Highest Voted 'nonce' Questions - IT Security Stack Exchange

1

vote

1 answer

AEAD and nonces explained in layman's terms (Symmetric encryption example using Libsodium)

After almost 4 days of work, I've finally gotten Libsodium crypto_aead_xchacha20poly1305_ietf_encrypt to work and produce the same result in JavaScript and PHP. But I'm confused. The PHPDoc describes the parameters as: * @param string $plaintext…

asked Aug 13 '18 at 13:02

Ryan

315
4
13

1

vote

0 answers

Re-using the hash value of password to server by malicious actor

Let's say Alice logged into https://www.facebook.com with her email and password: Email: Alice@gmail.com Password: correctHorseShoeBattery Nonce given by the server: 123139897120148130481041 Salt given by the server:…

authentication passwords hash pbkdf2 nonce

asked May 17 '18 at 10:14

Killney

373
1
3
5

1

vote

1 answer

What's the purpose of the client nonce in SSL?

I'm having difficulty understanding the impact the client nonce has. I understand that the server nonce can prevent the replay attack. Isn't the client nonce an unnecessary part of the replay attack prevention? For example, a client that has the…

encryption tls attacks openssl nonce

asked Dec 28 '17 at 03:47

Danny HyunBum Cho

21
2

1

vote

1 answer

Why is salt+nonce authentication over insecure channel vulnerable to man-in-the-middle attack?

In a network connection over an insecure channel I do the following: Server sends database salt and a nonce to the client; Client computes and sends hash(hash(pwd + salt) + nonce); Server computes hash(db_pwd_hash + nonce) and compares it to the…

hash man-in-the-middle nonce

asked Dec 16 '17 at 21:05

OLEGSHA

13
3

1

vote

1 answer

How to synchronize a nonce between two participants?

I am currently working with a symmetric algorithm which requires a nonce for encryption, and logically for decryption as well. However, I am a bit confused about how I would go and synchronize the nonce on both clients. Let's say my nonce is…

encryption decryption nonce synchronization chacha20

asked Jul 06 '17 at 12:52

Sossenbinder

135
5

1

vote

3 answers

How to only send hashed passwords while not storing passwords in plaintext on the sever?

In a web-based auth system I do the following: Client: Ask the server for a "nonce". Client: Generate a "cnonce". Client: hash(nonce + cnonce + password) Client: Send cnonce and the hash from point 3 to the server. Server: hash(nonce + cnonce +…

authentication passwords hash nonce

asked Jan 06 '17 at 15:21

Gurgy

13
2

1

vote

2 answers

How do I secure a nonce value within app whose source code is public?

I am developing a plugin for Nylas N1 (implements Node). The plugin will be using an implicit flow to authenticate the user, as I understand that is the best way to handle client-side applications. I have a vague understanding of how state (or…

api nonce oauth2

asked Sep 22 '16 at 12:42

TylersSN

111
2

1

vote

1 answer

How does (Py)NaCl work exactly?

At the moment, I deal with PyNaCl (Docs) and have a question about it: My situation is that I want to create a server that interacts with clients. Both the server and the client will have a long-term private key/keypair. So, the situation will be…

cryptography programming nonce nacl

asked Jun 05 '16 at 08:21

Aliquis

769
1
7
12

1

vote

1 answer

Synchronized nonce

If two parties (Say A and B) have a shared secret key (K), is there any way for each party to use the shared secret key to generate nonce(N) sequence which is equal on both sides without having to send the nonce value between them? I am thinking of…

random nonce

asked Apr 07 '16 at 18:51

user1677104

13
2

1

vote

1 answer

Generation of a shared nonce that cannot be pre computed

Is there any system out there currently, which can generate a nonce, which all nodes on a distributed network can agree and calculate the same nonce at the same time, but one an attacker cannot pre compute, for example a week in advance, and would…

cryptography one-time-password timestamp nonce

asked Feb 10 '16 at 15:24

Rich

11
1

1

vote

1 answer

libsodium nonce and captcha validation

so, I want to implement server which validates registration with captcha. First I thought about storing captchas in a server, but then I thought it would be hassle on caching, memory, what if I need to write it into file, etc... But then I had this…

nonce

asked Oct 27 '15 at 18:27

Shazzlow

123
2

0

votes

1 answer

How to use a token to differentiate between a valid logged in user and an attack?

Let us take the example of my already being logged in to, say, LinkedIn. When I access LinkedIn on a new tab, it automatically logs me in (using cookie info). Now, suppose I visit a forum and through an image that is loaded, a CSRF attack is run…

csrf nonce

asked Mar 05 '14 at 18:40

katrix

533
2
13

0

votes

0 answers

Usage of Nonce Count in digest authentication

In RFC7616 for Digest Authentication, the nonce count (nc) is described as The nc value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request. and in the…

authentication nonce

asked Sep 05 '22 at 13:12

GalSuchetzky

113
5

0

votes

0 answers

OpenId Connect and proper usage of nonce

I understand that a nonce is used to prevent replay attacks. I have been going through documentations, specs, posts and blog posts and I am a little confused. Consider the following attack scenario. Mary wants to login to https://photos.com via…

openid nonce oidc

asked May 17 '22 at 22:22

Haunted

43
4

0

votes

0 answers

Using predictable incrementing nonces

I need validation / feedback please with the implementation of a web based client-server application that I am building. I need to make sure that a client's cookies can't be hijacked and therefore I have introduced a nonce. So with each request from…

web-application hash nonce

asked Jul 27 '21 at 04:10

Michael Seifert

13
3

Questions tagged [nonce]