
Re: replay attacks



dawagner@phoenix.Princeton.EDU wrote:
> > Using e.g. keyed MD5 or whatever one could place a time stamp with sufficient
> > granularity into the 'key' part of the authenticated data. So the MAC would
> > only be correct if the receiver gets it in the same time-frame.
> 
> A design decision to use timestamps would have some annoying consequences:
> 
> * the sender & receiver must synchronize their clocks
> * all clock code (e.g. NTP) becomes security-critical

This is a severe drawback. You are right. Is there another way to achieve
reliable sequencing, if you do not use an initial negotiation between the
two machines supposed to interact? (If you use initial negotiation you can
design a protocol where the two machines exchange the 'delta' of their
clocks in an untamperable way - but I guess that is not what we want.)

> * attackers can still replay within the allowed time window
> * the time window must be at least the MSL (~ 2 minutes)

The time window can be chosen rather large, if you combine the timestamp
with the sequence number approach. (see my reply to O'Malley's mail) But then
again you could not place the sequence number into the 'key' part of the MAC, 
otherwise the receiver would have to guess it.

Germano
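
An added example, not part of the original message: a receiver that combines the two ideas discussed in this thread, with the timestamp bucket mixed into the MAC key and the sequence number sent in clear as authenticated data. HMAC-SHA256 stands in for keyed MD5; the 120-second window is the MSL figure quoted above; all names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 120  # seconds per timestamp bucket (assumption: the ~2 minute MSL)

def _mac(secret, bucket, seq, payload):
    # Timestamp bucket is part of the key, so it is never transmitted.
    # The sequence number is transmitted in clear and covered by the MAC.
    key = secret + struct.pack(">q", bucket)
    return hmac.new(key, struct.pack(">Q", seq) + payload, hashlib.sha256).digest()

def seal(secret, now, seq, payload):
    """Sender side: returns (seq, payload, tag) for the wire."""
    return seq, payload, _mac(secret, int(now) // WINDOW, seq, payload)

class Receiver:
    def __init__(self, secret):
        self.secret = secret
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, now, seq, payload, tag):
        bucket = int(now) // WINDOW
        # The sender's clock may fall in a neighbouring bucket, so the
        # receiver tries three keys instead of guessing an exact timestamp.
        fresh = any(
            hmac.compare_digest(tag, _mac(self.secret, b, seq, payload))
            for b in (bucket - 1, bucket, bucket + 1)
        )
        if not fresh:
            return "stale-or-forged"
        # Replays inside the time window still carry a valid MAC; the
        # sequence check is what rejects them. Strictly increasing order
        # is a simplification that also drops reordered packets.
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        return "ok"

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    rx = Receiver(secret)
    msg = seal(secret, 1_000_000, 1, b"hello")
    print(rx.accept(1_000_010, *msg))  # first delivery
    print(rx.accept(1_000_020, *msg))  # same packet replayed in the window
```
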