handshake, a nonce is always sent by the client to server and vice versa. The nonce basically consists of a random number and unix timestamp. Why do we need the unix timestamp? As the nonce is always a random number, how does this…
asit_dhal
5 votes, 3 answers

optimal way to salt password?

A good way to salt passwords? I have read a few answers related to salting passwords. But I started to get confused. I came across a few functions people used to generate salt, like: mcrypt_create_iv(), openssl_random_pseudo_bytes(), pseudo random bits…
Loonb
5 votes, 2 answers

Preventing resubmission and replay attack using client nonce in REST API

I have a REST API backend which has HTTPS (and blocked HTTP) and uses JWT as the authentication mechanism. The client side is iOS/Android app. I want to add a layer of safeguard on critical API by using client nonce to prevent (mostly) resubmission…
mingchuno
4 votes, 2 answers

how to store and retrieve nonce in practice

As nonce is supposed to be random and used only one time, when receiving a nonce, I need to check it with all past nonce records. That means I need a database to store every nonce I had before. Of course I can reduce the database size by limiting…
Sissi
4 votes, 2 answers

3rd Party Authentication protocol

I have a hardware device (H), phone (P) and web server (S). I would like P to be able to send commands to H, but only if it is authorized to do so. Permissions are stored on server. Technically I could do this with Kerberos, but that seems overkill.…
Nimyz
4 votes, 1 answer

Is this the correct flow of the KRACK attack?

I am not a cryptography expert so please forgive this basic question. I am trying to understand how the flow of the KRACK attack takes place in order to better understand why the encryption protocol itself can be cracked. Let's start from after step 3…
ng.newbie
4 votes, 3 answers

Verify password hashed with nonce when the password is already hashed on the server?

I found this picture in the Wikipedia nonce article: To avoid sending the password in clear text and prevent replay attacks, the password is hashed together with one random number from the server (nonce) and one from the client (cnonce). I assume…
Anders