Cryptography Reference
In-Depth Information
is unrealistic. The most compelling such example is probably mobile phone
networks, where it is impractical to rely on millions of handsets throughout
a network keeping an accurately synchronised notion of clock-based time (see
Section 12.3.4).
8.2.3
Nonce-based mechanisms
One problem that is shared by both clock-based mechanisms and sequence
numbers is the need for some integrated infrastructure. In the former this was
a shared clocking mechanism, in the latter it was a synchronised database of
sequence numbers.
Nonce-based
mechanisms do not have this need. Their only
requirement is the ability to generate
nonces
(literally, 'numbers used only once'),
which are randomly generated numbers for one-off use. Note that the term 'nonce'
is sometimes used, more literally, to mean numbers that are
guaranteed
to be used
only once. We will use it in a slightly more relaxed way to mean numbers that
with high probability
are used only once.
The general principle is that Alice generates a nonce at some stage in a
communication session (protocol). If Alice receives a subsequent message that
contains this nonce then Alice has assurance that the new message is fresh, where
by 'fresh' we mean that the received message must have been created
after
the
nonce was generated.
To see why freshness is provided here, recall that the nonce was generated
randomly for one-off use. As we know from Section 8.1, a good random number
generator should not produce predictable output. Thus it should be impossible
for an adversary to be able to anticipate a nonce in advance. If the same nonce
reappears in a later message then it must be the case that this later message was
created by someone
after
the generation of the nonce. In other words, the later
message is fresh.
We re-emphasise this important point by considering the simplest possible
example. Suppose that Alice generates a nonce and then sends it in the clear to
Bob. Suppose then that Bob sends it straight back. Consider the following three
claims about this simple scenario:
Alice cannot deduce anything from such a simple scenario
. This is not true,
although it is true that she cannot deduce very much. She has just received
a message consisting of a nonce from someone. It could be from anyone.
However, it consists of a nonce that she has just generated. This surely is no
coincidence! What this means is that it is virtually certain that whoever sent the
nonce back to her (and it might not have been Bob) must have seen the nonce
that Alice sent to Bob. In other words, this message that Alice has just received
was almost certainly sent by someone
after
Alice sent the nonce to Bob. In
other words, the message that Alice has just received is not authenticated, but
it is fresh.
