0

Alice wants to talk to Bob.

Bob validates Alice is Alice by sending Alice a nonce.

Alice encrypts the nonce with a key.

Ben also knows what this key is.

Ben cannot remember asking Alice for communication due to the fact that he is operating on a stateless server. To get around this Alice send Ben his first communication request by sending the original nonce along with the encrypted nonce.

Would I be right in saying this is insecure because if this message containing the original nonce and the encrypted nonce were to be intercepted by a hacker - the two could be reverse engineering and the key 'K' could be obtained?

thanks

user2863323
  • 345
  • 2
  • 3
  • 13
  • 1
    The word *nonce* comes from Middle English meaning something along the lines of "the one purpose". It even has the word *once* in it! – Jonathon Reinhart Dec 05 '13 at 00:27

1 Answers1

0

I initially wanted to say "don't give the raw string and the encrypted string", but that's pretty much the same as posting the raw data along with the HMAC-hash of the data + secret key at the end. If you're confident that your encryption algorithm is good and you are using a secret key then I don't see how this could be an issue.

However, the entire point of a nonce is to be used ONCE. Alice sends Bob a request with a nonce, and Bob knows that if he gets a request from Alice with that same nonce, ignore it, because it likely came from an attacker and not Alice herself. So you shouldn't be doing this in the first place.

jraede
  • 6,846
  • 5
  • 29
  • 32