5 Replies Latest reply: Feb 20, 2013 3:49 AM by BillyVerreynne

Generating nonces

BillyVerreynne Oracle ACE
Any suggestions for an elegant way of generating nonces in PL/SQL code? It needs to be pseudo random and unique (over a 5 minute period, for example).

E.g. timestamp plus random number as a base64 string. Or GUID (which is also time based).
  • 1. Re: Generating nonces
    BluShadow Guru Moderator
    I assume you mean:

    http://en.wikipedia.org/wiki/Cryptographic_nonce

    and not:

    http://en.wikipedia.org/wiki/Nonce_(slang)
  • 2. Re: Generating nonces
    BluShadow Guru Moderator
    Billy Verreynne wrote:
    Any suggestions for an elegant way of generating nonces in PL/SQL code? It needs to be pseudo random and unique (over a 5 minute period, for example).

    E.g. timestamp plus random number as a base64 string. Or GUID (which is also time based).
    Well, not done it myself before, but I would say that the moment you say "unique" you're talking of including some sort of sequence number, and then to make it pseudo-random, perhaps use some sort of hash or encryption with a little salt.
  • 3. Re: Generating nonces
    padders Pro
    Would it be overly simplistic to suggest something like...
    sys_guid () || dbms_crypto.randombytes (n)
  • 4. Re: Generating nonces
    BluShadow Guru Moderator
    padders wrote:
    Would it be overly simplistic to suggest something like...
    sys_guid () || dbms_crypto.randombytes (n)
    Looks good to me.... sys_guid() providing the uniqueness and random tagged onto the end for randomness. That would pretty much ensure that no two values are the same.
  • 5. Re: Generating nonces
    BillyVerreynne Oracle ACE
    Yes, looks good. Was thinking of using sys_guid. However, not sure whether there is a potential size limitation issue. The nonce, and time string, are concatenated with a secret and then hashed using SHA-1.

    Have this problem with a well-known company's s/w where it chokes on auth tokens bigger than 16 or so characters. It hooks into the company's LDAP servers. My LDAP password is at times album titles in my version of 133t speak (have a wide taste in music) - and most of these passwords are more than 16 characters.*

    LDAP is fine with that. But each time it happens that my password exceeds a certain size, I lose access to this company's s/w as their auth refuses to accept the valid, and long, password.

    Learned the lesson that many hardcode string sizes to just a few characters unnecessarily... so now I'm waiting for confirmation as to what sizes the nonce can be...


    * reserving "The Rise and Fall of Ziggy Stardust and The Spiders of Mars" for a special occasion ;-)
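    Added example, not code from anyone in the thread: a nonce built the way padders suggested (SYS_GUID plus DBMS_CRYPTO.RANDOMBYTES, base64-encoded) and the SHA-1 token Billy describes, with the resulting sizes made explicit. Function names and parameters are hypothetical; it assumes EXECUTE on DBMS_CRYPTO has been granted.

```sql
-- Nonce: 16 unique bytes from SYS_GUID plus p_random_bytes of CSPRNG output.
-- DBMS_CRYPTO.RANDOMBYTES is a cryptographic generator; DBMS_RANDOM is not.
CREATE OR REPLACE FUNCTION make_nonce (p_random_bytes IN PLS_INTEGER DEFAULT 16)
  RETURN VARCHAR2
IS
  l_raw RAW(64);
BEGIN
  l_raw := UTL_RAW.CONCAT(SYS_GUID(), DBMS_CRYPTO.RANDOMBYTES(p_random_bytes));
  -- Base64 keeps the nonce printable; 32 raw bytes become 44 characters.
  -- (UTL_ENCODE inserts a line break only after 64 encoded characters,
  -- i.e. for more than 48 raw bytes, so keep the byte count below that.)
  RETURN UTL_RAW.CAST_TO_VARCHAR2(UTL_ENCODE.BASE64_ENCODE(l_raw));
END make_nonce;
/

-- Token as described in the thread: SHA-1 over nonce || time || secret.
-- The digest is always 20 bytes (40 hex characters), whatever the nonce size,
-- so a downstream field limit bites on the token, not on the nonce length.
-- Hypothetical signature; the secret would come from a protected store.
CREATE OR REPLACE FUNCTION make_auth_token (
  p_nonce  IN VARCHAR2,
  p_time   IN VARCHAR2,
  p_secret IN VARCHAR2)
  RETURN VARCHAR2
IS
  l_digest RAW(20);
BEGIN
  -- DBMS_CRYPTO.MAC with HMAC_SH1 is the standard keyed construction; the
  -- plain hash below mirrors the scheme under discussion in the thread.
  l_digest := DBMS_CRYPTO.HASH(
                src => UTL_RAW.CAST_TO_RAW(p_nonce || p_time || p_secret),
                typ => DBMS_CRYPTO.HASH_SH1);
  RETURN RAWTOHEX(l_digest);
END make_auth_token;
/

-- Demonstration: show the sizes a receiving system must accommodate.
DECLARE
  l_nonce VARCHAR2(100) := make_nonce(16);
  l_time  VARCHAR2(30)  := TO_CHAR(SYSTIMESTAMP, 'YYYYMMDDHH24MISSFF3');
  l_token VARCHAR2(40);
BEGIN
  l_token := make_auth_token(l_nonce, l_time, 'constructed-demo-secret');
  DBMS_OUTPUT.PUT_LINE('nonce  (' || LENGTH(l_nonce) || ' chars): ' || l_nonce);
  DBMS_OUTPUT.PUT_LINE('token  (' || LENGTH(l_token) || ' chars): ' || l_token);
END;
/
```

    Trimming either value to fit a 16-character field would discard most of the randomness, so the field width of the consuming system has to be settled before the nonce format is.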
