Why should a time-based nonce be avoided?
In challenge-response mechanisms (and other systems), it is advised not to use time-based nonces.

Why should they be avoided?

Lucknow asked 7/3, 2017 at 8:23 Comment(1)
It would have been better to post this on either Cryptography or Information Security.Twist

(Disclaimer: I have no degree in crypto, everything I wrote is just a layman's opinion.)

Using time-based nonces is discouraged because they are likely to collide incidentally and are easy to implement in the wrong way.

Nonces (“numbers used only once”) are not the same thing as secret keys or initialization vectors. The ciphers that use them are usually designed bearing in mind that:

  • exposing nonces to the attacker doesn't harm security as long as the secret key is not compromised;
  • nonces don't have to be random at all, all they have to be is unique for a given secret key.

So, it's perfectly okay to select zero as the starting nonce and increment it before sending each successive message. Nonce predictability is not an issue at all.

The sole reason why time-based nonces are discouraged is the probable backward clock adjustments. If your system's NTP service rewinds your clock by two seconds, then you are likely to send two encrypted messages with the same nonce within a short period of time. If you can guarantee that no clock rewinds will ever happen, then go ahead.

Another point against time-based nonces is that the clock resolution may not be enough to provide each message with a unique number.

UPD:

Using counter-based or time-based nonces is safe in terms of encryption strength. However, they may weaken your security system by providing an attacker with additional information, namely how many messages the system has already sent, the average message rate, the number of clients it serves simultaneously, and so on. The attacker may be able to use this information to their advantage. That's called a side-channel attack.
Heptane answered 26/3, 2018 at 1:28 Comment(0)
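The two failure modes named in this answer, a coarse clock tick and an NTP step backwards, worked through as an added example that is not part of the answer. The clock readings are constructed, the 96-bit nonce width matches what AES-GCM and ChaCha20 take, and the stream cipher is a toy HMAC-SHA256 keystream standing in for a real one: the only property it shares with the real ciphers is that the same key and nonce produce the same keystream, which is what makes a repeated nonce a two-time pad. The second generator is the usual fix, a counter seeded from the clock that never steps backwards.

```python
import hashlib
import hmac

NONCE_LEN = 12  # 96-bit nonce, the size AES-GCM and ChaCha20 expect


def timestamp_nonce(now_us: int) -> bytes:
    """Naive scheme from the answer: the nonce is just the clock reading."""
    return now_us.to_bytes(NONCE_LEN, "big")


class MonotonicNonceSource:
    """Clock-seeded counter: never repeats even if the clock steps back
    or ticks too coarsely; it merely drifts ahead of wall time instead."""

    def __init__(self) -> None:
        self.last = -1

    def next(self, now_us: int) -> bytes:
        self.last = max(self.last + 1, now_us)
        return self.last.to_bytes(NONCE_LEN, "big")


def repeated(nonces) -> set:
    """Return every nonce that occurs more than once in the sequence."""
    seen, dup = set(), set()
    for n in nonces:
        if n in seen:
            dup.add(n)
        seen.add(n)
    return dup


# Constructed clock readings in microseconds: two messages inside one tick
# (coarse resolution), then NTP steps the clock back by two microseconds.
CLOCK_READINGS = [1_000_000, 1_000_001, 1_000_001, 999_999, 1_000_000, 1_000_001]


def timestamp_run() -> set:
    return repeated(timestamp_nonce(t) for t in CLOCK_READINGS)


def monotonic_run() -> set:
    src = MonotonicNonceSource()
    return repeated(src.next(t) for t in CLOCK_READINGS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream (illustration only, not a real cipher):
    block i of the stream is HMAC-SHA256(key, nonce || i)."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def recover_with_reused_nonce(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """With one keystream under both messages, c1 ^ c2 == p1 ^ p2, so a known
    p1 hands over the keystream prefix and with it as much of p2 as it covers."""
    ks = bytes(a ^ b for a, b in zip(c1, known_p1))
    return bytes(a ^ b for a, b in zip(c2, ks))


# Constructed key and plaintexts for the two-time-pad demonstration.
KEY = bytes(range(32))
P1 = b"GET /health HTTP/1.1 token=000000"
P2 = b"GET /admin  HTTP/1.1 token=s3cr3t"


def two_time_pad_demo() -> bytes:
    nonce = timestamp_nonce(1_000_000)  # clock stepped back: same nonce twice
    c1 = encrypt(KEY, nonce, P1)
    c2 = encrypt(KEY, nonce, P2)
    return recover_with_reused_nonce(c1, P1, c2)


if __name__ == "__main__":
    print("timestamp nonces repeated:", len(timestamp_run()))   # 2
    print("monotonic nonces repeated:", len(monotonic_run()))   # 0
    print("recovered second plaintext:", two_time_pad_demo())
```

The `max(self.last + 1, now_us)` line is the whole fix: the clock only ever moves the counter forward, so a rewind or a coarse tick costs nothing but a slightly inflated nonce. Note that a real deployment has to persist `last` across restarts, or the counter restarts at the clock and the rewind problem returns.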

a time or counter based nonce could lead to a scenario where an attacker can prepare in advance ... that alone usually won't break a system, but it is one step in the wrong direction... unpredictable nonces usually don't hurt...

Sunbathe answered 7/3, 2017 at 12:37 Comment(4)
Thanks. Wikipedia: "It is important not to use time-based nonces, as these can weaken servers in different time zones and servers with inaccurate clocks" What does it mean?Lucknow
that highly depends on the underlying protocol ... but if an attacker can learn about a nonce that will be used in a future communication, that usually is not a good thingSunbathe
What about "time zone"? Why does the time zone weaken the protocol?Lucknow
if your nonce is for example just the local time, for example as a unix timestamp 1488979879, and you have another server in a time zone with an offset of +0100 compared to your local time, that very same nonce might be used one hour from the time when it was used by the first server... and of course that is very deterministic ... for example if you have an ECDSA signature ... and your random component while signing is such a nonce, then you could possibly calculate the private key from those 2 signaturesSunbathe

© 2022 - 2024 — McMap. All rights reserved.