
I am making HTTP calls on the client side and the server expects me to supply a client nonce. It needs to be 4 bytes long. I am planning to use this combination:

base64(parts of the MAC address + random bits generated by RNG)

Given that the protocol is created by experts (thus its security is not to be questioned), is my nonce calculation acceptable in your view?

Comments

  • Use a CSPRNG if you aren't using one: en.wikipedia.org/wiki/… Commented Apr 23, 2014 at 23:53
  • It depends. What are the consequences of this nonce being spoofed? MACs are software configurable. They're not "burned into the hardware" of a NIC -- at least not for the last decade or more. You can change the MAC of a NIC as easily as opening a dialog and typing what you want it to be. So, if it's seriously bad if this thing is spoofed, then you shouldn't delude yourself into thinking a MAC is somehow secure by virtue of being theoretically globally unique (it's not even close). Commented Apr 24, 2014 at 9:54
  • If you are using the MAC Address then the RNG isn't very random. You do understand this, right? If this semi-random noise is not used for security then it should be fine. Commented May 5, 2014 at 10:51
  • Random 32 bit numbers collide pretty often. If you want uniqueness, use at least 120 bits. Commented Jul 4, 2014 at 13:13

1 Answer

From a cryptographic protocol perspective what is usually important about a nonce (number used once) is its one-timeness. Having it generated with a (P)RNG is rather a matter of convenience. If a cryptographic protocol has specific entropy requirements on a nonce or assumes it to be otherwise cryptographically secure in some way - that would be typically known, communicated or stated upfront, because that isn't a standard expectation.

I am making HTTP calls on the client side and the server expects me to supply a client nonce

This is a typical scenario for the prevention of a replay attack - relying on the one-timeness of certain parts of the client input.

I am planning to use this combination: base64(parts of the MAC address + random bits generated by RNG)

When you rely on parts of the MAC address as an input to a linear transformation, you are setting yourself up for an increased probability of the nonce repeating, increasing the chance of a successful replay attack; alternatively, you increase the chance of an adversary guessing your next nonce in advance, making her job easier in a sense.

Notwithstanding, in an expert-chosen cryptographic protocol (as assumed in the question) it will be more common for both parties to choose a nonce, mitigating an inadequate choice of nonce by only one party. With a server nonce and a client nonce, establishing a communication frequently looks like this:

  • server -> client: [snonce, challenge]
  • client -> server: [cnonce, f(cnonce, snonce, challenge)]

and when you don't choose cnonce adequately, or don't have a client nonce at all, an adversary can observe f(snonce, challenge) responses, where all the inputs are chosen by it, when it masquerades as a server. This can at times deteriorate to a chosen-plaintext attack.

I suggest that you simplify the nonce to be along the lines of,

cnonce = base64(random bits generated by RNG)

where your RNG has sufficient entropy. And if you need repeatability for test purposes, e.g. if you run your protocol client-side tests in a farm on different boxes, you can:

seed(RNG, parts of the MAC address)
cnonce = base64(random bits generated by RNG)

That way your tests on every box will be amenable for debugging.
