OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

wss message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Fw: [wss] Issue: replay attacks & timestamp

Forwarding for Rich...

Cheers,

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chrisfer@us.ibm.com
phone: +1 508 234 3624
----- Forwarded by Christopher B Ferris/Waltham/IBM on 06/13/2003 04:22 PM 
-----

Rich Salz <rsalz@datapower.com> 
06/13/2003 04:18 PM

To
Christopher B Ferris/Waltham/IBM@IBMUS
cc

Subject
Re: [wss] Issue: replay attacks & timestamp






{Until my membership/list status is cleared up, I would appreciate it if 
you could forward this for me... thanks.}

Traditionally replay has meant an adversary re-submitting a valid 
message to the intended recipient. Nonces and timestamps and (in the 
classic Kerberos phrasing) "loosely synchronized clocks" are the 
conventional way to prevent replay.

It has not been taken to mean someone taking a message and sending it to 
a different recipient.  I think misdirection might be a better term, 
since it also covers the case where the message *only* goes to the wrong 
recipient.  Particularly in a distributed system, wrong-recipient-B may 
have no way of knowing if proper-recipient-A ever saw the signature or 
not.

Misdirection hasn't been addressed very much.  For example, while S/MIME 
and its predecessors originated in the early 90's (RFC 1847, RFC 2311, 
etc), it was only in in June 2001 that Don Davis pointed out some 
problems; cf http://world.std.com/~dtd/sign_encrypt/summary.html
Encryption is the conventional way to prevent misdirection. If the 
message must remain in the clear, then it seems like an encrypted 
signature would be appropriate.  Failing that, Chris's concerns about 
SOAP role (actor), and the preference to use WS-Addressing if available, 
seem right on the mark; "+1" as they say.
                 /r$

-- 
Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]