Alice wants to talk to Bob.
Bob validates Alice is Alice by sending Alice a nonce.
Alice encrypts the nonce with a key.
Ben also knows what this key is.
Ben cannot remember asking Alice for communication due to the fact that he is operating on a stateless server. To get around this Alice send Ben his first communication request by sending the original nonce along with the encrypted nonce.
Would I be right in saying this is insecure because if this message containing the original nonce and the encrypted nonce were to be intercepted by a hacker - the two could be reverse engineering and the key 'K' could be obtained?
thanks
I initially wanted to say "don't give the raw string and the encrypted string", but that's pretty much the same as posting the raw data along with the HMAC-hash of the data + secret key at the end. If you're confident that your encryption algorithm is good and you are using a secret key then I don't see how this could be an issue.
However, the entire point of a nonce is to be used ONCE. Alice sends Bob a request with a nonce, and Bob knows that if he gets a request from Alice with that same nonce, ignore it, because it likely came from an attacker and not Alice herself. So you shouldn't be doing this in the first place.