Replay attacks vs man in the middle

Martin Atkins mart at
Fri May 20 11:48:13 PDT 2005

Brad Fitzpatrick wrote:
> On Fri, 20 May 2005, Imran Ghory wrote:
>>On 5/20/05, Brad Fitzpatrick <brad at> wrote:
>>>The DSA signature with timestamp is there so consumers who DO care about
>>>freshness can use the timestamp to make sure a signature was issued only
>>>in the past $n minutes.  And because the signature as a whole was signed
>>>using a random number, the entire signature itself is a nonce, so the
>>>consumer site can prevent replay attacks by just not accepting that digest
>>>ever again.
>>>That said, am I still missing something?
>>The problem with that is that the consumer site has to keep a record
>>of every single digest.
> True, but to be fair:  only those within the allowed time window.  Not all
> of history.  But I'm with you on wanting to make it as cheap as possible
> to run this all.

The difference really is between tracking pending requests vs. tracking 
past requests. For most sites, I think there will be less pending at a 
given moment than there are past.

Nonces are, as far as I can see, a good idea. However, I think they 
should be optional, or at least consumers should be free to ignore them 
and supply garbage or the same value each time. It does reduce security, 
but some sites are small and want to be completely stateless. These 
sites can still make use of the timestamp to provide a limit to the 
damage a replay attack can cause.

I suppose it comes down to whether the nonce is returned back to the 
consumer from the ID server. If it is, then the consumer is free to 
generate garbage and just use the value the ID server gives back rather 
than storing the nonce. This gives the illusion that it's noncing. If 
instead it's generating the same nonce each time, it'll make it much 
more obvious to a potential attacker. Security through obscurity, admittedly, 
but since it's only the one site that is in danger, it's not a major problem.
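The consumer-side check the thread is weighing, as an added example that is not code from the mailing list or from any yadis/OpenID implementation: a freshness window plus a digest cache that only retains signatures still inside the window, with a stateless mode that keeps just the timestamp check. The `ReplayGuard` class, the injectable clock and the sample signatures are constructed for this illustration.

```python
import hashlib
import time


class ReplayGuard:
    """Freshness window plus a window-bounded digest cache (illustrative, not a protocol API).

    An assertion is accepted only if its timestamp lies within the last
    `window_seconds` and (when tracking) its signature digest has not been
    seen before.  Digests are dropped once the window has passed, because
    the freshness check rejects anything that old anyway, so memory is
    bounded by distinct assertions per window rather than by all history.
    With track_digests=False the guard is stateless: replays inside the
    window are accepted, and the timestamp only limits how long they work.
    """

    def __init__(self, window_seconds=300, clock=time.time, track_digests=True):
        self.window = window_seconds
        self.clock = clock            # injectable so the behaviour can be tested offline
        self.track_digests = track_digests
        self._seen = {}               # digest -> issued_at, only entries inside the window

    def _prune(self, now):
        # Drop every digest whose timestamp has aged past the window.
        self._seen = {d: t for d, t in self._seen.items() if now - t <= self.window}

    def accept(self, issued_at, signature):
        now = self.clock()
        self._prune(now)
        # Freshness: stale or future-dated assertions are rejected outright.
        if issued_at > now or now - issued_at > self.window:
            return False
        if not self.track_digests:
            return True
        # Replay: the same signature presented again inside the window is rejected.
        digest = hashlib.sha256(signature).hexdigest()
        if digest in self._seen:
            return False
        self._seen[digest] = issued_at
        return True

    def tracked(self):
        """Number of digests currently retained (bounded by the window)."""
        return len(self._seen)
```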
