Cryptographic nonce

From Wikipedia, the free encyclopedia
Typical client-server communication during a nonce-based authentication process including both a server nonce and a client nonce.

In security engineering, a nonce is an arbitrary number used only once to sign a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. For instance, nonces are used in HTTP digest access authentication to calculate an MD5 digest of the password. The nonces are different each time the 401 authentication challenge response code is presented, thus making replay attacks virtually impossible.
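
The replay protection described above for HTTP digest access authentication, as an added example that is not part of the original article: a server issues a fresh nonce per challenge, checks the MD5 response with the RFC 2617 qop=auth formula, and rejects a repeated message. The class and function names, the realm and the credentials are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # constructed sample credentials
        self.last_nc = {}       # issued nonce -> highest request count accepted

    def challenge(self):
        nonce = secrets.token_hex(16)  # fresh 128-bit server nonce per 401 challenge
        self.last_nc[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.last_nc or user not in self.users:
            return False            # nonce never issued here, or unknown user
        try:
            count = int(nc, 16)
        except ValueError:
            return False
        if count <= self.last_nc[nonce]:
            return False            # this (nonce, nc) pair was already accepted: replay
        expected = digest_response(user, self.realm, self.users[user],
                                   method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return False
        self.last_nc[nonce] = count
        return True

def demo():
    server = DigestServer("example", {"alice": "correct horse"})
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    resp = digest_response("alice", "example", "correct horse",
                           "GET", "/inbox", nonce, "00000001", cnonce)
    msg = ("alice", "GET", "/inbox", nonce, "00000001", cnonce, resp)
    first = server.verify(*msg)     # genuine request
    replay = server.verify(*msg)    # identical captured message sent again
    moved = server.verify(*msg[:3], server.challenge(), *msg[4:])  # old response, new nonce
    return first, replay, moved
```

The server keeps per-nonce state (the highest request count accepted), which is what lets it refuse a captured message that is otherwise valid.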

A nonce may be used to ensure security for a stream cipher. Where the same key is used for more than one message, a different nonce is used for each message so that the keystream differs between messages encrypted with that key. Often the message number is used as the nonce.

Some also refer to initialization vectors as nonces for the above reasons. To ensure that a nonce is used only once, it should be time-variant (including a suitably fine-grained timestamp in its value), or generated with enough random bits to ensure a probabilistically insignificant chance of repeating a previously generated value. Some authors define pseudorandomness (or unpredictability) as a requirement for a nonce.[1]

Another example is the bitcoin protocol. Each block in the block chain is signed by a nonce (which must be found by trial and error by a "miner") such that the hash of the block, including the nonce and the prior block hash string, has a specified number of leading zeros. This nonce is computationally non-trivial to find and serves to prevent counterfeiting and double spending.

References

  1. Nonce-Based Symmetric Encryption