Here’s the scenario:
I have a client-server application where the client sends encrypted data to a server and the server performs a routine based on the client data.
How can I prevent someone from sniffing the sent data and resending it to the server, so that the server performs the command and maybe gives a non-authorized person access to sensitive data or even grants a login?
Require clients to obtain a nonce – a number only used once – from the server before sending any commands. After a nonce has been sent to the client, any command from that client which doesn’t include the nonce you last gave it is obviously a forgery. Even if someone sniffs the nonce, they won’t be able to use it as they don’t know the encryption key required to create their own message, and the same someone will be unable to reuse older requests as they won’t match any currently active nonce.
EDIT: obviously, you could use various smart ways to generate a nonce on the client to avoid the extra roundtrip, but that’s going to be trickier.
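The server-issued nonce scheme from the answer above, as an added illustration (not code from the question or the answer). It uses an HMAC over the client id, the nonce and the command in place of the answer's encryption, so the same point is shown: a sniffed message replayed after the nonce has been consumed is rejected, a message built without the key is rejected, and splicing a fresh nonce into an old captured message is rejected because the MAC covers the nonce. The shared key, client id, commands and the 30-second nonce lifetime are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed shared secret for the example; in practice each client has its
# own key provisioned out of band.
SHARED_KEY = b"example-shared-key-not-for-production"


def mac(key: bytes, client_id: str, nonce: str, command: str) -> str:
    """HMAC over client id, nonce and command, so none of the three can be swapped."""
    msg = b"\x00".join(part.encode() for part in (client_id, nonce, command))
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    """Hands out one live nonce per client and accepts one command per nonce."""

    def __init__(self, key: bytes, nonce_ttl: float = 30.0):
        self.key = key
        self.nonce_ttl = nonce_ttl
        self.active = {}  # client_id -> (nonce, issued_at); the current nonce only

    def issue_nonce(self, client_id: str) -> str:
        nonce = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.active[client_id] = (nonce, time.monotonic())
        return nonce

    def handle(self, envelope: dict) -> tuple:
        client_id = envelope["client_id"]
        entry = self.active.get(client_id)
        if entry is None:
            return (False, "no active nonce")  # replay of a consumed nonce lands here
        nonce, issued_at = entry
        if time.monotonic() - issued_at > self.nonce_ttl:
            del self.active[client_id]
            return (False, "nonce expired")
        if not hmac.compare_digest(envelope["nonce"], nonce):
            return (False, "nonce mismatch")  # an older, superseded nonce
        expected = mac(self.key, client_id, nonce, envelope["command"])
        if not hmac.compare_digest(envelope["mac"], expected):
            return (False, "bad mac")  # forged, or nonce spliced into an old message
        del self.active[client_id]  # consume it: a second copy can never match again
        return (True, "executed " + envelope["command"])


def client_request(key: bytes, client_id: str, nonce: str, command: str) -> dict:
    """What the client sends after fetching a nonce from the server."""
    return {
        "client_id": client_id,
        "nonce": nonce,
        "command": command,
        "mac": mac(key, client_id, nonce, command),
    }


def demo() -> list:
    """Genuine request, replay, forgery without the key, nonce splice, fresh request."""
    server = Server(SHARED_KEY)
    results = []
    nonce = server.issue_nonce("alice")
    genuine = client_request(SHARED_KEY, "alice", nonce, "read_balance")
    results.append(server.handle(genuine))          # accepted
    results.append(server.handle(genuine))          # sniffed copy replayed: rejected
    nonce2 = server.issue_nonce("alice")
    forged = client_request(b"wrong-key", "alice", nonce2, "transfer")
    results.append(server.handle(forged))           # no key: bad mac
    spliced = dict(genuine, nonce=nonce2)           # old message, new nonce pasted in
    results.append(server.handle(spliced))          # mac covers the nonce: bad mac
    fresh = client_request(SHARED_KEY, "alice", nonce2, "read_balance")
    results.append(server.handle(fresh))            # accepted
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("accepted" if ok else "rejected", "-", reason)
```

Two design points worth keeping when adapting this: the MAC is verified before the nonce is consumed, so a bad message does not burn the client's current nonce, and the nonce is deleted the moment a valid command is executed, which is what makes the replay fail even inside the nonce's lifetime.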