Why is it important never to reuse a nonce?

I started my career in coding working with WordPress and learned the word “nonce” from that community. Unfortunately for me, the nonce used by WordPress isn’t a nonce at all.

A nonce is a “number used once.” It’s a random (or pseudo-random) number used in various cryptographic operations. In authentication schemes, a nonce protects from old communications being replayed against a server. In encryption schemes, a nonce ensures a certain amount of unpredictability.

When a nonce is reused, though, the entirety of the cryptographic operation it aimed to protect breaks down.

Replay attacks

In a simple case, imagine a client attempting to invoke functions against a server.

The client/server authentication scheme isn’t what we want to look at here. Instead, assume the client invokes functionality by sending an authentication header, a function name, and its parameters to the server.

The server validates the client’s authentication, executes the declared function, and returns its results.

Assume now that a third party has captured the request and sends it again to the server. The server has no way to distinguish between a legitimate double request and a replay attack, so it executes the function again!

If we change things to introduce a nonce, this attack is stopped cold.

The client sends a random nonce along with the request, and the server keeps track of the nonce when it executes the function. If anyone (the client or an attacker) resubmits an identical request, the server returns an error because of the reused nonce.

Protect your APIs by requiring a nonce, and ensure your server both keeps track of and checks for nonce reuse.

Broken encryption

The advanced encryption standard (AES) uses a nonce as an initialization vector to set up the random state of the algorithm. In this way, you can encrypt the same data with the same key twice, but get different outputs if you use different nonces.

If, instead, you reuse a nonce you break the secrecy of the algorithm.

If two messages are encrypted using the same key and the same nonce, you’ve leaked the XOR of the bytes in the two messages. In short, this means that if one message is known, the other can be extracted trivially. Nonce reuse in AES makes it completely useless to protect data.

Generating truly random data is safe, secure, and fast with modern computers. If you have a need for random number than you’ll only use once, we have the tools available for you to create one. There is no excuse – ever – to reuse a number intended for only a single use.