Flow with device nonce

The device nonce is meant to bind a specific device to the transaction. It is up to the Relying Party (RP) how to implement device nonce generation, but it is recommended that it is generated independently on the device and on the RP side. If there is no relevant data to use in device nonce generation, the flow without device nonce may be used.

Data to use

When generating device nonce, it is recommended to use data that:

  • is unique per-device (no two devices/accounts use the same data value)
  • is already known by both the device and the server, so it is not transmitted to the device together with the server nonce. Examples of such data:
    • unique device/user/account identifier that is already present on device
    • public key (hash of the public key) that is unique per device and is known by server
    • etc...

Optionally, some request-related data (request identifier, session identifier, etc.) could also be included when generating the device nonce, if it is meaningful.

Algorithm example

The device nonce generation algorithm is up to the RP. However, since the device nonce value is also sent by the RP to the Attestation API, it is strongly recommended to hash the data.

The simplest approach would be to convert all data to binary form, concatenate the values in a defined order, and then hash the result:

deviceNonce = HASH(dataValue_1 || dataValue_2 || ... || dataValue_N)

The hash algorithm is up to the RP, but it is recommended to use at least SHA-256.

Example approach that could be used:

  • Choose some data that is available, depending on the RP request/flow. Let's assume two values are used:
    • user identifier
    • account identifier
  • Convert values to binary form
    • userIdentifierRaw
    • accountIdentifierRaw
  • Concatenate the data: deviceNonceData = userIdentifierRaw || accountIdentifierRaw
  • Hash the data: deviceNonce = SHA-256(deviceNonceData)

Final nonce composition

The final nonce (also referred to as expected nonce) is the value that gets embedded in the attestation token and that the Attestation API checks during verification.

With device nonce

When a device nonce is used, it is taken as raw bytes and appended to the server nonce's raw bytes. The result is then hashed with the SHA-256 algorithm.

finalNonce = SHA-256(serverNonce || deviceNonce)

Without device nonce

If device nonce is not used, the server nonce, as is, becomes the final nonce.
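
The device nonce algorithm example and both final nonce compositions above, worked through in Python as an added example (not code from the original documentation or from the Attestation API). It assumes the user and account identifiers are UUIDs, so each raw value has a fixed 16-byte length; the function names and sample values are hypothetical, and nonce_matches only illustrates the kind of check performed during verification.

```python
import hashlib
import hmac
import os
import uuid
from typing import Optional


def device_nonce(user_id: uuid.UUID, account_id: uuid.UUID) -> bytes:
    """deviceNonce = SHA-256(userIdentifierRaw || accountIdentifierRaw)."""
    # Assumption: identifiers are UUIDs, so each raw value is exactly 16 bytes
    # and the concatenation has unambiguous field boundaries.
    return hashlib.sha256(user_id.bytes + account_id.bytes).digest()


def final_nonce(server_nonce: bytes, dev_nonce: Optional[bytes] = None) -> bytes:
    """Expected nonce: SHA-256(serverNonce || deviceNonce), or serverNonce as is."""
    if dev_nonce is None:
        return server_nonce
    return hashlib.sha256(server_nonce + dev_nonce).digest()


def nonce_matches(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison of the expected nonce and the received one."""
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    # Constructed sample values, not taken from any real system.
    user = uuid.UUID("11111111-2222-4333-8444-555555555555")
    account = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
    other_account = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-ffffffffffff")
    server_nonce = os.urandom(32)  # generated by the RP per transaction
    # Device side: derives deviceNonce from data it already holds.
    on_device = final_nonce(server_nonce, device_nonce(user, account))
    # RP side: derives the same value independently from its own records.
    on_rp = final_nonce(server_nonce, device_nonce(user, account))
    # A device bound to a different account yields a different final nonce.
    foreign = final_nonce(server_nonce, device_nonce(user, other_account))
    return {
        "same_device": nonce_matches(on_rp, on_device),
        "other_device": nonce_matches(on_rp, foreign),
        "no_device_nonce": final_nonce(server_nonce) == server_nonce,
    }


if __name__ == "__main__":
    print(demo())
```

If the chosen data values are variable-length, the device and the RP also have to agree on an encoding that keeps field boundaries unambiguous before concatenating.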