Closed xelaris closed 11 years ago
Hi @xelaris,
great, thanks for your important contribution!
Kind regards, David
a nonce could be used multiple times within specified lifetime
What's the purpose of lifetime if not that?
@nuqqsa as mentioned in #26, the changes above were to prevent a nonce from being reused within a specified lifetime (replay attacks) and I don't see any issues with the PR that got merged here.
Kind regards, David
The lifetime determines the time from the creation of the nonce until it's used. A nonce should be valid for one request only. Otherwise an attacker could be send the same request, without knowing the credentials (replay attack). Take a look at http://en.wikipedia.org/wiki/Cryptographic_nonce .
Oh, I see. It makes sense, thank you for the clarification @xelaris.
Thanks @xelaris, have a great weekend!
Due to an incorrect comparison of the nonce time with the current time, a nonce could be used multiple times within specified lifetime. Thus the implementation was vulnerable to replay attacks.