Abstract
A nonce is a cryptographic input value which must never repeat within a given context. Nonces are important for the security of many cryptographic building blocks, such as stream ciphers, block cipher modes of operation, and message authentication codes. Nonetheless, the correct generation of nonces is rarely discussed in the cryptographic literature.
In this paper, we collect a number of nonce generators and describe their cryptographic properties. In particular, we derive upper bounds on the nonce collision probabilities of nonces that involve a random component, and lower bounds on the resulting nonce lengths.
We also discuss an important practical vulnerability of nonce-based systems, namely the nonce reset problem. While ensuring that nonces never repeat is trivial in theory, practical systems can suffer from accidental or even malicious resets which can wipe out the nonce generator's current state. After describing this problem, we compare the resistance of the described nonce generators to nonce resets by again giving formal bounds on collision probabilities and nonce lengths.
The main purpose of this paper is to help system designers who have to choose a suitable nonce generator for their application. Thus, we conclude by giving recommendations indicating the most suitable nonce generators for certain applications.
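As an added illustration of the quantities the abstract discusses (not code from the paper), the following Python computes the standard birthday-style upper bound q(q-1)/2^(n+1) on the collision probability of q random n-bit nonces and the nonce length it implies, then shows how a state reset affects a pure counter versus a counter with a fresh random prefix drawn at every start. The bound and the two generator designs are my assumptions for the example, not the paper's own constructions or its exact bounds.

```python
import secrets

def random_nonce_collision_bound(q: int, n: int) -> float:
    """Birthday-style upper bound (union bound over all pairs) on the
    probability that q uniformly random n-bit nonces contain a repeat."""
    return min(1.0, q * (q - 1) / 2 ** (n + 1))

def min_random_nonce_bits(q: int, max_prob: float) -> int:
    """Smallest nonce length n (bits) for which the bound is <= max_prob."""
    n = 1
    while random_nonce_collision_bound(q, n) > max_prob:
        n += 1
    return n

class CounterNonce:
    """Pure counter: collision-free until it wraps, but a reset restarts it
    at zero, so every post-reset nonce repeats an earlier one."""
    def __init__(self, bits: int):
        self.bits, self.ctr = bits, 0
    def reset(self) -> None:
        self.ctr = 0
    def next(self) -> bytes:
        v, self.ctr = self.ctr, self.ctr + 1
        return v.to_bytes(self.bits // 8, "big")

class PrefixedCounterNonce:
    """Counter prefixed with a random value drawn at every (re)start. After a
    reset, a repeat requires the new prefix to equal an old one, which
    random_nonce_collision_bound() bounds for the prefix length."""
    def __init__(self, prefix_bits: int, counter_bits: int):
        self.pb, self.cb = prefix_bits, counter_bits
        self.reset()
    def reset(self) -> None:
        self.prefix, self.ctr = secrets.randbits(self.pb), 0
    def next(self) -> bytes:
        v, self.ctr = (self.prefix << self.cb) | self.ctr, self.ctr + 1
        return v.to_bytes((self.pb + self.cb) // 8, "big")

def collisions_across_reset(gen, before: int, after: int) -> int:
    """Generate `before` nonces, wipe the generator state, generate `after`
    more, and count how many post-reset nonces repeat an earlier one."""
    seen = {gen.next() for _ in range(before)}
    gen.reset()
    return sum(gen.next() in seen for _ in range(after))

if __name__ == "__main__":
    print(min_random_nonce_bits(2 ** 32, 2 ** -32))                          # 95
    print(collisions_across_reset(CounterNonce(64), 1000, 100))               # 100
    print(collisions_across_reset(PrefixedCounterNonce(64, 32), 1000, 100))   # 0
```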
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zenner, E. (2009). Nonce Generators and the Nonce Reset Problem. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_33
DOI: https://doi.org/10.1007/978-3-642-04474-8_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04473-1
Online ISBN: 978-3-642-04474-8