This question here is about creating an authentication scheme. The accepted answer given by AviD states:
Your use of a cryptographic nonce is also important, that many tend to skip over - e.g. "let's just use a GUID"...
Which leads me to my question. Why wouldn't you just use a GUID?
A nonce in cryptography is a number used to protect private communications by preventing replay attacks. Nonces are random or pseudo-random numbers that authentication protocols attach to communications.
Nonce in cryptography means “number once,” and this arbitrary number is only used one time in a cryptographic communication. A nonce often includes a timestamp, which means it is only valid during a specific amount of time, to help ensure that it is only used once.
The nonce should have sufficient length: aim for at least 128 bits of entropy (32 hex characters, or about 24 base64 characters). Script tags that have a nonce attribute must not have any untrusted / unescaped variables within them.
Nonce is a randomly generated, cryptographic token used to prevent the theft of user name tokens used with SOAP messages. Nonce is used with the basic authentication (BasicAuth) method.
What Is a Nonce? "Nonce" is a portmanteau of "number used only once." It is a four-byte number added to a hashed—or encrypted—block in a blockchain that, when rehashed, meets the difficulty level restrictions. The nonce is the number that blockchain miners are solving for.
Whenever you randomly generate a random number intended to be used in cryptography, you should be really sure that the number is really random. GUIDs tend to be generated based on values that can be discovered, guessed or inferred, such as current system time or a network card MAC address, and thus the nonce could potentially be guessed.
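An added example, not part of the original question or answer, illustrating the point about GUIDs built from discoverable values: a time-based (version 1) GUID decodes back into its creation time and node identifier, while a nonce drawn from the OS CSPRNG carries the 128 bits of entropy recommended above. The function names, node value and clock sequence are constructed for the demonstration.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# Version 1 timestamps count 100 ns ticks since the Gregorian calendar epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def describe_guid(value: str) -> dict:
    """Decode the fields of a GUID that an observer can read back out of it."""
    u = uuid.UUID(value)
    info = {"version": u.version, "timestamp": None, "node": None,
            "max_random_bits": None}  # None: version not assessed here
    if u.version == 1:
        # 60-bit timestamp and 48-bit node (often the MAC address) are in the clear.
        info["timestamp"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        info["node"] = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -8, -8))
        info["max_random_bits"] = 14  # only the clock sequence may be random
    elif u.version == 4:
        # 122 bits are random by layout; whether they come from a CSPRNG
        # depends on the generator that produced the GUID.
        info["max_random_bits"] = 122
    return info


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, as 32 hex characters."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed sample: a version 1 GUID with a made-up node and clock sequence.
    sample = str(uuid.uuid1(node=0x0242AC110002, clock_seq=0x1234))
    print("GUID :", sample)
    print("leaks:", describe_guid(sample))
    print("nonce:", new_nonce())
```

Running `describe_guid` over the identifiers an application already issues shows whether any of them are version 1 and therefore unsuitable as nonces.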