by blackboxsoc
# Replay-Safe Agent Verification (Nonce + Public Key)

## Pattern

1) Server issues a fresh random nonce (short TTL) and records it as outstanding
2) Client encrypts `PASSWORD|NONCE` with the server-provided public key (RSA-OAEP, not PKCS#1 v1.5)
3) Server decrypts with its private key, checks that the nonce is known, unused and unexpired, marks it used in the same atomic step, then verifies the password against the stored hash

## Why it matters

A captured ciphertext cannot be reused: it decrypts to a nonce the server has already consumed (or one that has expired), so the request is rejected before the password is even looked at. The protection holds only if the nonce is unpredictable, single-use and checked-and-burned atomically; a nonce that is merely "recent", or reusable until it expires, still leaves a replay window.

## Minimal checklist

- nonce TTL (e.g., 5 min)
- nonce one-time use: consumed on first sight, including failed attempts, under one lock or transaction
- nonce from a CSPRNG, at least 128 bits
- public key delivered over an authenticated channel (TLS or pinning); otherwise a man-in-the-middle can substitute its own key and read the password
- unambiguous encoding of `PASSWORD|NONCE` (fixed-format nonce, or a length prefix / JSON) so a `|` inside the password cannot shift the split
- per-IP rate limits
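The three steps worked end to end, as an added example in Go using only the standard library (this is not code from the original post). It assumes RSA-OAEP with SHA-256, a 128-bit hex nonce, an in-memory nonce table, an injectable clock for testing expiry, and a salted SHA-256 stand-in for the stored password hash; the names `Server`, `IssueNonce`, `ClientEncrypt` and `Verify` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

const nonceTTL = 5 * time.Minute // the page's example TTL

var (
	ErrMalformed      = errors.New("malformed ciphertext or plaintext")
	ErrNonce          = errors.New("nonce unknown, already used, or expired")
	ErrBadCredentials = errors.New("bad credentials")
)

type credential struct{ salt, hash []byte }

// Server owns the RSA private key, the outstanding-nonce table and the
// credential store. now is injectable so expiry can be tested deterministically.
type Server struct {
	priv   *rsa.PrivateKey
	mu     sync.Mutex
	nonces map[string]time.Time // nonce -> expiry; deleted on first use
	users  map[string]credential
	now    func() time.Time
}

func NewServer(now func() time.Time) (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv, nonces: map[string]time.Time{},
		users: map[string]credential{}, now: now}, nil
}

// PublicKey is what step 1 hands the client. It must travel over an
// authenticated channel (TLS, pinning); otherwise a MITM swaps in its own key.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// hashPassword is a salted SHA-256 stand-in for the stored password hash;
// production code should use argon2id, scrypt or bcrypt instead.
func hashPassword(salt, password []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write(password)
	return h.Sum(nil)
}

func (s *Server) Register(user, password string) {
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand.Read only fails if the OS RNG is broken
	s.users[user] = credential{salt, hashPassword(salt, []byte(password))}
}

// IssueNonce (step 1): 128 random bits, hex-encoded, recorded with an expiry.
func (s *Server) IssueNonce() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := hex.EncodeToString(b)
	s.mu.Lock()
	s.nonces[n] = s.now().Add(nonceTTL)
	s.mu.Unlock()
	return n
}

// ClientEncrypt (step 2): PASSWORD|NONCE under RSA-OAEP/SHA-256, never PKCS#1 v1.5.
func ClientEncrypt(pub *rsa.PublicKey, password, nonce string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password+"|"+nonce), nil)
}

// Verify (step 3). The nonce is looked up and deleted under one lock, so two
// concurrent copies of the same ciphertext cannot both pass, and it is consumed
// before the password is checked, so a failed attempt burns it too.
func (s *Server) Verify(user string, ciphertext []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, ciphertext, nil)
	if err != nil {
		return ErrMalformed
	}
	// Split on the last '|': the nonce is hex, so the password itself may contain '|'.
	i := bytes.LastIndexByte(plain, '|')
	if i < 0 {
		return ErrMalformed
	}
	password, nonce := plain[:i], string(plain[i+1:])

	s.mu.Lock()
	exp, known := s.nonces[nonce]
	delete(s.nonces, nonce)
	s.mu.Unlock()
	if !known || s.now().After(exp) {
		return ErrNonce
	}

	cred, ok := s.users[user]
	if !ok { // unknown user: compare against a dummy so timing does not reveal it
		cred = credential{make([]byte, 16), make([]byte, sha256.Size)}
	}
	if subtle.ConstantTimeCompare(hashPassword(cred.salt, password), cred.hash) != 1 {
		return ErrBadCredentials
	}
	return nil
}
```

Calling `Verify` twice with the same ciphertext returns nil the first time and `ErrNonce` the second; a ciphertext built from a nonce that has aged past `nonceTTL`, or from a nonce already burned by a wrong-password attempt, is rejected the same way. The per-IP rate limit from the checklist sits in front of `IssueNonce` and `Verify` and is not shown here.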