Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

In a HTTP scheme where the HMAC-SHA256 signature is sent as part of the Authoriz

ID: 657046 • Letter: I

Question

In a HTTP scheme where the HMAC-SHA256 signature is sent as part of the Authorization header, and the message input contains:

- The request method
- URL
- Post data
- Nonce
- Date HTTP header

How unique does the nonce need to be, or, for how long should the nonce be disallowed to be re-used?

For example, if I enforce uniqueness of (Date, nonce) rather than enforcing absolute uniqueness of the nonce on its own, have I introduced any weakness to replay or other kinds of attack?

When another second of time elapses, the signature changes (due to the Date header), so if I re-use a nonce from 1 second ago, it should not be a problem, right?

Explanation / Answer

You need to take in consideration the allowable time window (to compensate for Clock drift). If you allow Date's with a time window of plus/minus 10 minutes (total: 20 minutes) you need to use nonces that are unique on the whole time window, and you also need to store spent nonces from that time period.

To avoid a race situation where a nonce is being deleted from the "spent" list Before the Date: header of the used nonce has became invalid, it would be recommended to store the spent nonces from the last 40 minutes, and also use nonces that are unique for 40 minutes.

Then you have a practically a watertight solution.

In other Words, if you would allow a nonce to be reused after 1 second, a attacker can just resend the old request with the old date header, since if you allow a time window - which you must because you cannot ensure the client Clock is synced with the server, then you would accept a request with a spent nonce.

If you reallywant a good nonce, use H(Time, Nonce) where H is a decent hash function. Then you can use "non-unique" nonces as long as you dont generate 2 equal nonces the same second. Then you get unique hashes to use as nonces.

Related Questions

In a C++ code base I\'ve been working on, they have a bunch of instances of the
Question #654304
In a C++ program - Your state is in a process of creating a weekly lottery. Once
Question #3763661
In a C++ program design and implement a class dayType that implements the day of
Question #645240
In a C++ program design and implement a class dayType that implements the day of
Question #3857985
In a C++ program that doesn\'t contain legacy C code, is there a guideline regar
Question #654242
In a C++ program you need to store the identification numbers of 10 employees (a
Question #3582704
In a C++ program you need to store the identification numbers of 10 employees (a
Question #3843235
In a C++ program you need to store the identification numbers of 10 employees (a
Question #3843466
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
In a Gallup poll, adult survey subjects were asked “ Do you have a gun in your h
Next
In a HTTP session, client A transmits 1460 byte TCP segment to HTTP Server B wit

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.