Contemplating On The Heat Death Of Secure Nonce
Ensuring No Repeats With Monotonic Incrementing Nonce
The secure nonce is used for anti-replay services. Anti-replay services guarded over events that mark anti-replay boundaries. They are used in memory protection engine, secure storage, and secure service engines as DPA (Differential Power Analysis) protection factors and random seed bits for encryption, authentication, access control and replay prevention.
At boot time, OS may use secret nonce or just from a TRNG to generate an ephemeral wrapping key to synch the authentication between the trusted components.
During a secure boot, before the Sealed Root Key releases the key encryption key (KEK) which releases the keys to decipher the measurements of the software on the system, it needs to authenticate its internal sources of references. To further complicate the matter, it may implicate policy files (local + remote, + secure nonces).
If the critical security policy changes (for example, disabling services), it must come with secure nonces for each session to deter replays or attacker breaking the session to alter the intent of the content and context.
Anti-replays helps prevent older policy files or session contexts — which could have been configured for lower security —…