Cryptographic nonce
In security engineering, a nonce is an arbitrary number that is used only once in a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest of the password. The nonce is different each time the server presents a 401 authentication challenge, so a response captured from an earlier exchange does not verify against the new challenge. The server must also remember which nonces it has issued and refuse to accept the same nonce (and nonce count) twice; otherwise the captured header can simply be resent. In this role the nonce is essentially a cryptographic cookie: an opaque value that the client must echo back unchanged.
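The digest exchange described above, worked through as an added example (not code from the original article). The credentials, nonce and expected response are the test vector from RFC 2617 section 3.5; the DigestServer class, its nonce bookkeeping and the replay attempts are this example's own construction.

```python
import hashlib
import secrets

# Credentials from the RFC 2617 section 3.5 example; the server class
# and the replay checks below are this example's own, not from the RFC.
REALM = "testrealm@host.com"
USERS = {"Mufasa": "Circle Of Life"}          # username -> password, server side


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server side: a fresh nonce on every 401, and each (nonce, nc) pair accepted once."""

    def __init__(self):
        self.issued = set()      # nonces handed out in a 401 and still valid
        self.seen = set()        # (nonce, nc) pairs already accepted

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)        # 128 random bits per challenge
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        if username not in USERS or nonce not in self.issued:
            return False                     # unknown user, or a nonce we never issued
        if (nonce, nc) in self.seen:
            return False                     # identical Authorization header replayed
        expected = digest_response(username, REALM, USERS[username],
                                   method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False                     # wrong password, or response bound to another nonce
        self.seen.add((nonce, nc))
        return True


def demo():
    """Returns (genuine request accepted, verbatim replay accepted, replay against new nonce accepted)."""
    server = DigestServer()
    uri, cnonce = "/dir/index.html", secrets.token_hex(8)
    nonce1 = server.challenge()
    resp1 = digest_response("Mufasa", REALM, "Circle Of Life", "GET", uri, nonce1, "00000001", cnonce)
    genuine = server.verify("Mufasa", "GET", uri, nonce1, "00000001", cnonce, resp1)
    # Attacker resends the captured header unchanged: same nonce and nc already seen.
    replay_verbatim = server.verify("Mufasa", "GET", uri, nonce1, "00000001", cnonce, resp1)
    # Attacker answers the next 401 with the old response: the digest was bound to nonce1.
    nonce2 = server.challenge()
    replay_new_nonce = server.verify("Mufasa", "GET", uri, nonce2, "00000001", cnonce, resp1)
    return genuine, replay_verbatim, replay_new_nonce
```

The second replay fails because the digest covers the nonce, so nothing needs to be stored for it; the first replay only fails because the server records (nonce, nc) pairs, which is the bookkeeping that a naive implementation omits.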
A nonce may be used to ensure security for a stream cipher. Where the same key is used for more than one message, a different nonce is used for each message to ensure that the keystream is different for each message encrypted under that key. If a (key, nonce) pair is reused, the two messages share a keystream, and the XOR of the two ciphertexts equals the XOR of the two plaintexts, which exposes both (the "two-time pad" problem). Often the message number is used as the nonce.
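An added example of the keystream-reuse failure and of the message-number nonce that avoids it (not code from the original article). The keystream here is a constructed toy, SHA-256 over key, nonce and a block counter, chosen only so the example runs without a cipher library; the reuse failure it demonstrates holds for any stream cipher.

```python
import hashlib

# Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks.
# Illustrative only (not a vetted cipher); the reuse failure shown is generic.


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))     # truncates to the shorter input


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream; decryption is the same call."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def message_nonce(seq: int) -> bytes:
    """The message number as a 12-byte nonce: unique as long as the sender never resets seq."""
    return seq.to_bytes(12, "big")


def demo():
    """Returns (leak observed, plaintext recovered by the attacker, distinct nonces safe)."""
    key = bytes(range(32))                        # constructed fixed key
    p1 = b"transfer 100 to alice"                 # constructed sample messages
    p2 = b"transfer 900 to mallory"
    # Same key, same nonce: identical keystreams cancel under XOR.
    c1 = encrypt(key, message_nonce(1), p1)
    c2 = encrypt(key, message_nonce(1), p2)
    leak = xor(c1, c2) == xor(p1, p2)
    # An attacker who knows p1 reads the overlapping part of p2 without the key.
    recovered = xor(xor(c1, c2), p1)
    # Same key, next message number: keystreams differ and the relation disappears.
    c3 = encrypt(key, message_nonce(2), p2)
    safe = xor(c1, c3) != xor(p1, p2)
    return leak, recovered, safe
```

The fix is not a longer key or a stronger hash; it is never letting (key, nonce) repeat, which is why the message counter is the conventional choice when the sender can keep state.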
Some also refer to initialization vectors as nonces for the above reasons. To ensure that a nonce is used only once, it should be time-variant (including a suitably fine-grained timestamp in its value, usually combined with a counter, since a clock alone can repeat or run backwards), or generated with enough random bits that the chance of repeating a previously generated value is negligible (by the birthday bound, roughly n²/2^(b+1) for n nonces of b bits). Some authors define pseudorandomness (or unpredictability) as a requirement for a nonce: a plain counter guarantees uniqueness but is predictable, which is adequate for keystream separation but not for a challenge that must be unguessable in advance.
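The two generation strategies from the paragraph above, with the birthday estimate for the random one, as an added example (not code from the original article). The layout of the time-variant nonce (8-byte nanosecond timestamp, 4-byte counter, random tail) is this example's own choice, not a standard format.

```python
import math
import secrets
import time


def random_nonce(bits: int = 96) -> bytes:
    """Uniformly random nonce; uniqueness is probabilistic, see collision_probability."""
    return secrets.token_bytes(bits // 8)


class TimeVariantNonce:
    """Timestamp || per-process counter || random tail (constructed layout).
    The counter keeps values unique even if the clock stalls or steps backwards;
    the random tail separates processes that share a clock and counter start."""

    def __init__(self, random_bytes: int = 4):
        self.counter = 0
        self.random_bytes = random_bytes

    def next(self) -> bytes:
        self.counter += 1
        ts = time.time_ns().to_bytes(8, "big")
        ctr = self.counter.to_bytes(4, "big")
        return ts + ctr + secrets.token_bytes(self.random_bytes)


def collision_probability(n: int, bits: int) -> float:
    """Birthday bound: P(some repeat among n uniformly random b-bit values)
    ~= 1 - exp(-n(n-1) / 2^(bits+1)). expm1 keeps precision for tiny results."""
    return -math.expm1(-n * (n - 1) / 2 ** (bits + 1))


def all_unique(nonces) -> bool:
    return len(set(nonces)) == len(nonces)
```

For a sense of scale, 2^16 nonces of 32 bits repeat with probability about 0.39, while 2^20 nonces of 96 bits repeat with probability below 10^-15; this is why short random nonces are a budget to be tracked, not a guarantee.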
See also
- Initialization vector
- Salt (cryptography)
- Key strengthening
- Nonce word
- Cross-site request forgery
External links
- Sam Ruby Blogging on Nonce with an implementation
- RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication
- RFC 3540 - Robust Explicit Congestion Notification (ECN) Signaling with Nonces
- RFC 4418 - UMAC: Message Authentication Code using Universal Hashing