Replay attacks vs man in the middle
mart at degeneration.co.uk
Fri May 20 11:48:13 PDT 2005
Brad Fitzpatrick wrote:
> On Fri, 20 May 2005, Imran Ghory wrote:
>>On 5/20/05, Brad Fitzpatrick <brad at danga.com> wrote:
>>>The DSA signature with timestamp is there so consumers who DO care about
>>>freshness can use the timestamp to make sure a signature was issued only
>>>in the past $n minutes. And because the signature as a whole was signed
>>>using a random number, the entire signature itself is a nonce, so the
>>>consumer site can prevent replay attacks by just not accepting that digest
>>>That said, am I still missing something?
>>The problem with that is that the consumer site has to keep a record
>>of every single digest.
> True, but to be fair: only those within the allowed time window. Not all
> of history. But I'm with you on wanting to make it as cheap as possible
> to run this all.
The difference really is between tracking pending requests vs. tracking
past requests. For most sites, I think there will be less pending at a
given moment than there are past.

Nonces are, as far as I can see, a good idea. However, I think they
should be optional, or at least consumers should be free to ignore them
and supply garbage or the same value each time. It does reduce security,
but some sites are small and want to be completely stateless. These
sites can still make use of the timestamp to provide a limit to the
damage a replay attack can cause.

I suppose it comes down to whether the nonce is returned back to the
consumer from the ID server. If it is, then the consumer is free to
generate garbage and just use the value the ID server gives back rather
than storing the nonce. This gives the illusion that it's noncing. If
instead it's generating the same nonce each time, it'll make it much
more obvious to a potential attacker. Security through obscurity, admittedly,
but since it's only the one site that is in danger, not a major problem.
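As an added illustration (not code from this thread or from the Yadis project) of the two bookkeeping strategies being compared above, plus the stateless timestamp-only fallback mart mentions: the 300-second window, the class names and the injectable clock are assumptions made for the sketch.

```python
import time

WINDOW_SECONDS = 300  # the thread's "$n minutes"; five minutes is a constructed value


class WindowedReplayGuard:
    # Brad's scheme: accept a signed assertion only if its timestamp is fresh and
    # its digest was not accepted before. Digests older than the window are
    # dropped, so memory grows with assertions seen in the last window only.
    def __init__(self, window=WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock      # injectable clock so the check is testable
        self.seen = {}          # digest -> issued timestamp

    def _evict_expired(self, now):
        cutoff = now - self.window
        for digest in [d for d, ts in self.seen.items() if ts < cutoff]:
            del self.seen[digest]

    def accept(self, digest, issued_at):
        now = self.clock()
        self._evict_expired(now)
        if issued_at > now or now - issued_at > self.window:
            return False        # stale, or clock-skewed into the future
        if digest in self.seen:
            return False        # replay inside the window
        self.seen[digest] = issued_at
        return True


class PendingNonceGuard:
    # mart's alternative: the consumer remembers only the nonces it has issued
    # and is still waiting on; a nonce is consumed the first time it comes back.
    def __init__(self, window=WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock
        self.pending = {}       # nonce -> time the consumer issued it

    def issue(self, nonce):
        self.pending[nonce] = self.clock()

    def accept(self, nonce):
        issued = self.pending.pop(nonce, None)  # one-shot: gone after first use
        return issued is not None and self.clock() - issued <= self.window


def stateless_accept(issued_at, now, window=WINDOW_SECONDS):
    # Timestamp-only check for a site that keeps no state at all: it cannot
    # detect a replay, but the window bounds how long a captured assertion works.
    return 0 <= now - issued_at <= window
```

The windowed guard holds at most the digests received in the last window, whereas the pending guard holds only requests still in flight, which is the size comparison the message is making.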