cryptographic nonce

A nonce is a random or semi-random number that is generated for a specific use, typically related to cryptographic communication or information technology. The term stands for “number used once” or “number once,” and in this context it is most commonly called a cryptographic nonce.

Typically, a nonce is some value that varies with time, in order to verify that specific values are not reused. A nonce can be a timestamp, a visit counter on a Web page or a special marker intended to limit or prevent the unauthorized replay or reproduction of a file.

Types of nonce values

A nonce can be categorized based on how it is generated, either randomly or sequentially. A random nonce is produced by stringing arbitrary numbers together while a sequential nonce is produced incrementally. Using the sequential nonce method guarantees that values are not repeated, cannot be replayed and do not take up unnecessary space. However, using the random nonce method safeguards against attackers that collect multiple keys within the system. Ideally, a nonce will have a random and a sequential portion.

Use cases for a nonce

Nonce values can be used for a variety of IT applications, including:

  • Authentication - Authentication protocols can use a nonce to ensure that old communications cannot be reprocessed. For example, ordering a product using an e-commerce site typically uses a nonce to assign originality to a purchase. Without this, an attacker could potentially replay the encrypted information as many times as desired to continue placing orders under the same name and purchase information.
  • Hashing - Proof of work systems use nonce values to vary input to a cryptographic hash function. This helps fulfill arbitrary conditions and obtain a desired difficulty.
  • Initialization - An initialization vector (IV) is a nonce used for data encryption. The IV, used only once in any session, prevents a repetition of sequences in encrypted text. Identifying such repetitions can help an attacker break a cipher.
  • Identity management - Account recovery, two-factor authentication (2FA) or single sign-on (SSO) features can use nonce values.
  • Electronic signatures - Secret nonce values are sometimes used by e-signature tools to create, compare and verify signatures.
  • Cryptocurrency - In certain cryptocurrencies, a nonce is used to create a cryptographic hash that connects to a blockchain. In Bitcoin mining, a golden nonce refers to a hash value that is lower than the target difficulty.
  • Asymmetric cryptography - In specific instances of public key cryptography, like in the SSL/TLS handshake, two unique nonce values are exchanged. One value is provided by the client while the other is provided by the server, protecting each connection from attacks or interventions.
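
The replay protection described in the Authentication item above, as an added example that is not part of the original article. It assumes the client and server share an HMAC key and that requests older than five minutes are refused; sign_order, OrderVerifier, MAX_AGE and the sample order bytes are hypothetical names and values.

```python
import hashlib
import hmac
import secrets
import time

MAX_AGE = 300    # seconds a request stays acceptable (assumed policy)
NONCE_LEN = 16   # 128-bit random nonce


def _mac(key, nonce, ts, order):
    # Fixed-width nonce and timestamp keep the MAC input unambiguous.
    msg = nonce + ts.to_bytes(8, "big") + order
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_order(key, order, now=None):
    """Client: attach a fresh nonce and a timestamp, then MAC all three."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ts = int(time.time() if now is None else now)
    return {"order": order, "nonce": nonce, "ts": ts,
            "tag": _mac(key, nonce, ts, order)}


class OrderVerifier:
    """Server: accept each authenticated nonce at most once."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp (in-memory store for the demo)

    def accept(self, req, now=None):
        now = time.time() if now is None else now
        nonce, ts, order = req["nonce"], req["ts"], req["order"]
        if len(nonce) != NONCE_LEN or not 0 <= ts < 2**63:
            return "rejected: malformed"
        if not hmac.compare_digest(_mac(self.key, nonce, ts, order), req["tag"]):
            return "rejected: bad MAC"
        if abs(now - ts) > MAX_AGE:
            return "rejected: stale"
        # Nonces older than the window can be dropped: a request that old
        # is already refused by the timestamp check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if nonce in self.seen:
            return "rejected: replay"
        self.seen[nonce] = ts
        return "accepted"
```

The timestamp bounds how long the server must remember nonces; without it the seen-nonce store would have to grow indefinitely to keep rejecting old captures.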

History of the term

In general usage, nonce means "for the immediate occasion" or "for now." A nonce word is a neologism (newly coined word) that is created for a single use, such as inclusion in a work of fiction. However, once created, nonce words often make their way into common language. For example, Lewis Carroll coined the word "chortle" for the poem "Jabberwocky" and James Joyce created the word "quark" for his novel "Finnegans Wake."

This was last updated in May 2019
