[cryptography] design and implementation of "replay prevention windows"

coderman coderman at gmail.com
Wed Oct 30 21:07:16 EDT 2013

On Thu, Sep 26, 2013 at 4:05 PM, coderman <coderman at gmail.com> wrote:
> i'm looking for information on the design and implementation of replay
> windows in various protocols.

oddly enough, this is a surprisingly obtuse subject.  it is constrained by:
- the encryption and authentication primitives in use
- identity and session management concerns. (e.g. key agreement)
- and of course, run time resource constraints (memory, CPU, bandwidth, etc.)

Syverson's Replay Attack Taxonomy[0] (abridged):
- Run external attacks (one run of protocol to attack subsequent runs)
- Run internal attacks (using one part of protocol to attack itself in same run)
- Classic replay (no contemporaneous or repeated runs needed)
- Interleaving attacks (using concurrent runs of a protocol against
other runs of the same protocol)

provides a foundation for discussing replay attack prevention.

so far i've only come across one good reference design and
implementation of a replay window:
"RFC 4302 - IP Authentication Header - Appendix B: Extended (64-bit)
Sequence Numbers"

and encountered a number of other options for replay prevention in the
context of key agreement or transport privacy:
- time stamping messages
- sequence numbering messages
- type tagging messages
- identity tagging messages (reflection prevention)
- ensuring full information priciple when using hash functions
- generating session keys without mutual trust
- triple passwords (kerberos)

additional resources invited; the journey continues...

0. "A taxonomy of replay attacks [cryptographic protocols]"

More information about the cryptography mailing list