Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

nonce usage in authentication

In digest based authentication, nonce is generated by server. However in OAuth based authentication, nonce is generated by client. I want to know if anyone knows the reason for the difference?

like image 488
user496949 Avatar asked Feb 19 '11 13:02

user496949


People also ask

What is Auth nonce?

auth_nonce : includes an app generated alphanumeric nonce which can be used to provide replay protection.

What is the purpose of generating nonce?

The nonce is used to give 'originality' to a given message so that if the company receives any other orders from the same person with the same nonce, it will discard those as invalid orders. A nonce may be used to ensure security for a stream cipher.

What is nonce in HTTP request?

The purpose of a nonce is to make each request unique so that an attacker can't replay a request in a different context. It doesn't matter if the attacker gets the nonce: in fact the point is that because the data includes a nonce, it won't be useful to the attacker.

What is nonce in API?

Introduction. A nonce is a number that uniquely identifies each call to the REST API private endpoints.


Video Answer


2 Answers

Nonces are used to make a request unique. In an authentication scheme without a nonce, a malicious client could generate a request ONCE and replay it MANY times, even if the computation is expensive. If the authentication schema requires the client to perform expensive computation for every single request, as the request is made unique by using a nonce, the replay attack is folded, as its speed just went from O(1) to O(N).

The reason to have a client nonce is to prevent malicious clients do replay attacks.
The reason to have a server nonce is to prevent a Man-in-the-Middle attacks, in case an attacker captures a valid server response, and tries to replay it to a client.

http://en.wikipedia.org/wiki/Cryptographic_nonce has a nice explanation and diagram for how to use a nonce.

http://en.wikipedia.org/wiki/Digest_access_authentication has a nice example of how nonces are used in the real world.

like image 161
Marcin Avatar answered Oct 05 '22 23:10

Marcin


Firstly, sometimes clients do provide a nonce in digest auth, but mainly it relies on the server (see RFC2617)

Secondly, because if you think of the authentication procedure in terms of a handshake, then with Oauth when you already have a token you've been through half of the handshake, you've already spoken with the server, so your next move is to contact the server with your service request. This needs to be protected by a nonce too, so you provide it.

Or, the converse. I already have the token, so why would I contact the server to get a nonce so that I could then contact the server again with my service request? I might make a 1000 service requests, by producing my own nonces it cuts down on 2000 bits of network traffic that were unneeded.

like image 32
ian Avatar answered Oct 05 '22 23:10

ian