Subject: Issue 169: Replay of Hash
In the Username Token Profile after line 142 insert:

The countermeasures above do not cover the case where the token is replayed to a different receiver. There are several possible approaches to counter this threat, which may be used separately or in combination. Their use requires pre-arrangement (possibly in the form of a published profile) among the communicating parties to provide interoperability.

- including the username in the hash, to thwart cases where multiple user accounts have matching passwords (e.g. passwords based on company name)
- including the domain name in the hash, to thwart cases where the same username/password is used in multiple systems
- including some indication of the intended receiver in the hash, to thwart cases where receiving systems don't share nonce caches (e.g., two separate application clusters in the same security domain).

Hal
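As an added illustration (not part of Hal's message or the profile text): the standard PasswordDigest beside a variant that folds in the three values the post lists, plus the receiver-side check. The field order and NUL separators are this example's assumption, since the post leaves the encoding to pre-arrangement.

```python
import base64
import hashlib
import hmac

def wss_password_digest(nonce: bytes, created: str, password: str) -> str:
    """Standard Username Token Profile digest: Base64(SHA-1(nonce + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def bound_password_digest(nonce: bytes, created: str, password: str,
                          username: str, domain: str, receiver: str) -> str:
    """Digest that also binds username, domain and intended receiver, as the post
    proposes. Field order and the NUL separators are this example's assumption
    (the post fixes none); peers must pre-arrange them. Separators stop
    'ab'+'c' and 'a'+'bc' from colliding."""
    fields = [nonce, created.encode("utf-8"), password.encode("utf-8"),
              username.encode("utf-8"), domain.encode("utf-8"), receiver.encode("utf-8")]
    return base64.b64encode(hashlib.sha1(b"\x00".join(fields)).digest()).decode("ascii")

def make_token(nonce: bytes, created: str, password: str,
               username: str, domain: str, receiver: str) -> dict:
    """What the sender puts on the wire (the password itself never travels)."""
    return {"username": username, "nonce": nonce, "created": created,
            "digest": bound_password_digest(nonce, created, password, username, domain, receiver)}

def receiver_accepts(token: dict, known_password: str, my_domain: str, my_id: str) -> bool:
    """Receiver-side check: recompute with its *own* domain and identity and compare in
    constant time. A token captured in transit to another receiver fails here even if this
    receiver's nonce cache has never seen the nonce (nonce/timestamp checks still apply)."""
    expected = bound_password_digest(token["nonce"], token["created"], known_password,
                                     token["username"], my_domain, my_id)
    return hmac.compare_digest(expected, token["digest"])

# Constructed sample values; a real nonce is fresh random bytes per message.
NONCE = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
CREATED = "2003-12-01T10:00:00Z"
PASSWORD = "Acme2003"  # weak company-name password that two accounts happen to share

if __name__ == "__main__":
    # Standard digest: identical for alice and bob (same password, same nonce/created)
    # and for any receiver, so a capture aimed at cluster-a verifies at cluster-b.
    print(wss_password_digest(NONCE, CREATED, PASSWORD))
    tok = make_token(NONCE, CREATED, PASSWORD, "alice", "acme", "cluster-a")
    print(receiver_accepts(tok, PASSWORD, "acme", "cluster-a"))  # True
    print(receiver_accepts(tok, PASSWORD, "acme", "cluster-b"))  # False: other receiver
```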