OASIS Mailing List Archives
ws-dd message



Subject: RE: Issue 069 - WS-Discovery - Preventing replay attack using [message id] property is impractical


Hi all,

 

Based on our discussions on this issue during the face-to-face, a modified proposal for this issue is attached. This proposal lists the mechanisms, including the timestamp mechanism described in WS-Security, that implementations can use to prevent replay attacks. This is provided as guidance without introducing any additional requirements; implementations can choose to use these mechanisms based on the scenario, capabilities and level of replay protection they need.

 

Thanks,

Vipul

 

From: Ram Jeyaraman [mailto:Ram.Jeyaraman@microsoft.com]
Sent: Thursday, September 18, 2008 2:54 PM
To: ws-dd@lists.oasis-open.org
Subject: [ws-dd] Issue 069 - WS-Discovery - Preventing replay attack using [message id] property is impractical

 

This issue is assigned the number 069. For further discussions on this issue, please refer to this issue number or use this thread.

 

From: Vipul Modi
Sent: Thursday, September 18, 2008 2:52 PM
To: Ram Jeyaraman
Subject: NEW Issue - WS-Discovery - Preventing replay attack using [message id] property is impractical

 

Please defer discussions on this issue until a time this issue is accepted and is assigned a number.

 

Description:

Section 9 Security Considerations of the current specification recommends signing the [message id] property of the message and discarding any message with the same [message id] property. Effectively implementing replay attack prevention through duplicate [message id] detection would require a large amount of storage to cache the [message id] property of every message received so far.

 

Proposed Resolution:

WS-Security recommends using Timestamps to prevent replay attacks. WS-Discovery should use the same mechanism. In order to provide a low footprint, d:Security/d:Sig should include an attribute called "Created". The value of this attribute is of type xsd:dateTime. This should be expanded into a wsu:Created element inside a wsu:Timestamp element with wsu:Id="timestamp" and included in the canonicalization and signature verification.

 

<d:Security ... >
  [<d:Sig Scheme="xs:anyURI"
         [KeyId="xs:base64Binary"]?
          Refs="..."
          Sig="xs:base64Binary"
          Created="xs:dateTime"
          ... />]?
  ...
</d:Security>

 

 

<S11:Header>
  <wsse:Security>
    <wsu:Timestamp wsu:Id="timestamp">
      <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
    </wsu:Timestamp>
  </wsse:Security>
</S11:Header>
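The following is an added example, not part of the proposal or any WS-Discovery implementation, showing why the Created timestamp bounds the storage problem described in the issue: a receiver only needs to remember [message id] values that fall inside the freshness window, and the same helper expands the proposed Created attribute into the wsu:Timestamp element. The class name ReplayGuard, the 5 minute window and the 30 second clock skew allowance are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta


def parse_created(value):
    """Parse an xsd:dateTime such as 2001-09-13T08:42:00Z (trailing Z = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expand_created(created_value):
    """Expand the proposed d:Sig/@Created attribute into the wsu:Timestamp
    element the proposal says is fed into canonicalization and signing."""
    return ('<wsu:Timestamp wsu:Id="timestamp">'
            f'<wsu:Created>{created_value}</wsu:Created>'
            '</wsu:Timestamp>')


class ReplayGuard:
    """Receiver-side replay check: a message is accepted only if its Created
    time is fresh and its [message id] has not been seen inside the window.
    Window and skew values are assumptions, not values from the proposal."""

    def __init__(self, window=timedelta(minutes=5), skew=timedelta(seconds=30)):
        self.window = window
        self.skew = skew
        self.seen = {}  # message id -> Created; never grows past the window

    def _expire(self, now):
        # Drop ids whose Created time can no longer pass the freshness check,
        # so the cache size is bounded by traffic volume within the window.
        cutoff = now - self.window
        for mid in [m for m, c in self.seen.items() if c < cutoff]:
            del self.seen[mid]

    def accept(self, message_id, created, now):
        self._expire(now)
        if created > now + self.skew:
            return False  # Created lies in the future beyond allowed skew
        if created < now - self.window:
            return False  # stale: a replayed or badly delayed message
        if message_id in self.seen:
            return False  # duplicate [message id] within the window
        self.seen[message_id] = created
        return True
```

The signature over the Created value (and the [message id]) is what prevents an attacker from simply refreshing the timestamp on a captured message; this check assumes signature verification has already succeeded.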

 

Issue-069-proposal.docx


