Nonces should be used for the present occasion and only once.
View on MITREPotentially a replay attack, in which an attacker could send the same data twice, could be crafted if nonces are allowed to be reused. This could allow a user to send a message which masquerades as a valid message from a valid user.
Refuse to reuse nonce values.
Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.
No detection method information available for this CWE.
This code takes a password, concatenates it with a nonce, then encrypts it before sending over a network:
Because the nonce used is always the same, an attacker can impersonate a trusted party by intercepting and resending the encrypted password. This attack avoids the need to learn the unencrypted password.
This code sends a command to a remote server, using an encrypted password and nonce to prove the command is from a trusted party:
Once again the nonce used is always the same. An attacker may be able to replay previous legitimate commands or execute new arbitrary commands.
No relationship information available for this CWE.
CWE-323: Reusing a Nonce, Key Pair in Encryption is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Nonces should be used for the present occasion and only once.
If exploited, CWE-323 (Reusing a Nonce, Key Pair in Encryption) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism and Gain Privileges or Assume Identity.
Recommended mitigations for CWE-323 include: Refuse to reuse nonce values. Use techniques such as requiring incrementing, time based and/or challenge response to assure uniqueness of nonces.
CWE-323 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
A CWE (Common Weakness Enumeration) like CWE-323 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.