On Thu, Sep 26, 2013 at 4:05 PM, coderman <coderman@gmail.com> wrote:
i'm looking for information on the design and implementation of replay windows in various protocols.
oddly enough, this is a surprisingly obtuse subject. it is constrained by:
- the encryption and authentication primitives in use
- identity and session management concerns. (e.g. key agreement)
- and of course, run time resource constraints (memory, CPU, bandwidth, etc.)

Syverson's Replay Attack Taxonomy[0] (abridged):
- Run external attacks (one run of protocol to attack subsequent runs)
- Run internal attacks (using one part of protocol to attack itself in same run)
- Classic replay (no contemporaneous or repeated runs needed)
- Interleaving attacks (using concurrent runs of a protocol against other runs of the same protocol)
provides a foundation for discussing replay attack prevention.

so far i've only come across one good reference design and implementation of a replay window:
"RFC 4302 - IP Authentication Header - Appendix B: Extended (64-bit) Sequence Numbers"
http://tools.ietf.org/html/rfc4302#page-28

and encountered a number of other options for replay prevention in the context of key agreement or transport privacy:
- time stamping messages
- sequence numbering messages
- type tagging messages
- identity tagging messages (reflection prevention)
- ensuring full information principle when using hash functions
- generating session keys without mutual trust
- triple passwords (kerberos)

additional resources invited; the journey continues...

0. "A taxonomy of replay attacks [cryptographic protocols]"
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA463948