How long do you have to remember a nonce?


Alan Karp

Jun 15, 2026, 6:39:35 PM
to <friam@googlegroups.com>
I've been reading a bunch of specs as part of my homework for the Trusted AI Agent Working Group.  These specs frequently use nonces to protect against replay attacks.  The question is, how long do you have to remember the nonce?  I think forever unless you attach an expiration date to it, which I've never seen done.

What am I missing?

It's not an issue for the systems I'm looking at because the thing the nonce is protecting has an expiration date, but aren't nonces used for things that don't expire?

--------------
Alan Karp

Mark S. Miller

Jun 15, 2026, 7:57:19 PM
to fr...@googlegroups.com
A nonce used for what purpose?




--
  Cheers,
  --MarkM

Mark S. Miller

Jun 15, 2026, 7:57:53 PM
to fr...@googlegroups.com
For replay attacks, an incrementing number is fine.

--
  Cheers,
  --MarkM

Alan Karp

Jun 15, 2026, 8:22:00 PM
to fr...@googlegroups.com
On Mon, Jun 15, 2026 at 4:57 PM Mark S. Miller <eri...@gmail.com> wrote:
For replay attacks, an incrementing number is fine.


That's what I thought, but at least one system uses a base-64 unpredictable string to prevent replay.

--------------
Alan Karp


Mark S. Miller

Jun 15, 2026, 8:34:43 PM
to fr...@googlegroups.com
Why? Speaking to your original question, *that* creates an unnecessary memory obligation.


  Cheers,
  --MarkM

Alan Karp

Jun 15, 2026, 8:50:37 PM
to fr...@googlegroups.com
We're equally puzzled.  I pointed out the problem when reviewing another spec, and it got changed.

--------------
Alan Karp


Raoul Duke

Jun 15, 2026, 9:06:11 PM
to fr...@googlegroups.com
(also, can it "just" be a digital signature so you don't actually have to remember anything long term in the server side user/request database other than the pki info?)

Alan Karp

Jun 15, 2026, 10:17:15 PM
to fr...@googlegroups.com
On Mon, Jun 15, 2026 at 6:06 PM Raoul Duke <rao...@gmail.com> wrote:
(also, can it "just" be a digital signature so you don't actually have to remember anything long term in the server side user/request database other than the pki info?)


It depends.  If the certificate grants you some permission, its use is idempotent.  If, on the other hand, the certificate transfers $5 from you to me, then I can present it many times if there's no replay defense.

--------------
Alan Karp



Raoul Duke

Jun 16, 2026, 12:10:42 AM
to fr...@googlegroups.com
so it needs an expiry in the nonce payload & you retain the "used" flag in the db up until that expiry date, then forget everything because the nonce cannot be used thereafter?

i mean banks must have a way to handle depositing checks at most once (but they have more ways to claw back if it goes wrong, of course!)

Alan Karp

Jun 16, 2026, 1:31:58 AM
to fr...@googlegroups.com
On Mon, Jun 15, 2026 at 9:10 PM Raoul Duke <rao...@gmail.com> wrote:
so it needs an expiry in the nonce payload & you retain the "used" flag in the db up until that expiry date, then forget everything because the nonce cannot be used thereafter?


Exactly, but I've never heard of that being done with a nonce.  Of course, the other answer is to have an expiration date on the thing the nonce is protecting.  Maybe that's done, but it's not always specified.

--------------
Alan Karp
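The two replay defenses discussed above, Mark's incrementing number and Raoul's expiry-in-the-payload with a "used" flag kept only until that expiry, side by side as an added example. This is not code from the thread or from any of the specs under review; it assumes a shared HMAC key between presenter and verifier (a constructed demo key here), a verifier-supplied clock, and a message layout where the nonce and expiry are covered by the MAC so the presenter cannot extend the expiry to keep a nonce alive.

```python
"""Replay defenses: per-sender counter versus nonce cache bounded by expiry."""
import hmac
import hashlib
import json

# Constructed demo key; a real deployment uses a managed secret.
DEMO_KEY = b"demo-shared-secret-not-for-production"


def sign(key: bytes, body: dict) -> str:
    """HMAC over a canonical encoding so the nonce and expiry are authenticated."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def make_message(key: bytes, payload: str, nonce: str, expires_at: float) -> dict:
    """Hypothetical message format: body plus MAC; constructed for this example."""
    body = {"payload": payload, "nonce": nonce, "expires_at": expires_at}
    return {"body": body, "mac": sign(key, body)}


class CounterReplayGuard:
    """Incrementing number per sender: the verifier remembers only the highest seen."""

    def __init__(self):
        self.last_seen = {}

    def accept(self, sender: str, counter: int) -> bool:
        if counter <= self.last_seen.get(sender, -1):
            return False  # replay or out-of-order reuse
        self.last_seen[sender] = counter
        return True


class ExpiringNonceCache:
    """'Used' flags are retained only until the message's own expiry, then forgotten."""

    def __init__(self, key: bytes):
        self.key = key
        self.used = {}  # nonce -> expires_at

    def evict_expired(self, now: float) -> None:
        for nonce in [n for n, exp in self.used.items() if exp <= now]:
            del self.used[nonce]

    def accept(self, msg: dict, now: float) -> str:
        body = msg["body"]
        # Check the MAC first so a tampered expiry never reaches the cache logic.
        if not hmac.compare_digest(sign(self.key, body), msg["mac"]):
            return "bad-mac"
        self.evict_expired(now)
        if body["expires_at"] <= now:
            return "expired"  # nothing to remember: it can never be valid again
        if body["nonce"] in self.used:
            return "replay"
        self.used[body["nonce"]] = body["expires_at"]
        return "accepted"

    def remembered(self) -> int:
        return len(self.used)


def demo():
    """Present a non-idempotent message twice, forge its expiry, then replay after expiry."""
    cache = ExpiringNonceCache(DEMO_KEY)
    msg = make_message(DEMO_KEY, "transfer $5 from Alan to Mark", "n-8f3a", 1000.0)
    results = [cache.accept(msg, now=900.0), cache.accept(msg, now=901.0)]
    # Extending the expiry without re-signing fails the MAC check.
    forged = {"body": dict(msg["body"], expires_at=5000.0), "mac": msg["mac"]}
    results.append(cache.accept(forged, now=902.0))
    # At expiry the entry is dropped; a late replay is rejected as expired, not remembered.
    results.append(cache.accept(msg, now=1000.0))
    return results, cache.remembered()


if __name__ == "__main__":
    print(demo())
```

The memory obligation is what differs: the counter guard holds one integer per sender indefinitely, while the nonce cache holds one entry per outstanding message and nothing once the message's expiry has passed, which is only sound because the expiry is inside the signed body.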

Rob Meijer

Jun 16, 2026, 2:14:52 AM
to fr...@googlegroups.com
Not necessarily. You can sometimes have the best of both worlds by using a KDF. 

https://libsodium.gitbook.io/doc/key_derivation

This is particularly convenient when using hash-based signatures because you basically need to treat entropy as a resource anyway for OTS keys, so why not use it for the nonces also?

Alan Karp

Jun 16, 2026, 10:56:14 AM
to fr...@googlegroups.com
On Mon, Jun 15, 2026 at 11:14 PM Rob Meijer <pib...@gmail.com> wrote:
Not necessarily. You can sometimes have the best of both worlds by using a KDF. 

https://libsodium.gitbook.io/doc/key_derivation

This is particularly convenient when using hash-based signatures because you basically need to treat entropy as a resource anyway for OTS keys, so why not use it for the nonces also?

That's a way to generate a nonce, but I don't see how it's related to the nonce storage problem.

--------------
Alan Karp