design and implementation of "replay prevention windows"
coderman
coderman@gmail.com
Wed Oct 30 18:07:16 PDT 2013
On Thu, Sep 26, 2013 at 4:05 PM, coderman <coderman@gmail.com> wrote:
> i'm looking for information on the design and implementation of replay
> windows in various protocols.
oddly enough, this is a surprisingly obtuse subject. it is constrained by:
- the encryption and authentication primitives in use
- identity and session management concerns. (e.g. key agreement)
- and of course, run time resource constraints (memory, CPU, bandwidth, etc.)
Syverson's Replay Attack Taxonomy[0] (abridged):
- Run external attacks (one run of protocol to attack subsequent runs)
- Run internal attacks (using one part of protocol to attack itself in same run)
- Classic replay (no contemporaneous or repeated runs needed)
- Interleaving attacks (using concurrent runs of a protocol against
other runs of the same protocol)
provides a foundation for discussing replay attack prevention.
so far i've only come across one good reference design and
implementation of a replay window:
"RFC 4302 - IP Authentication Header - Appendix B: Extended (64-bit)
Sequence Numbers"
http://tools.ietf.org/html/rfc4302#page-28
and encountered a number of other options for replay prevention in the
context of key agreement or transport privacy:
- time stamping messages
- sequence numbering messages
- type tagging messages
- identity tagging messages (reflection prevention)
- ensuring full information priciple when using hash functions
- generating session keys without mutual trust
- triple passwords (kerberos)
additional resources invited; the journey continues...
0. "A taxonomy of replay attacks [cryptographic protocols]"
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA463948
More information about the cypherpunks
mailing list