5

I'm planning to use the crypto_box() functions of NaCl (or, alternatively, the crypto_box_easy() functions of libsodium) to encrypt messages as part of a client/server protocol. The server has to deal with multiple clients, and each message from a client to the server is encrypted using the public key of the server and signed with the private key of the client.

The crypto_box() functions also require me to provide a nonce. The current message number could be used as a nonce; to my understanding, the nonce is necessarily known to an attacker who is capable of keeping track of how many messages were exchanged. Both the client and the server would then maintain a message counter and simply use the newest counter value as a nonce.

However, I must deal with the case where messages are reordered or lost. Therefore I'd send the nonce in plaintext alongside the encrypted message. As long as the same nonce is not used twice, I don't see any problems with this approach. Did I miss something?

Mike Edward Moras (18,161 · 12 · 87 · 240)
dsd (151 · 2)

1 Answer

3

The only requirement posed on the nonce in the "Security Model" paragraph of the crypto_box documentation is uniqueness for each pair of communicating parties. In fact, the documentation explicitly recommends incrementing nonces starting from zero (which an attacker could easily brute-force) or random nonces (which need to be transmitted together with the ciphertext anyway).

Therefore, sending the nonce publicly should be secure (unless some underlying primitive is broken, of course).

yyyyyyy (12,261 · 4 · 48 · 68)