Subject: RE: Issue 069 - WS-Discovery - Preventing replay attack using[message id] property is impractical
Hi all,

Based on our discussions on this issue during the face-to-face, a modified proposal for this issue is attached.

This proposal lists the mechanisms, including the timestamp mechanism described in WS-Security, that the implementations can use to prevent the replay attack. This is provided as guidance without introducing any additional requirements; the implementations can choose to use these mechanisms based on the scenario, capabilities and level of replay protection they need.

Thanks,
Vipul

From: Ram Jeyaraman [mailto:Ram.Jeyaraman@microsoft.com]

This issue is assigned the number 069. For further discussions on this issue, please refer to this issue number or use this thread.

From: Vipul Modi

Please defer discussions on this issue until a time this issue is accepted and is assigned a number.

Description: Section 9 Security Consideration of the current specification recommends signing a [message id] property of the message and discarding any messages with the same [message id] property. Effectively implementing replay attack prevention by duplicate [message id] detection would require a large amount of storage to cache the [message id] property of the messages received so far.

Proposed Resolution: WS-Security recommends using Timestamps to prevent replay attacks. WS-Discovery should be using the same mechanism. In order to provide a low footprint, d:Security/d:Sig should include an attribute called "Created". The value of this attribute is of type xsd:dateTime. This should be expanded into a wsu:Created element inside a wsu:Timestamp element with wsu:Id="timestamp" and included in the canonicalization and signature verification.

    <d:Security ... >
      [<d:Sig Scheme="xs:anyURI"
              [KeyId="xs:base64Binary"]?
              Refs="..."
              Sig="xs:base64Binary"
              Created="xs:dateTime" ...
       />]?
      ...
    </d:Security>

    <S11:Header>
      <wsse:Security>
        <wsu:Timestamp wsu:Id="timestamp">
          <wsu:Created>2001-09-13T08:42:00Z</wsu:Created>
        </wsu:Timestamp>
      </wsse:Security>
    </S11:Header>
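An added illustration, not part of the proposal or of any WS-Discovery implementation, of how the Created timestamp bounds the storage the issue complains about: the receiver expands Created into the wsu:Timestamp element that goes into canonicalization, enforces a freshness window on it, and only has to cache [message id] values that still fall inside that window. The signature check over the canonicalized message is assumed to happen separately; the message ids, window and clock-skew values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape


def expand_created(created: str) -> str:
    """Expand d:Sig/@Created into the wsu:Timestamp element that the
    proposal says is fed to canonicalization and signature verification."""
    return ('<wsu:Timestamp wsu:Id="timestamp">'
            f'<wsu:Created>{escape(created)}</wsu:Created>'
            '</wsu:Timestamp>')


def parse_created(created: str) -> datetime:
    """Parse the xsd:dateTime value; only UTC ('Z') values are accepted here
    so that the freshness comparison below is unambiguous (an assumption)."""
    if not created.endswith("Z"):
        raise ValueError("Created must be a UTC xsd:dateTime ending in Z")
    return datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayGuard:
    """Freshness window on Created plus a [message id] cache that is evicted
    once an entry's Created leaves the window, so storage stays bounded."""

    def __init__(self, window: timedelta, skew: timedelta):
        self.window = window      # how old a Created value may be
        self.skew = skew          # tolerated clock skew into the future
        self.seen = {}            # message id -> Created (datetime)

    def accept(self, message_id: str, created: str, now: datetime):
        ts = parse_created(created)
        if ts > now + self.skew:
            return False, "Created is in the future"
        if now - ts > self.window:
            return False, "Created is outside the freshness window"
        # Ids whose Created has expired can no longer pass the check above,
        # so they need not be remembered any more.
        for mid in [m for m, t in self.seen.items() if now - t > self.window]:
            del self.seen[mid]
        if message_id in self.seen:
            return False, "duplicate [message id] inside the freshness window"
        self.seen[message_id] = ts
        return True, "accepted"


if __name__ == "__main__":
    guard = ReplayGuard(window=timedelta(minutes=5), skew=timedelta(seconds=30))
    now = datetime(2001, 9, 13, 8, 43, 0, tzinfo=timezone.utc)   # constructed clock
    print(guard.accept("urn:uuid:sample-1", "2001-09-13T08:42:00Z", now))
    print(guard.accept("urn:uuid:sample-1", "2001-09-13T08:42:00Z", now))  # replayed
```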