Subject: Fw: [wss] Issue: replay attacks & timestamp
Forwarding for Rich...

Cheers,

Christopher Ferris
STSM, Emerging e-business Industry Architecture
email: chrisfer@us.ibm.com
phone: +1 508 234 3624

----- Forwarded by Christopher B Ferris/Waltham/IBM on 06/13/2003 04:22 PM -----

Rich Salz <rsalz@datapower.com>
06/13/2003 04:18 PM

To: Christopher B Ferris/Waltham/IBM@IBMUS
cc:
Subject: Re: [wss] Issue: replay attacks & timestamp

{Until my membership/list status is cleared up, I would appreciate it if you could forward this for me... thanks.}

Traditionally replay has meant an adversary re-submitting a valid message to the intended recipient. Nonces and timestamps and (in the classic Kerberos phrasing) "loosely synchronized clocks" are the conventional way to prevent replay. It has not been taken to mean someone taking a message and sending it to a different recipient.

I think misdirection might be a better term, since it also covers the case where the message *only* goes to the wrong recipient. Particularly in a distributed system, wrong-recipient-B may have no way of knowing if proper-recipient-A ever saw the signature or not.

Misdirection hasn't been addressed very much. For example, while S/MIME and its predecessors originated in the early 90's (RFC 1847, RFC 2311, etc), it was only in June 2001 that Don Davis pointed out some problems; cf http://world.std.com/~dtd/sign_encrypt/summary.html

Encryption is the conventional way to prevent misdirection. If the message must remain in the clear, then it seems like an encrypted signature would be appropriate. Failing that, Chris's concerns about SOAP role (actor), and the preference to use WS-Addressing if available, seem right on the mark; "+1" as they say.

/r$

--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
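The receiver-side checks the message above describes, written as an added illustration that is not part of the original thread or of any WS-Security implementation: a timestamp window for loosely synchronized clocks, a nonce cache bounded by that window to catch replay, and the intended SOAP role bound into the signed data so that a misdirected message is rejected by wrong-recipient-B. HMAC-SHA256 over a JSON rendering stands in for an XML signature; the role URIs, field names and skew value are assumptions.

```python
import hmac
import hashlib
import json
import time

CLOCK_SKEW = 300.0  # seconds of tolerated clock drift (assumed value)


def _signed_bytes(body, created, nonce, to):
    # The intended recipient ("to") is part of the signed data, so a message
    # forwarded unchanged to a different role still carries A's name in it.
    fields = {"body": body, "created": created, "nonce": nonce, "to": to}
    return json.dumps(fields, sort_keys=True).encode()


def make_message(key, body, nonce, to, created):
    """Build a signed message; HMAC-SHA256 stands in for a WS-Security signature."""
    sig = hmac.new(key, _signed_bytes(body, created, nonce, to), hashlib.sha256).hexdigest()
    return {"body": body, "created": created, "nonce": nonce, "to": to, "sig": sig}


class Verifier:
    def __init__(self, my_role, key, now=time.time):
        self.my_role = my_role  # the SOAP role (actor) this receiver plays
        self.key = key
        self.now = now          # injectable clock, so the checks are testable
        self.seen = {}          # nonce -> time after which it may be forgotten

    def check(self, msg):
        now = self.now()
        # Nonces outside the skew window are rejected by the timestamp check
        # anyway, so the cache only needs to hold nonces still inside it.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        expected = hmac.new(self.key, _signed_bytes(msg["body"], msg["created"],
                            msg["nonce"], msg["to"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["sig"]):
            return "bad signature"
        if abs(now - msg["created"]) > CLOCK_SKEW:
            return "stale timestamp"   # outside the loosely synchronized window
        if msg["to"] != self.my_role:
            return "misdirected"       # valid signature, but addressed to another role
        if msg["nonce"] in self.seen:
            return "replay"            # same nonce already accepted in the window
        self.seen[msg["nonce"]] = msg["created"] + CLOCK_SKEW
        return "ok"
```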