Need help understanding nonce

Question

I have a question about nonce. I understand it's to prevent replay attacks but what happens if the hacker somehow got the nonce and uses it before the user does?

Recommended answer

The purpose of a nonce is to make each request unique so that an attacker can't replay a request in a different context. It doesn't matter if the attacker gets the nonce: in fact the point is that because the data includes a nonce, it won't be useful to the attacker.

Added:

A nonce is randomly generated by the party that introduces it into the conversation. It's crucial that an attacker cannot influence the choice of the nonce, and sometimes that the attacker can't predict that choice. It's quite typical that each party generates at least one nonce in a run of a distributed protocol.

There are protocols where a nonce is kept secret. A session key can be both a nonce (i.e., chosen randomly by one participant) and a secret (i.e., not transmitted directly over the wire). In fact, in a well-designed protocol, a session key is often derived from two nonces, one coming from each party. But being secret is not a defining property of nonces.

Let's take the authentication protocol on the Wikipedia page as an example. The normal sequence of operations is:

  1. The client initiates a connection to the server.
  2. The server generates and sends a nonce snonce back to the client.
  3. The client generates another nonce cnonce, and sends it plus a hash of its credentials, the server nonce and the client nonce (hash(snonce + cnonce + password)) to the server.
  4. The server validates the hash and accepts or declines the logon.

Suppose Mallory (an attacker) can observe all traffic and send her own messages. If she gets hold of the nonce after step 2, she can send her own credentials to the server. This might help her cause a denial of service, but she can do that anyway if she can inject traffic. Without the client's credentials, she can't impersonate the client.

Suppose Mallory gets hold of the packet sent by the client in step 3. Since the credentials and the nonce are hashed, she can't modify the packet, she can only send it again as a whole. Again, depending on how the server implements the protocol, she might be able to cause a denial of service, but no more. (Note that this protocol requires that the server keeps track of which nonce is associated with which client and responds to that client in step 4.) The hashing operation in step 3 is what keeps Mallory from obtaining data she mustn't get (the client's password).

To see why the server nonce is there, suppose it was missing. Then Mallory would be able to obtain a packet containing hash(cnonce + password), and she could resend it later in a separate connection and thereby impersonate the client.

The client nonce serves a similar purpose, although this is not apparent in the simplified protocol described here; in a full protocol, the "token" would include a hash of data containing this nonce, and it would participate in preventing Mallory from impersonating the server.

The client nonce also serves to prevent a password guessing attack. Suppose Mallory intercepts the server's response at step 2 and substitutes her own server nonce. If the client replied with hash(snonce + password), this would make it easier for Mallory to run a mass password guessing attack: she could precompute hash(snonce + x) for many "easily guessable" passwords x, and run her attack on many clients in the hope that one has a weak password. Here the client nonce acts as a salt for the hashed password.

The client nonce also contributes to protecting the client from a badly implemented server. Suppose the server did not generate a random nonce but instead a constant that Mallory could easily find by observing traffic. Then Mallory could perform the guessing attack described in the previous paragraph passively. Thus the client nonce gives the client additional protection even if the server doesn't implement the protocol correctly. Similarly, the server nonce gives the server some protection against a client that didn't generate its nonce properly, again by requiring Mallory to attack the client actively if she wants to run a password guessing attack. This is a common scenario: each party's nonce offers that party some protection even if another party deviates from the protocol.
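
The four-step exchange from the answer above, as an added example that is not part of the original answer: the server binds a fresh `snonce` to each connection and consumes it on verification, so a captured step-3 packet fails on any other connection, while the variant without a server nonce accepts it. The names `Server`, `response`, `client_login`, `replay_accepted` and the connection ids are assumptions, and length-prefixed SHA-256 stands in for the answer's `hash(snonce + cnonce + password)`.

```python
import hashlib
import hmac
import secrets

def response(snonce: bytes, cnonce: bytes, password: bytes) -> bytes:
    # Step 3 value. Each field is length-prefixed (an added detail) so that
    # the boundaries between snonce, cnonce and password are unambiguous.
    h = hashlib.sha256()
    for field in (snonce, cnonce, password):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

class Server:
    def __init__(self, password: bytes, use_snonce: bool = True):
        self.password = password
        self.use_snonce = use_snonce      # False models the "missing snonce" case
        self.pending = {}                 # connection id -> snonce issued to it

    def challenge(self, conn_id: str) -> bytes:
        # Step 2: an unpredictable nonce, remembered per connection.
        snonce = secrets.token_bytes(16) if self.use_snonce else b""
        self.pending[conn_id] = snonce
        return snonce

    def verify(self, conn_id: str, cnonce: bytes, digest: bytes) -> bool:
        # Step 4: pop() makes the nonce single-use; unknown connections fail.
        snonce = self.pending.pop(conn_id, None)
        if snonce is None:
            return False
        expected = response(snonce, cnonce, self.password)
        return hmac.compare_digest(expected, digest)

def client_login(server: Server, conn_id: str, password: bytes):
    snonce = server.challenge(conn_id)
    cnonce = secrets.token_bytes(16)
    digest = response(snonce, cnonce, password)
    return cnonce, digest, server.verify(conn_id, cnonce, digest)

def replay_accepted(use_snonce: bool) -> bool:
    """Genuine login on conn-A, then the same step-3 packet resent on conn-B."""
    password = b"constructed-password"    # constructed sample value
    server = Server(password, use_snonce)
    cnonce, digest, ok = client_login(server, "conn-A", password)
    if not ok:
        raise RuntimeError("genuine login should succeed")
    server.challenge("conn-B")            # new connection gets its own snonce
    return server.verify("conn-B", cnonce, digest)
```

`replay_accepted(True)` is `False` and `replay_accepted(False)` is `True`, which is the difference the server nonce makes.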
