Subject: Issue 069 - WS-Discovery - Preventing replay attack using [messageid] property is impractical
This issue is assigned the number 069. For further discussions on this issue, please refer to this issue number or use this thread.

From: Vipul Modi

Please defer discussions on this issue until a time this issue is accepted and is assigned a number.

Description:

Section 9 Security Consideration of the current specification recommends signing the [message id] property of the message and discarding any messages with the same [message id] property. Effectively implementing replay attack prevention through duplicate [message id] detection would require a large amount of storage to cache the [message id] property of the messages received so far.

Proposed Resolution:

WS-Security recommends using Timestamps to prevent replay attacks. WS-Discovery should be using the same mechanism. In order to provide a low footprint, d:Security/d:Sig should include an attribute called "Created". The value of this attribute is of type xsd:dateTime. This should be expanded into a wsu:Created element inside a wsu:Timestamp element with wsu:Id="timestamp" and included in the canonicalization and signature verification.

<d:Security ... >
  [<d:Sig Scheme="xs:anyURI"
          [KeyId="xs:base64Binary"]?
          Refs="..."
          Sig="xs:base64Binary"
          Created="xs:dateTime" ...
  />]?
  ...
</d:Security>

<S11:Header>
  <wsse:Security>
    <wsu:Timestamp wsu:Id="timestamp">
      <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
    </wsu:Timestamp>
  </wsse:Security>
</S11:Header>
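As an added example (not code from this issue or from the WS-Discovery specification), the receiver-side check below combines the proposed Created attribute with a duplicate cache whose size stays bounded by the freshness window, since a timestamp alone still allows replay inside that window. The namespace URI, the 5-minute window and the sample d:Sig values are constructed assumptions.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Freshness window (assumption): accept Created within +/- 5 minutes of local time,
# which also bounds how long a [message id] has to be remembered.
WINDOW = dt.timedelta(minutes=5)

# Constructed sample d:Sig with the proposed Created attribute; namespace URI is a placeholder.
SAMPLE_SIG = (
    '<d:Sig xmlns:d="urn:example:ws-discovery" Scheme="urn:example:scheme" '
    'Refs="#timestamp" Sig="AAAA" Created="2001-09-13T08:42:00Z"/>'
)


def parse_created(sig_xml):
    """Return the Created attribute of a d:Sig element as a timezone-aware datetime."""
    sig = ET.fromstring(sig_xml)
    value = sig.attrib["Created"]
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayFilter:
    """Accept a message only if Created is fresh and its [message id] was not
    already seen inside the window. Entries older than the window are dropped on
    every check, so the cache never grows beyond one window's worth of traffic."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.seen = {}  # message id -> Created time

    def check(self, message_id, created, now):
        # A message created before the cutoff would be rejected as stale anyway,
        # so its id no longer needs to be remembered.
        cutoff = now - self.window
        self.seen = {m: t for m, t in self.seen.items() if t >= cutoff}
        if abs(now - created) > self.window:
            return "stale"   # outside the window: reject without caching
        if message_id in self.seen:
            return "replay"  # fresh timestamp, but this id was already accepted
        self.seen[message_id] = created
        return "ok"


def demo():
    """Run the three cases: first delivery, immediate replay, and a late message."""
    now = dt.datetime(2001, 9, 13, 8, 43, tzinfo=dt.timezone.utc)
    f = ReplayFilter()
    created = parse_created(SAMPLE_SIG)
    first = f.check("urn:uuid:1", created, now)
    second = f.check("urn:uuid:1", created, now)
    late = f.check("urn:uuid:2", created, now + dt.timedelta(minutes=10))
    return first, second, late, len(f.seen)
```

The cache must be keyed by the signed [message id] and the window must cover the expected clock skew between peers, otherwise legitimate messages are rejected as stale.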