Possible secuirty flaw in symmetric authentication

49 views Asked by At

Alice wants to talk to Bob.

Bob validates Alice is Alice by sending Alice a nonce.

Alice encrypts the nonce with a key.

Ben also knows what this key is.

Ben cannot remember asking Alice for communication due to the fact that he is operating on a stateless server. To get around this Alice send Ben his first communication request by sending the original nonce along with the encrypted nonce.

Would I be right in saying this is insecure because if this message containing the original nonce and the encrypted nonce were to be intercepted by a hacker - the two could be reverse engineering and the key 'K' could be obtained?

thanks

1

There are 1 answers

0
jraede On

I initially wanted to say "don't give the raw string and the encrypted string", but that's pretty much the same as posting the raw data along with the HMAC-hash of the data + secret key at the end. If you're confident that your encryption algorithm is good and you are using a secret key then I don't see how this could be an issue.

However, the entire point of a nonce is to be used ONCE. Alice sends Bob a request with a nonce, and Bob knows that if he gets a request from Alice with that same nonce, ignore it, because it likely came from an attacker and not Alice herself. So you shouldn't be doing this in the first place.