"Alexander Schrab" <Alexander.Schrab@axis.com> wrote:
Well, not really. That is the most simple way of doing it. But there are several other ways that are better. One possible idea is to use part of the nonce as a signature of the rest of the nonce. And part of the nonce can be a time stamp. This way the impact of replay attacks and DoS attacks can be minimized. Anyhow, you can do it a lot more complicated than random :)
If you do send random nonces, you have to protect against replay attacks. Putting a timestamp in the nonce means that it's easier to protect against replays. The issue is somewhat similar in the use of the State attribute. I think it's easiest to put common code in the server core to do this. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog