
Nonce, a randomly generated token


A nonce is a randomly generated cryptographic token. Although a nonce can be inserted anywhere in the SOAP message, it is typically inserted in the <UsernameToken> element.

Without a nonce, when a UsernameToken is passed from one machine to another over a non-secure transport, such as HTTP, the token might be intercepted and used in a replay attack. The user name token can be stolen even if we use XML digital signature and XML encryption.

The <wsse:Nonce> and <wsu:Created> elements are generated within the <wsse:UsernameToken> element and are used to validate the message.

The server checks the freshness of the message by verifying that the difference between the nonce creation time, <wsu:Created>, and the current time falls within a specified time period.

The server also checks a cache of used nonces to verify that the user name token in the received SOAP message has not been processed within the specified time period.

To add a nonce to the UsernameToken, we specify it in the token generator for the user name token. When the token generator for the UsernameToken is configured, we can select the Add nonce option to include a nonce in the user name token.
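To make the freshness and replay checks above concrete, here is an added example in Python; it is not code from this page or from the WS-Security runtime it describes. It builds a UsernameToken carrying <wsse:Nonce> and <wsu:Created>, then validates it server-side with a time window and a cache of used nonces. The namespace URIs are the WSS 1.0 ones; the window size, the cache layout and the helper names are assumptions.

```python
import base64
import calendar
import os
import time
import xml.etree.ElementTree as ET

# WS-Security 1.0 namespaces used by the <wsse:UsernameToken> element
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_username_token(username, nonce=None, created=None):
    """Client side: build a UsernameToken with a random nonce and a Created timestamp.

    nonce: raw bytes (defaults to 16 random bytes); created: UTC epoch seconds.
    """
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created if created is not None else time.time()
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<wsse:Username>{username}</wsse:Username>"
        f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
        f"<wsu:Created>{time.strftime(TS_FMT, time.gmtime(created))}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


class NonceValidator:
    """Server side: freshness check plus a cache of nonces seen within the window."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds          # assumed freshness window
        self.seen = {}                        # nonce text -> time it was accepted

    def check(self, token_xml, now=None):
        """Return 'accepted' or a 'rejected: ...' reason; now is UTC epoch seconds."""
        now = now if now is not None else time.time()
        root = ET.fromstring(token_xml)
        nonce_el = root.find(f"{{{WSSE}}}Nonce")
        created_el = root.find(f"{{{WSU}}}Created")
        if nonce_el is None or created_el is None:
            return "rejected: nonce or Created missing"
        created = calendar.timegm(time.strptime(created_el.text, TS_FMT))
        # Freshness: Created must lie within the window of the current time;
        # abs() also rejects timestamps set too far in the future.
        if abs(now - created) > self.window:
            return "rejected: stale Created timestamp"
        # Entries older than the window can go: a replay that old fails the check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce_el.text in self.seen:
            return "rejected: nonce already used"
        self.seen[nonce_el.text] = now
        return "accepted"
```

In a cluster the `seen` dictionary would have to be shared between servers, which is what the distributed nonce cache referenced below provides.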

Related concepts


WS-Security enhancements
Distributed nonce cache


Related tasks


Distributing nonce caching to servers in a cluster


Related


Security considerations for Web services