Collaborate Disseminate
Websockets don’t support sending auth tokens during websocket handshake as part of HTTP headers, rather only via query parameters. This has a security risk of leaking these tokens in server logs. However, if we create these JWT tokens with… Continue reading Is it secure to send JWT tokens in url query parameters if we use nonce to make it a one time token?
I am attempting to perform real time decryption of TLS 1.3 packets (TLS_AES_256_GCM_SHA384). I have retrieved the mastersecrets for the specific flow by using uprobes on OpenSSL, and matched the mastersecrets to the flow using ClientRandom… Continue reading Real Time Decryption of TLS 1.3 packets Asked today Modified today [closed]
In general, I understand that nonces are used to prevent replay attacks, but in the case of a TLS 1.3 handshake, the Client/Server Hello message contains their public keys. Considering that keys are randomized every time (as in the case of… Continue reading What purpose do nonces serve in the TLS 1.3 handshake?
The ACME protocol defines the use of a replay nonce to prevent replay attacks.
I understand what replay attacks are and why it’s important to prevent them in certain scenarios. But I can’t think of a scenario where a replay attack would be… Continue reading Possible scenario for replay attack in acme protocol
I’m building an high velocity auth system, used both for user to machine and machine to machine authentication and authorization. To prevent a replay attack I’m adding a nonce to each request, but in order to avoid a roundtrip the nonce is… Continue reading Adding salt to TOTP
I’m in the process of evaluating adding WebAuthn/Passkey support to a website, and I’m not really sure how to properly manage challenge nonces.
My understanding is that the main reason for using challenge nonces is to prevent replay attack… Continue reading How to properly manage WebAuthn challenges?
Choosing a proper nonce is a vital part of every symmetric-key encrypted communication, and it is mandatory that every encrypted message has a unique nonce. It can be shown that using a nonce twice with the same key has such catastrophic e… Continue reading Why do nonce misuse resistant schemes mac the plaintext? [migrated]
Question
The question is in the title, but here are more details:
I want my server to have an upload endpoint (single POST for small data or multipart for larger data) where clients can upload data.
However:
Clients can upload only encryp… Continue reading Verifying that certain data is encrypted (or at least indistinguishable from random data)
In RFC7616 for Digest Authentication, the nonce count (nc) is described as
The nc value is the hexadecimal count of the number of requests (including the current request) that the client has sent with the nonce value in this request.
and… Continue reading Usage of Nonce Count in digest authentication
In digest authentication we use something that is called cnonce.
According to RFC7616:
This parameter MUST be used by all implementations. The cnonce value is an opaque quoted ASCII-only string value provided by the client and used by bot… Continue reading What is cnonce in Digest Authentication