Replay attacks vs man in the middle

Brad Fitzpatrick brad at
Fri May 20 10:25:30 PDT 2005

On Fri, 20 May 2005, Imran Ghory wrote:

> On 5/20/05, Brad Fitzpatrick <brad at> wrote:
> > The DSA signature with timestamp is there so consumers who DO care about
> > freshness can use the timestamp to make sure a signature was issued only
> > in the past $n minutes.  And because the signature as a whole was signed
> > using a random number, the entire signature itself is a nonce, so the
> > consumer site can prevent replay attacks by just not accepting that digest
> > ever again.
> >
> > That said, am I still missing something?
> The problem with that is that the consumer site has to keep a record
> of every single digest.

True, but to be fair:  only those within the allowed time window.  Not all
of history.  But I'm with you on wanting to make it as cheap as possible
to run this all.

> The advantage of a nonce is that it fixes the
> problem while not requiring a database to store all of the digests and
> hence makes it significantly cheaper to implement securely.

So what's the flow look like?  The consumer server process generates the
nonce, stores it, sends it to the identity server, and the identity server
signs it?

What does the consumer site do to keep track of twice-used nonces?
Just keep track of not-yet-used nonces, right?  And if they're never used
in some large time window, the consumer can forget about them?

I guess it's really up to the consumer how to deal with their nonces, but
if I got the flow right, it's certainly easy to add.

- Brad
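
The two replay defences discussed in this thread, written out as an added example (this is not code from the thread or from the yadis project). It implements the flow Brad sketches: the consumer generates a nonce and stores it, the identity server signs it, and the consumer accepts each nonce once and forgets unused ones after the time window. Beside it is the earlier "remember every accepted digest within the window" approach for comparison. Assumptions: an HMAC over a canonical string stands in for the DSA signature, a shared key stands in for the identity server's key pair, the identity server draws its own random value when no consumer nonce is supplied (standing in for DSA's per-signature randomness that makes each signature unique), the window is five minutes, and times are integer seconds passed in explicitly so the behaviour is testable.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 300  # assumed freshness window ($n minutes from the thread)


def canonical(identity, nonce, issued):
    """Bytes that get signed: identity, nonce and issue time, unambiguously joined."""
    return f"{identity}|{nonce}|{issued}".encode()


class IdentityServer:
    """Signs an assertion about `identity` at time `issued`.

    If the consumer supplied a nonce it is signed as-is; otherwise a random
    value is drawn so two assertions for the same identity never share a
    signature (stand-in for DSA's per-signature randomness)."""

    def __init__(self, key):
        self.key = key

    def sign(self, identity, issued, nonce=None):
        nonce = nonce or secrets.token_urlsafe(16)
        sig = hmac.new(self.key, canonical(identity, nonce, issued), hashlib.sha256).hexdigest()
        return {"identity": identity, "nonce": nonce, "issued": issued, "sig": sig}


def _sig_ok(key, assertion):
    expected = hmac.new(key, canonical(assertion["identity"], assertion["nonce"],
                                       assertion["issued"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


class NonceConsumer:
    """Consumer that pre-issues nonces and only remembers the not-yet-used ones."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.pending = {}  # nonce -> time it was issued

    def _expire(self, now):
        # Nonces never used inside the window are simply forgotten.
        self.pending = {n: t for n, t in self.pending.items() if now - t <= self.window}

    def new_nonce(self, now):
        self._expire(now)
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, assertion, now):
        self._expire(now)
        nonce = assertion["nonce"]
        if nonce not in self.pending:          # unknown, expired, or already consumed
            return False
        if not _sig_ok(self.key, assertion):   # tampered; nonce stays pending
            return False
        if not 0 <= now - assertion["issued"] <= self.window:
            return False
        del self.pending[nonce]                # consume: a replay now fails above
        return True


class DigestConsumer:
    """Consumer that does not pre-issue nonces but records every accepted
    signature seen within the window, so a replayed one is refused."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen = {}  # sig -> issue time

    def verify(self, assertion, now):
        # Anything older than the window is rejected by the timestamp check,
        # so its digest no longer needs to be remembered.
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.window}
        if not 0 <= now - assertion["issued"] <= self.window:
            return False
        if assertion["sig"] in self.seen:      # replay of an accepted assertion
            return False
        if not _sig_ok(self.key, assertion):
            return False
        self.seen[assertion["sig"]] = assertion["issued"]
        return True


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # constructed sample key
    idp, consumer = IdentityServer(key), NonceConsumer(key)
    nonce = consumer.new_nonce(now=1000)
    assertion = idp.sign("alice", 1000, nonce=nonce)
    print("first use:", consumer.verify(assertion, now=1001))
    print("replay:", consumer.verify(assertion, now=1002))
```

The nonce store only ever grows with the number of outstanding logins, while the digest store grows with the number of successful logins in the window; both are bounded by the window, which is the point Brad concedes above. Note that a failed signature check leaves the nonce pending, so a garbage message cannot cancel a legitimate login in flight.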

More information about the yadis mailing list