nonce usage in authentication

后端 未结 2 1964
伪装坚强ぢ
伪装坚强ぢ 2021-02-04 05:38

In digest based authentication, nonce is generated by server. However in OAuth based authentication, nonce is generated by client. I want to know if anyone knows the reason for

2条回答
  •  时光说笑
    2021-02-04 05:56

    Nonces are used to make a request unique. In an authentication scheme without a nonce, a malicious client could generate a request ONCE and replay it MANY times, even if the computation is expensive. If the authentication schema requires the client to perform expensive computation for every single request, as the request is made unique by using a nonce, the replay attack is folded, as its speed just went from O(1) to O(N).

    The reason to have a client nonce is to prevent malicious clients do replay attacks.
    The reason to have a server nonce is to prevent a Man-in-the-Middle attacks, in case an attacker captures a valid server response, and tries to replay it to a client.

    http://en.wikipedia.org/wiki/Cryptographic_nonce has a nice explanation and diagram for how to use a nonce.

    http://en.wikipedia.org/wiki/Digest_access_authentication has a nice example of how nonces are used in the real world.

提交回复
热议问题