December 19, 2013

3.2.4 Replay

In a replay attack, an attacker captures network traffic and then replays (or retransmits) the captured traffic at a later time, in order to gain unauthorized access to a system.

This type of attack may succeed in spite of encryption: even if the messages are encrypted and the attacker does not know the actual keys and passwords, retransmitting valid logon messages may be enough to gain access to the network. This is the reason most certificates contain unique session identifiers and time stamps.

Packet sequencing, time stamps, digital signatures and session tokens (or hashes) are countermeasures used against replay attacks:
  • Packet sequencing ensures that any packet received that is not in the proper order is dropped.
  • Time stamps ensure that any packet received outside a specified time window is dropped.
  • A session token is a one-time token or hash used to computationally transform a message such that it cannot be duplicated without being detected.

A replay attack is a type of "man-in-the-middle attack", as it involves surreptitiously intercepting traffic between two parties. A replay attack can be prevented using strong digital signatures that include time stamps, together with unique information from the previous transaction, such as the value of a constantly incremented packet sequence number.
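As an added illustration (not code from the original post), the following Python sketch combines three of the countermeasures above: a monotonically increasing sequence number, a time-stamp window and an HMAC tag over the message. A receiver checks all three and rejects a replayed, stale or tampered message. The shared key, the 30-second window and the JSON message layout are assumptions made for this example.

```python
import hmac, hashlib, json

# Constructed values for the example: a pre-shared key and an accepted clock skew.
KEY = b"example-shared-secret"
WINDOW_SECONDS = 30

def _tag(key, seq, ts, payload):
    """HMAC-SHA256 over a canonical encoding of seq, timestamp and payload."""
    body = json.dumps({"seq": seq, "ts": ts, "payload": payload}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def sign(seq, ts, payload, key=KEY):
    """Sender side: attach sequence number, time stamp and tag to a message."""
    return {"seq": seq, "ts": ts, "payload": payload,
            "tag": _tag(key, seq, ts, payload)}

class Receiver:
    """Receiver side: drops replayed, out-of-order, stale or forged messages."""
    def __init__(self, key=KEY, window=WINDOW_SECONDS):
        self.key, self.window = key, window
        self.last_seq = 0          # highest sequence number accepted so far

    def accept(self, msg, now):
        """Return (accepted, reason); 'now' is the receiver's clock in seconds."""
        expected = _tag(self.key, msg["seq"], msg["ts"], msg["payload"])
        # Signature first: nothing else in the message is trusted until it checks out.
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return False, "bad signature"
        if abs(now - msg["ts"]) > self.window:        # time-stamp window
            return False, "stale timestamp"
        if msg["seq"] <= self.last_seq:                # packet sequencing
            return False, "replayed or out-of-order sequence"
        self.last_seq = msg["seq"]
        return True, "ok"

def demo():
    """Walk through a legitimate message, its replay, a stale copy and a forgery."""
    rx, t0 = Receiver(), 1_700_000_000
    m1 = sign(1, t0, "order item 42")
    results = [rx.accept(m1, t0 + 1)[1]]           # fresh message: accepted
    results.append(rx.accept(m1, t0 + 2)[1])        # same message again: replay
    m2 = sign(2, t0, "order item 42")
    results.append(rx.accept(m2, t0 + 120)[1])      # valid tag, but outside window
    forged = dict(m2, payload="order item 43")      # payload changed, tag stale
    results.append(rx.accept(forged, t0 + 3)[1])
    results.append(rx.accept(m2, t0 + 3)[1])        # genuine next message
    return results
```

Sequence-number state must be persisted per peer, otherwise a restart of the receiver resets `last_seq` and reopens the replay window.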

A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.

The motives for deploying a replay attack include gaining access to resources by replaying an authentication message, or, as part of a denial-of-service attack, tying up resources in a target host.