Questions tagged [replay-detection]

33 questions
40
votes
3 answers

How does JTI prevent a JWT from being replayed?

According to the JWT RFC a JWT can optionally have a JTI which I interpret to be a unique ID for a JWT. It seems like a UUID is a good value for a JTI. The RFC claims that the JTI can be used to prevent the JWT from being replayed. Two…
ams
6
votes
2 answers

How to access Replay Protected Memory Block (RPMB) in eMMC?

RPMB is a special partition in eMMC 4.5. Internet research suggests that it is used for saving keys and is the only special partition that responds to commands like READ, WRITE, etc. Can anyone explain to me how to use RPMB and how it can actually…
Satya
5
votes
1 answer

SSO via HMAC and shared key. Can this be improved?

Given an authenticated user on A.com, we want to redirect the user to B.com so that she'll be immediately authenticated. The scheme I'm considering is very basic: A.com and B.com both share key S. On A.com, redirect the user to…
5
votes
1 answer

Preventing replay attacks with JWT

I am currently building a RESTful API that will be used for a web and mobile app. Authentication to the API will be done using JSON Web Tokens. When using JWT, we can use the exp claim to expire the token after a specific time. This, combined with…
BenM
5
votes
1 answer

HMAC password reset link and replay attacks

I like the look of this technique for sending password reset links: https://neosmart.net/blog/2015/using-hmac-signatures-to-avoid-database-writes/ (TLDR: don't store token in database. Send password reset link w email address, expiry time, and…
Neil McGuigan
4
votes
4 answers

Securing REST API without HTTPS

I'm developing a REST API but I am unable to use HTTPS without using self-signed certificates. I understand that that might be acceptable for some, but I don't want security messages popping up on client browsers. The information being passed on the…
Aaron D
4
votes
1 answer

Kerberos replay attack

Suppose I want to send a command to a print server on a network that has been secured with Kerberos. To do so, I authenticate myself to the KDC and get a TGT, and then another ticket from the TGS for the print server. I then authenticate myself to…
Nimyz
4
votes
3 answers

How do websites protect against 2fa replay attacks?

I'm imagining a scenario where an attacker can read traffic between a user and a server. The attacker grabs the user's password and the 2fa code they used. The attacker then logs in with that information before the 2fa code expires. How is this…
Daffy
4
votes
1 answer

What is a replay attack for OpenVPN

I'm trying to understand why I would have less security if I disable replay attack protection in the OpenVPN config. It's not really explained in the man page, only Don't use this option unless you are prepared to make a trade-off of greater…
vbezhenar
4
votes
3 answers

Why would a replay attack be considered a threat to integrity and not confidentiality?

I came across a test where the instructions were to circle all the correct answers. I'm looking for an explanation to the answer for this question: Question: a replay attack is a threat against Answers: 1) confidentiality 2) integrity 3)…
Celeritas
3
votes
1 answer

Challenge Response with a Tan Book?

I am trying to secure a connection between a Mobile Device (Client) using a webApp and a Home Device (Server) in a potentially unsafe Wifi Network. The communication is asynchronous and I am trying to prevent "replay attacks". I was thinking about…
Andresch Serj
3
votes
1 answer

When SSL detect a replay attack?

Suppose an attacker records all messages of an SSL handshake (RSA one-way), and starts a replay attack. When (after which message) can the server possibly detect the attack? Now suppose the attacker changes strategy, and sends the first three phases…
AlphaSnake
3
votes
2 answers

SSL Finished message contents

I'm a little bit confused about the contents of Finished Message used during Handshake Protocol. In particular, this message (clientside) contains the connection-id originally sent from the server and it also contains a hash value derived from all…
Spartacus
3
votes
1 answer

What extra protection is added to an REST API over HTTPS by the use of some kind of HMAC?

I'm designing a RESTful API that will always be used over HTTPS. What security advantages over the use of HTTP Basic Auth could be brought to my system by using such kind of message authentication codes? Example of HMAC could be this one of AWS.
user30395
3
votes
1 answer

Freshness Protection in BL and BLE

I recently found this document: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2.pdf , Guide to Bluetooth Security from NIST. Unfortunately, there is nothing described w.r.t. actual protection of the communication other than…
Marc