Cryptography Reference
In-Depth Information
There is a chance that the nonce could have been generated before
. This is
certainly true, there is a 'chance', but if we assume that the nonce has been
generated using a secure mechanism and that the nonce is allowed to be
sufficiently large then it is a very small chance. This is the same issue that
arises for any cryptographic primitive. If Alice and Bob share a symmetric
key that was randomly generated then there is a 'chance' that an adversary
could generate the same key and be able to decrypt ciphertexts that they
exchange. What we can guarantee is that by generating the nonce using a
secure mechanism, the chance of the nonce having been used before is so small
that we might as well forget about it.
Since a nonce was used, Bob is sure that the message from Alice is fresh
. This
is not true, he certainly cannot. As far as Bob is concerned, this nonce is just a
number. It could be a copy of a message that was sent a few days before. Since
Bob was not looking over Alice's shoulder when she generated the nonce, he
gains no freshness assurance by seeing it. If Bob has freshness requirements of
his own then he should also generate a nonce and request that Alice include it
in a later message to him.
Nonce-based mechanisms do not suffer from any of the problems that we
identified for the previous freshness mechanisms, except for the familiar need
to set a window of acceptance beyond which a nonce will no longer be regarded as
fresh. After all, in our simple example we stated that Bob sent the nonce 'straight
back'. How much delay between sending and receiving the nonce should Alice
regard as being 'straight back'? Nonce-basedmechanisms do, however, come with
two costs:
1. Any entity that requires freshness needs to have access to a suitable generator,
which is not the case for every application.
2. Freshness requires a minimum of two message exchanges, since it is only
obtained when one entity receives a message back from another entity to
whom they earlier sent a nonce. In contrast, clock-based mechanisms and
sequence numbers can be used to provide freshness directly in one message
exchange.
8.2.4
Comparison of freshness mechanisms
Choosing an appropriate freshness mechanisms is application dependent. The
appropriate mechanism depends on which of the various problems can best be
overcome in the environment in which they will be deployed. Table 8.2 contains a
simplified summary of the main differences between the three types of freshness
mechanism that we have discussed.
Note that there are other differences that might be influential in selecting a
suitable freshness mechanism for an application. For example, sequence numbers
and nonces are not, by definition, bound to a notion of clock-based time. Hence, if
using thesemechanisms in an application that requires a notion of 'timeliness' (for
