Astronomical nonce sense

Ed Felten discusses an interesting dispute among astronomers regarding how long scholars should withhold discoveries so they can retain exclusive access and get credit for more original papers. (Aside: As I note in his comments, while this is largely self-governing because everybody has incentives to publish, there are occasional extreme examples of scholarly hoarding, such as the decades-long embargo on publication of some Dead Sea Scroll materials.)

The security angle on this is that the dispute is about whether the Spaniards scooped the Americans by reverse-engineering a temporary name published in an advance abstract of a paper. The temporary name contained a date that could have served as an index into a telescope activity log, revealing the position of the newly-discovered object.

The lesson is that cookies or nonces (temporary data values to be used only once) should usually, in security applications, be content-free (long, random, unpredictable, and generated with a random number generator that is not itself prone to reverse engineering). Structured or predictable nonces can lead to information leaks or to vulnerability to forgery. Short nonces fall to brute-force search.
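The sketch below is an added illustration of this lesson, not code from the original post. The label format, the sample label, and the names `leaked_date`, `tries_to_find` and `OpaqueLabels` are all assumptions made for the example: it contrasts a label that embeds a date, a short numeric nonce, and a content-free label whose meaning is kept only in a private lookup table.

```python
import itertools
import re
import secrets
from datetime import date

# Constructed sample label with an embedded date (hypothetical format,
# not the actual temporary name from the dispute).
STRUCTURED_LABEL = "TMP-20240131-A"

def leaked_date(label):
    """Return the calendar date readable from a structured label, if any."""
    m = re.search(r"(\d{4})(\d{2})(\d{2})", label)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # eight digits that do not form a real date
        return None

def tries_to_find(is_valid, digits):
    """Count guesses an exhaustive search needs against a short numeric nonce."""
    for n, guess in enumerate(itertools.product("0123456789", repeat=digits), 1):
        if is_valid("".join(guess)):
            return n
    return None

class OpaqueLabels:
    """Issue content-free public labels; the meaning lives in a private map."""

    def __init__(self, nbytes=16):
        if nbytes < 16:
            raise ValueError("fewer than 128 random bits invites brute force")
        self._nbytes = nbytes
        self._records = {}

    def issue(self, record):
        label = secrets.token_urlsafe(self._nbytes)  # drawn from the OS CSPRNG
        self._records[label] = record
        return label

    def resolve(self, label):
        return self._records.get(label)

if __name__ == "__main__":
    print(leaked_date(STRUCTURED_LABEL))            # the date anyone can read
    print(tries_to_find(lambda g: g == "0042", 4))  # guesses spent on a 4-digit nonce
    print(OpaqueLabels().issue({"observed": "2024-01-31"}))
```

The published label carries no information by itself; only the holder of the private map can turn it back into the record it stands for.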
