View Issue Details

ID: 0002388
Project / Category: 10000-004: Services
View Status: public
Last Update: 2013-10-10 23:07
Reporter: Matthias Damm
Assigned To: Matthias Damm
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.03
Summary: 0002388: Check of nonces for duplicates
Description

For ClientNonces used in OpenSecureChannel and CreateSession there is a status code Bad_NonceInvalid. The description of the status implies that the server checks for duplicates:
"The nonce does appear to be not a random value or it is not the correct length"

The stack handles the ClientNonce exchanged for the SecureChannel Services. The application layer has no access to this ClientNonce. Therefore the ClientNonce passed in to CreateSession can not be compared with the one used in OpenSecureChannel. Only the stack would be able to check for duplicates during renew of the channel.

What is the expected behaviour?

Additional Information

A client would be able to check duplicates for ServerNonces. What should a client do if he finds such duplicates?
Stop connection establishment?

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Jim Luth

2013-03-19 16:25

administrator   ~0004586

Discussed in telecon. UA Servers and clients are not expected to do any checking of nonces that would require keeping a history of used nonces. On the other hand, the CTT should keep a complete history of nonces over a session to determine if randomness is achieved.

Part 4 needs to be changed to indicate only the length of the nonce should be checked (and possibly rejected) by the receiving party.

Matthias Damm

2013-09-24 21:41

developer   ~0005003

Added the following clarification to status Bad_NonceInvalid for OpenSecureChannel:
A server shall check the minimum length of the client nonce and return this status if the length is below 32 bytes. A check for duplicated nonces can only be done in OpenSecureChannel calls with the request type RENEW_1.

Added the following clarification to status Bad_NonceInvalid for CreateSession:
A server shall check the minimum length of the client nonce and return this status if the length is below 32 bytes. A check for duplicated nonces is optional and requires access to the nonce used to create the secure channel.

Resolved in document IEC 62541-4 - Services [Pre-CDV] 1.02.03.doc
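
The checks described in the clarification above, written out as an added Python example that is not part of this issue or of any OPC UA stack. The class and function names, the string status values, and the choice to return Bad_NonceInvalid when a duplicate is detected are assumptions of this example.

```python
from enum import Enum

MIN_NONCE_LENGTH = 32  # bytes; minimum stated in the clarification above
GOOD = "Good"
BAD_NONCE_INVALID = "Bad_NonceInvalid"


class RequestType(Enum):
    ISSUE = 0
    RENEW = 1  # the request type the issue refers to as RENEW_1


class ChannelNonceCheck:
    """Hypothetical stack-side state for one SecureChannel."""

    def __init__(self):
        self.last_client_nonce = None  # previous nonce only, no history

    def open_secure_channel(self, request_type, client_nonce):
        # Mandatory check: minimum length.
        if len(client_nonce) < MIN_NONCE_LENGTH:
            return BAD_NONCE_INVALID
        # A duplicate can only be detected on renew, where the stack still
        # holds the nonce from the previous request on this channel.
        if (request_type is RequestType.RENEW
                and client_nonce == self.last_client_nonce):
            return BAD_NONCE_INVALID  # assumption: duplicate maps to this status
        self.last_client_nonce = client_nonce
        return GOOD


def check_create_session(client_nonce, channel_nonce=None):
    """Application-layer check; channel_nonce is None when the stack hides it."""
    if len(client_nonce) < MIN_NONCE_LENGTH:
        return BAD_NONCE_INVALID
    # Optional check: needs the nonce used to create the secure channel.
    if channel_nonce is not None and client_nonce == channel_nonce:
        return BAD_NONCE_INVALID
    return GOOD


class NonceHistory:
    """Test-tool side: complete history over a session, as proposed for the CTT."""

    def __init__(self):
        self.seen = set()

    def is_duplicate(self, nonce):
        duplicate = nonce in self.seen
        self.seen.add(nonce)
        return duplicate
```

The server-side checks keep at most one earlier nonce per channel, which matches the telecon decision that only the test tool keeps a full history.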

Jim Luth

2013-10-10 23:07

administrator   ~0005060

Agreed in previous telecon.

Issue History

Date Modified Username Field Change
2013-02-21 21:29 Matthias Damm New Issue
2013-03-19 16:22 Jim Luth Status new => assigned
2013-03-19 16:22 Jim Luth Assigned To => Matthias Damm
2013-03-19 16:25 Jim Luth Note Added: 0004586
2013-09-24 21:41 Matthias Damm Status assigned => resolved
2013-09-24 21:41 Matthias Damm Resolution open => fixed
2013-09-24 21:41 Matthias Damm Note Added: 0005003
2013-10-10 23:07 Jim Luth Status resolved => closed
2013-10-10 23:07 Jim Luth Note Added: 0005060
2013-10-10 23:07 Jim Luth Fixed in Version => 1.03