Comments on: A modified Nonce implementation http://bhavin.directi.com/a-modified-nonce-implementation/ Tue, 7 Sep 2010 09:45:29 +0000 http://wordpress.org/?v=2.9.1 hourly 1 By: fivefigers shoe http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-16367 fivefigers shoe Thu, 15 Jul 2010 08:21:13 +0000 http://bhavin.directi.com/?p=49#comment-16367 Although vibram flow walking over gravel in my Vibrams was a little vibram sprint uncomfortable, the rest of the hike was extremely fun and vibram fivefingers kso enjoyable. I am wanting to work out in my vibram 5fingers every day!Most of the vibram shoes sale, the fact that it is indeed more harm than good. The problem is that these shoes in order to “protect” in such a way that they should not be his leg. After the over-built five finger shoes muscles, tendons and ligaments of the lower limb atrophy conclusions. This is because your five fingers shoe do the work, your legs and feet should do.http://www.fivefingeronline.com/ Although vibram flow walking over gravel in my Vibrams was a little vibram sprint uncomfortable, the rest of the hike was extremely fun and vibram fivefingers kso enjoyable. I am wanting to work out in my vibram 5fingers every day!Most of the vibram shoes sale, the fact that it is indeed more harm than good. The problem is that these shoes in order to “protect” in such a way that they should not be his leg. After the over-built five finger shoes muscles, tendons and ligaments of the lower limb atrophy conclusions. This is because your five fingers shoe do the work, your legs and feet should do.http://www.fivefingeronline.com/

]]> By: qerer http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-15317 qerer Sun, 06 Dec 2009 13:55:12 +0000 http://bhavin.directi.com/?p=49#comment-15317 I received my<a href="http://www.mytobling.com/ugg-ultra-short-boots -c-42.html"><strong> ugg ultra short</strong></a> today, very impressed. They are like sort of a massive slipper, soft, easy to wear and light. GREAT <a href="http://www.mytobling.com/ugg-ultra-tall-boots-c- 43.html"><strong>ugg ultra tall</strong></a> THANK YOU QUICK SERVICE. I received my ugg ultra short today, very

impressed. They are like sort of a massive slipper, soft, easy to

wear and light.
GREAT ugg ultra tall THANK YOU QUICK SERVICE.

]]> By: Bhavin Turakhia http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-231 Bhavin Turakhia Wed, 10 Sep 2008 20:20:14 +0000 http://bhavin.directi.com/?p=49#comment-231 @shreyas: actually this is something I am aware of. Most servers will not store a plaintext password. In this case it is assumed that the client will hash the plaintext password and then rehash the resulting hash with the nonce. In most cases one-way hashes on the server do not need salt. They are only meant to ensure someone looking at the hash cannot reverse engineer the password @shreyas: actually this is something I am aware of. Most servers will not store a plaintext password. In this case it is assumed that the client will hash the plaintext password and then rehash the resulting hash with the nonce. In most cases one-way hashes on the server do not need salt. They are only meant to ensure someone looking at the hash cannot reverse engineer the password

]]> By: Shreyas Doshi http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-212 Shreyas Doshi Sun, 07 Sep 2008 19:13:12 +0000 http://bhavin.directi.com/?p=49#comment-212 Hey Bhavin - one assumption in this scheme is that the server has knowledge of the actual password. Its fine to make that assumption, but it does mean that this scheme cannot be used in a vast majority of cases. Most (good) authentication systems don't store the plaintext password on the server, but rather, a one-way hash of it (possibly with some salt). Hey Bhavin – one assumption in this scheme is that the server has knowledge of the actual password. Its fine to make that assumption, but it does mean that this scheme cannot be used in a vast majority of cases. Most (good) authentication systems don’t store the plaintext password on the server, but rather, a one-way hash of it (possibly with some salt).

]]> By: Bhavin Turakhia http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-199 Bhavin Turakhia Mon, 01 Sep 2008 07:42:30 +0000 http://bhavin.directi.com/?p=49#comment-199 @cbas - this is a modified nonce implementation so let me explain / answer your queries. firstly the timestamp is NOT only for minimizing collisions - it can be useful for many other scenarios described below. one reason for expiry timestamps is to not have to store the nonce on the server. this reduces code complexity and enables clustering easily. for eg if you have a multiple server web cluster giving out these nonce's you will need to have a central store for the nonce incase the subsequent auth request goes to another server in the cluster (which btw is also the reason why memcached is the perfect store for nonce's incase you do choose to go with the server store method as opposed to the timestamp method) additionally, there are more reasons for maintaining expiry time - which is preventing replay calls if the client call is lost. for eg, lets say a client sends a nonce request. the client's subsequent request is logged by a middle-man. for some reason the client call never reaches the server. now the server continues to store the nonce. subsequently the man-in-the-middle can send in this call a few minutes later with modified params. to avoid this - the server maintains an expiry - which means that the nonce can only be used within a time window. this once again makes memcached an excellent choice for the nonce store since memcached has a content-expiry field that can be set on any content and it will itself take care of the expiry lastly offcourse even if there is no man-in-the-middle, we do not want the server caching thousands of nonce's forever if any rogue or broken clients request nonce's but never make the subsequent auth call @cbas – this is a modified nonce implementation so let me explain / answer your queries.

firstly the timestamp is NOT only for minimizing collisions – it can be useful for many other scenarios described below.

one reason for expiry timestamps is to not have to store the nonce on the server. this reduces code complexity and enables clustering easily. for eg if you have a multiple server web cluster giving out these nonce’s you will need to have a central store for the nonce incase the subsequent auth request goes to another server in the cluster (which btw is also the reason why memcached is the perfect store for nonce’s incase you do choose to go with the server store method as opposed to the timestamp method)

additionally, there are more reasons for maintaining expiry time – which is preventing replay calls if the client call is lost. for eg, lets say a client sends a nonce request. the client’s subsequent request is logged by a middle-man. for some reason the client call never reaches the server. now the server continues to store the nonce. subsequently the man-in-the-middle can send in this call a few minutes later with modified params. to avoid this – the server maintains an expiry – which means that the nonce can only be used within a time window. this once again makes memcached an excellent choice for the nonce store since memcached has a content-expiry field that can be set on any content and it will itself take care of the expiry

lastly offcourse even if there is no man-in-the-middle, we do not want the server caching thousands of nonce’s forever if any rogue or broken clients request nonce’s but never make the subsequent auth call

]]> By: cbas http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-198 cbas Sun, 31 Aug 2008 19:36:52 +0000 http://bhavin.directi.com/?p=49#comment-198 More information on this topic: http://www.faqs.org/rfcs/rfc2831.html http://technet.microsoft.com/en-us/library/cc780170.aspx More information on this topic:
http://www.faqs.org/rfcs/rfc2831.html
http://technet.microsoft.com/en-us/library/cc780170.aspx

]]> By: cbas http://bhavin.directi.com/a-modified-nonce-implementation/comment-page-1/#comment-197 cbas Sun, 31 Aug 2008 19:06:28 +0000 http://bhavin.directi.com/?p=49#comment-197 Why the 10 second expiry? This creates a vulnerable window for replay attacks. I think you're mixing up some concepts. The reason some implementations put a timestamp in the nonce is to minimise collisions of its randomness. The server's challenge (nonce) should be single use, thereby eliminating replay attacks, or at least preventing them to the extent that the challenge is truly random and won't be repeated. When the client requests a challenge, a copy of the challenge is kept in a store on the server. When the client responds the challenge is cleared from the server, preventing any replay attack since consecutive responses would not match any stored challenge. Memcache is not a good idea for storing the nonce since it would create a race condition. Why the 10 second expiry? This creates a vulnerable window for replay attacks.

I think you’re mixing up some concepts. The reason some implementations put a timestamp in the nonce is to minimise collisions of its randomness.

The server’s challenge (nonce) should be single use, thereby eliminating replay attacks, or at least preventing them to the extent that the challenge is truly random and won’t be repeated.

When the client requests a challenge, a copy of the challenge is kept in a store on the server. When the client responds the challenge is cleared from the server, preventing any replay attack since consecutive responses would not match any stored challenge.

Memcache is not a good idea for storing the nonce since it would create a race condition.

]]>