Nonce's are used to make a request unique. In an authentication scheme without a nonce, a malicious client could generate a request ONCE and replay it MANY times, even if the computation is expensive. If the authentication schema requires the client to perform expensive computation for every single request, as the request is made unique by using a nonce, the replay attack is folded, as its speed just went from O(1) to O(N).
The reason to have a client nonce is to prevent malicious clients do replay attacks.
The reason to have a server nonce is to prevent a Man-in-the-Middle attacks, in case an attacker captures a valid server response, and tries to replay it to a client.
http://en.wikipedia.org/wiki/Cryptographic_nonce ?has a nice explanation and diagram for how to use a nonce.
http://en.wikipedia.org/wiki/Digest_access_authentication ?has a nice example of how nonces are used in the real world.
更多文章、技術交流、商務合作、聯系博主
微信掃碼或搜索:z360901061
微信掃一掃加我為好友
QQ號聯系: 360901061
您的支持是博主寫作最大的動力,如果您喜歡我的文章,感覺我的文章對您有幫助,請用微信掃描下面二維碼支持博主2元、5元、10元、20元等您想捐的金額吧,狠狠點擊下面給點支持吧,站長非常感激您!手機微信長按不能支付解決辦法:請將微信支付二維碼保存到相冊,切換到微信,然后點擊微信右上角掃一掃功能,選擇支付二維碼完成支付。
【本文對您有幫助就好】元
