
Since a nonce must be unique and time only goes forward, is it safe to use the Unix epoch as a nonce?

My use case is AES with GCM, which recommends a nonce length of 12 bytes. The current Unix time can be represented in 4 bytes, so that leaves the upper 8 bytes free for future timestamps (plenty of space).

One possible security implication is the forgery of NTP replies, which would cause the client to use a Unix timestamp in the past (i.e. breaking the stream cipher). Secure channels should prevent this from happening, but a bad operator could always force bad NTP replies.

Dreadlockyx

1 Answer


Using a Unix Timestamp as the sole source for the nonce would make me nervous.

In addition to forged NTP replies (and legitimate operators deliberately resetting the clock for some reason, and I'm not sure whether leap seconds would pose a risk), you also would need to worry about "what if I send two messages within the same second?"

On the other hand, you have 12 bytes to play with; if you use four of the bytes to hold the Unix timestamp, and use another four as a counter (which you increment every time you send a message), and the other four as something else, that'd be a system which would be more resilient against nonce repeats.

poncho
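The following Go program is an added example, not code from either the question or the answer. It puts both nonce layouts side by side: the question's timestamp-only 96-bit nonce, and the answer's 4-byte timestamp || 4-byte counter || 4-byte "something else". For the third field it uses a per-instance random value drawn at start-up; that is my choice, the answer does not specify it. It then shows concretely what goes wrong when the timestamp-only nonce repeats within one second: AES-GCM encrypts with CTR mode, so two ciphertexts under the same key and nonce XOR to the XOR of their plaintexts (and, not shown here, a repeated GCM nonce also exposes the GHASH authentication key, so forgeries become possible as well). The key and plaintexts are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"time"
)

// TimestampOnlyNonce is the layout proposed in the question: the 32-bit Unix
// time in the last four bytes of a 96-bit nonce, the other eight bytes zero.
// Two messages sent within the same second get the same nonce.
func TimestampOnlyNonce(unixSecs uint32) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[8:], unixSecs)
	return n
}

// NonceSource follows the answer's layout:
// 4 bytes Unix time || 4 bytes message counter || 4 bytes "something else".
// The last field here is a per-instance random value (my choice, not part of
// the answer), so that a restart that resets the counter, or a clock stepped
// backwards, does not reproduce an earlier nonce.
type NonceSource struct {
	instance [4]byte
	counter  uint32
}

func NewNonceSource() (*NonceSource, error) {
	s := &NonceSource{}
	if _, err := rand.Read(s.instance[:]); err != nil {
		return nil, err
	}
	return s, nil
}

// Next returns a fresh nonce. The counter is the only field guaranteed to
// change between calls, so it must never wrap under the same key.
func (s *NonceSource) Next(unixSecs uint32) ([]byte, error) {
	if s.counter == math.MaxUint32 {
		return nil, errors.New("nonce counter exhausted: rotate the key")
	}
	s.counter++
	n := make([]byte, 12)
	binary.BigEndian.PutUint32(n[0:4], unixSecs)
	binary.BigEndian.PutUint32(n[4:8], s.counter)
	copy(n[8:12], s.instance[:])
	return n, nil
}

// Seal encrypts with AES-GCM; Go appends the 16-byte tag to the ciphertext.
func Seal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// XORBytes returns a XOR b over their common length.
func XORBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamLeaked reports whether two ciphertexts share a keystream: under a
// repeated (key, nonce) pair, GCM's CTR encryption gives c1 XOR c2 == p1 XOR p2,
// so an eavesdropper learns the XOR of the two plaintexts. Tags are skipped.
func KeystreamLeaked(c1, c2, p1, p2 []byte) bool {
	return bytes.Equal(XORBytes(c1[:len(p1)], c2[:len(p2)]), XORBytes(p1, p2))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key
	p1 := []byte("pay 100 EUR to alice")
	p2 := []byte("pay 999 EUR to bobby")
	now := uint32(time.Now().Unix())

	c1, _ := Seal(key, TimestampOnlyNonce(now), p1)
	c2, _ := Seal(key, TimestampOnlyNonce(now), p2)
	fmt.Println("timestamp-only nonce, same second, p1^p2 leaked:", KeystreamLeaked(c1, c2, p1, p2))

	src, err := NewNonceSource()
	if err != nil {
		panic(err)
	}
	n1, _ := src.Next(now)
	n2, _ := src.Next(now - 3600) // clock stepped back an hour by a bad NTP reply
	d1, _ := Seal(key, n1, p1)
	d2, _ := Seal(key, n2, p2)
	fmt.Printf("composite nonces %x / %x, p1^p2 leaked: %v\n", n1, n2, KeystreamLeaked(d1, d2, p1, p2))
}
```

Two practical caveats on the composite layout. The random instance field is only 32 bits, so if many processes share one key, two of them will pick the same value after roughly 2^16 instances; assign fixed instance IDs or use one key per instance if that is your deployment. And the counter must either be persisted across restarts or, as here, be paired with a field that is refreshed on every restart, otherwise the first messages after a reboot reuse nonces from the previous run whenever the clock reads the same second.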