IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [nonce]

a random number that is only used once. It is generated at the beginning of a communication by one communication partner and has to be sent back by the other one in order to prevent replay attacks.

85 questions
2
votes
1 answer

WPA/WPA2 Handshake -- A question on the computation of the MIC

During the WPA/WPA2 4-way handshake, the first two steps are as follows. (1) The AP sends an ANonce to the client, (2) The client computes its own Nonce (SNonce), computes the Preshared Transient Key (PTK) and sends the SNonce to the AP along with a…
Minaj
  • 1,536
  • 2
  • 14
  • 23
2
votes
1 answer

Replay attack example for validating nonce?

I am trying to validate a JWT token received from Windows Azure. I am following the documentation here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-tokens/#validating-tokens When you request a token Azure makes you…
User52016
  • 135
  • 1
  • 5
1
vote
3 answers

Three Message Authentication Protocol

I have a protocol where "A" initiates communication with "B". "B" then sends a challenge to check if "A" is really "A". "B" does not remember sending the challenge so "A" has to respond by sending the challenge back along with encrypted challenge…
Rebratorius097
  • 19
  • 2
1
vote
1 answer

how to test for csrf if the web application is not using tokens and there are no users defined for that application?

I am testing an application that doesn't use anti-csrf tokens for its requests. There are no users defined for this application as well. Well, in that case, how to carry out testing for csrf in this particular application?
user3601346
  • 41
  • 1
  • 1
  • 3
1
vote
1 answer

Login from a desktop application to a web application

I have a desktop application and a web application. The user is loged in on the desktop application. With a click on a button or something the browser should open and the user should be logged in. Now I'm a little confused how to implement this in a…
morpheus05
  • 111
  • 3
1
vote
3 answers

Secure Custom Registration Links

I'm working on a website that allows a current user to invite another individual to be friends by typing in the non-user's email address. The non-user would then receive a custom registration url by email which would, when used, automatically…
Nathan Arthur
  • 113
  • 5
1
vote
2 answers

Is it safe to use Diffie-Hellman public keys as nonces to protect against replay attacks?

I have an interesting case regarding protection against replay attacks. Under the assumption that Alice and Bob have used Diffie-Hellman key exchange to establish a secure temporary session, would it be safe for them to use the public portion of…
BeagleEagle
  • 194
  • 5
1
vote
1 answer

What is cnonce in Digest Authentication

In digest authentication we use something that is called cnonce. According to RFC7616: This parameter MUST be used by all implementations. The cnonce value is an opaque quoted ASCII-only string value provided by the client and used by both client…
GalSuchetzky
  • 113
  • 5
1
vote
0 answers

Openid nonce replay attack in auth code flow

Looking at this question Openid connect nonce replay attack and the answer by @benbotto. I understand the replay attack in implicit flow but unable to understand it for auth code flow. Let's say an attacker intercepts the authentication response.…
user267581
  • 11
  • 1
1
vote
1 answer

Can I use part of PBKDF2 output as an IV (nonce)?

SHA-256 generates a 32-byte hash, Is it a safe practice to use the first 16 as an iv (nonce) and the second 16 as a key ? What other things I should consider when using PBKDF2 in a scenario like this ?
Mohamed Waleed
  • 1,169
  • 1
  • 5
  • 13
1
vote
0 answers

Web authentication, replay, nonce and KEK

I am trying to figure out how to build a secure, playback-proof, web authentication scheme and at the same time be able to use a KEK at the server. After a lot of reading it seems that a reasonable way to validate the password between the server and…
Michael Seifert
  • 13
  • 3
1
vote
1 answer

Is nonce useless when user input is reflected within an inline script?

I stumbled upon a web app which is accepting user input and putting it into a variable within script tag. The script tag does have a nonce attribute. As am working on bypassing the XSS filter, I had this thought that this practice of reflecting…
Rahul
  • 373
  • 4
  • 13
1
vote
0 answers

Does using both a counter and a random nonce make sense for the purpose of reducing the likelihood of replay attacks?

I am aware that using a counter or a random value are both acceptable ways of generating nonces, depending on the circumstances. The tradeoff with using a counter is the necessity to keep state and sometimes this can be a complex problem on its…
elemetrics
  • 146
  • 4
1
vote
1 answer

How to identify the sender of a message in asymmetric encryption?

I am working on a chat application, and I am trying to secure the communication by using asymmetric encryption. I am able to encrypt a message with the receiver's public key and decrypt a message with the receiver's private key. However, how can a…
Bab
1
vote
0 answers

Bloom filter to prevent replay attacks in signed HTTP requests

I'm thinking about an authentication sheme of a REST API in a setting where the only thing the server stores about a client, is their public key (the asymmetric encryption scheme should not matter). So I've come up with a scheme where the…
Rafael Korbas
  • 111
  • 4
1 2 3
4
5 6