- From: Ross Patterson <Ross_Patterson@ns.reston.vmd.sterling.com>
- Date: Wed, 21 Jan 98 18:05:14 EST
- To: http-wg@cuckoo.hpl.hp.com
Paul Leach <paulle@microsoft.com> writes:

>> More important for the current discussion... the standard should not
>> specify how nonces are constructed. There are very good reasons for
>> this:
>>
>> - Any specified algorithm (no matter how clever) tells an attacker
>> how the nonce space is limited, thereby weakening the security.
>>
>If it's "limited" to a space of, say, 128 bits, that's adequate to cause
>brute force attacks to take millions of years. Not a problem. Besides
>which, I carefully said that the nonce _contains_ a time stamp, not that it
>_is_ a timestamp; any server can always include any additional random bits
>that it wants to make the space as big as it would like.

RFC 2069, while suggesting that a good nonce value might involve a
timestamp, does not specify what form a timestamp should take. I dare
say that some of us will use the System/370 64-bit clock, while others
of you will use an <asctime-date> or even a Triple-DES-encrypted
<rfc850-date> with a reading from the Gita as the key. All are
perfectly valid, and unpredictable from the spec. While a particular
variety of server may have a limited set of nonces, the HTTP world will
not. At least, not unless you count Apache's market share ;-)

Ross Patterson
Sterling Software, Inc.
VM Software Division
Received on Wednesday, 21 January 1998 15:33:17 UTC