Clarification about nonce
Answered
Hello,
I'm experimenting with Python and I'm able to create a digest auth key by using the API/getNonce API.
From my understanding (https://en.wikipedia.org/wiki/Cryptographic_nonce) I should be able to use this key only once but this is not the case.
Am I understanding something wrong?
Best regards
Cisco
-
Official comment
Hello francesco cervellera,
First of all, although I am a Wikipedia fan, when a certain operation is under discussion it is always better to refer to the RFC that describes the standard underneath it. In this case it's RFC 2069, An Extension to HTTP: Digest Access Authentication.
More specifically, we need to take a closer look at the sections:
2.1.1, which describes the authentication response header:
The contents of the nonce are implementation dependent. The quality of the implementation depends on a good choice.
3.2, which describes replay attacks and the possible ways of protecting against them:
The server created "nonce" value is implementation dependent, but if it contains a digest of the client IP, a time-stamp, and a private server key (as recommended above) then a replay attack is not simple. An attacker must convince the server that the request is coming from a false IP address and must cause the server to deliver the document to an IP address different from the address to which it believes it is sending the document. An attack can only succeed in the period before the time-stamp expires. Digesting the client IP and time-stamp in the nonce permits an implementation which does not maintain state between transactions.
This document indeed contains wording to the effect that some servers could generate one-time nonces, but it is never stated that it must be this way.
The nonces generated by Nx Server expire 5 minutes after being generated. BTW, this information is available in the API documentation:

Let me know if you have any further questions.
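To make the stateless scheme from RFC 2069 section 3.2 concrete, here is an added example (not Nx Server's code, and not from the RFC) of a server building a nonce as time-stamp plus a digest of client IP, time-stamp and a private server key, and then validating it with a 5-minute lifetime. It assumes a constructed PRIVATE_SERVER_KEY and uses HMAC-SHA256 in place of the RFC's plain hash H(); the demo reproduces the behaviour asked about above: the same nonce is accepted repeatedly until it expires.

```python
import base64
import hashlib
import hmac
import time

# Constructed example key; a real server would load its secret from configuration.
PRIVATE_SERVER_KEY = b"example-private-server-key"
NONCE_LIFETIME = 300  # seconds: the 5-minute expiry the answer states for Nx Server

def make_nonce(client_ip, now=None):
    """time-stamp H(client-IP ":" time-stamp ":" private-key), RFC 2069 section 3.2.
    HMAC-SHA256 stands in for the RFC's H(); the time-stamp travels in the clear
    so the server can re-derive the digest later without storing the nonce."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(PRIVATE_SERVER_KEY, f"{client_ip}:{ts}".encode(), hashlib.sha256)
    return base64.b64encode(f"{ts}:{mac.hexdigest()}".encode()).decode()

def check_nonce(nonce, client_ip, now=None):
    """Stateless check returning (accepted, reason). Nothing records which nonces
    were issued or used, so the same nonce passes repeatedly until it expires."""
    current = int(time.time() if now is None else now)
    try:
        ts_text, digest = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        ts = int(ts_text)
    except ValueError:  # covers bad base64 (binascii.Error), missing ":" and bad int
        return False, "malformed"
    expected = hmac.new(PRIVATE_SERVER_KEY, f"{client_ip}:{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch (different client IP or forged nonce)"
    if ts > current + 5:  # small clock-skew allowance
        return False, "time-stamp in the future"
    if current - ts > NONCE_LIFETIME:
        return False, "expired"
    return True, "ok"

def demo():
    """Reproduce the question: reuse inside the 5-minute window is accepted."""
    issued_at = 1_700_000_000
    nonce = make_nonce("203.0.113.7", now=issued_at)
    return [
        check_nonce(nonce, "203.0.113.7", now=issued_at + 10),   # first use
        check_nonce(nonce, "203.0.113.7", now=issued_at + 20),   # reuse, still accepted
        check_nonce(nonce, "198.51.100.9", now=issued_at + 20),  # presented from another IP
        check_nonce(nonce, "203.0.113.7", now=issued_at + 301),  # past the 5-minute lifetime
        check_nonce("not-a-nonce", "203.0.113.7", now=issued_at),
    ]
```

Making a nonce genuinely single-use requires the server to remember which nonces it has already accepted (or to track a per-nonce request counter), which is exactly the per-transaction state the RFC 2069 construction lets it avoid.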
-
Thanks for the clarification.