All geek questions in one place

One-way authentication, what does the timestamp and nonce mean?

http://technet.microsoft.com/en-us/library/cc767123.aspx

in this article, the client encrypts the timestamp, failure ID, and destination address. I can not understand what a timestamp is and what is a rebound?

+4
source share
1 answer

Both timestamp and nonce are ways to prevent a person from getting into a medium attack on mechansim authentication. They work a little differently, but the intention is the same - to provide a piece of data that is cryptographically integrated into the authentication mechanism, which will complicate or prevent an attacker from attacking the system by replaying the message. A typical mechanism is digital signature authentication. Anyway, here are the steps:

1 - make a message, attach a timestamp or a nonce message

2 - hash and message, and timestamp, or nonce

3 - encrypt the hash with the private key (i.e. sign it)

4 - send signature and message and nonce / timestamp

(this is the moment when the attacker receives it.

5 - the recipient receives the message.

6 - the recipient checks whether the signature matches the data sent (repeat step 2, decrypt the signature with the public key, compare with the hash)

7 - the receiver checks the timestamp or nonce:

a - mark the time stamp - the value of the time stamp must be within the acceptable range of the current time. Ideally, the entire system is served by a timestamp server that accurately determines what the "current time" is. If not, the system risks false negatives when the recipient incorrectly decides that the timestamp of the message is too old (or has not occurred yet) to fulfill the current time mismatch.

b - check nonce - verify that the received nonce was never received from this sender. Since the hash is unique to the contents of the message, this message MUST come from an authorized sender, because this message does not play.

8 - the recipient performs any further authorization and access control checks.

Important things:

  • either a timestamp or nonce MUST be part of a signature
  • The timestamp is good if you are concerned about repeat playback over a given time, but it requires good synchronization between servers, and it will always take some spectrum of errors, since many messages can be sent in the current time spectrum - for example, if the timestamp drops to the second then several messages (including retries) can be sent this second.
  • nonce requires a certain level of persistence, since it only works if uniqueness is guaranteed and verified. In addition, if a person in the middle can interrupt the sender, receive nonce and leave the sender from sending it, the person in the middle attack can still be successful.
+13
source

Source: https://habr.com/ru/post/1336364/

More articles:


All Articles