On Mon March 30 2009, Victor Duchovni wrote: > - - - snip - - - > > Of course to prevent HMAC replay attacks, messages should contain nonces, > but with protocols using shared secret HMAC signatures, the nonce is > considered to be part of the message rather than the signature algorithm. >
That usage dates back to pre-computer days. Morse code and Teletype days. And yes, it was part of the message - the operator had to type it in theirself before entering the message (according to some simple rules). There have been world history changing events when some yahoo of a communications clerk failed to remove the added nonce from the message. But that is just the point - don't try to make up your own usages. Mike ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
