身份验证中的nonce用法 [英] nonce usage in authentication

问题描述

在基于摘要的身份验证中，nonce由服务器生成。但是，在基于OAuth的身份验证中，nonce由客户端生成。我想知道是否有人知道差异的原因？

In digest based authentication, nonce is generated by server. However in OAuth based authentication, nonce is generated by client. I want to know if anyone knows the reason for the difference?

推荐答案

Nonce用于使请求唯一。在没有随机数的认证方案中，恶意客户端可以生成请求ONCE并重播多次，即使计算成本很高。如果身份验证模式要求客户端为每个请求执行昂贵的计算，则通过使用nonce使请求变得唯一，折叠攻击将被折叠，因为其速度从O（1）变为O（N）。

Nonces are used to make a request unique. In an authentication scheme without a nonce, a malicious client could generate a request ONCE and replay it MANY times, even if the computation is expensive. If the authentication schema requires the client to perform expensive computation for every single request, as the request is made unique by using a nonce, the replay attack is folded, as its speed just went from O(1) to O(N).

拥有客户端nonce的原因是为了防止恶意客户端重放攻击。

拥有服务器nonce的原因是为了防止man中间人攻击，以防攻击者捕获有效的服务器响应，并尝试将其重播给客户端。

The reason to have a client nonce is to prevent malicious clients do replay attacks.
The reason to have a server nonce is to prevent a Man-in-the-Middle attacks, in case an attacker captures a valid server response, and tries to replay it to a client.

http://en.wikipedia.org/wiki/Cryptographic_nonce 有一个很好的解释和关于如何使用随机数的图表。

http://en.wikipedia.org/wiki/Cryptographic_nonce has a nice explanation and diagram for how to use a nonce.

http://en.wikipedia.org/wiki/Digest_access_authentication 有一个很好的例子nonces在现实世界中使用。

http://en.wikipedia.org/wiki/Digest_access_authentication has a nice example of how nonces are used in the real world.

这篇关于身份验证中的nonce用法的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！