A replay attack is a cryptanalytic attack on the authenticity of data in a communication protocol. The attacker sends previously recorded data, for example to assume another party’s identity.
Suppose Alice wants to prove her identity to Bob. They both know Alice’s secret password. Alice calculates the hash value of her password using a cryptographic hash function and sends it to Bob. Bob compares the hash value with his own calculation and accepts. Meanwhile, Mallory eavesdrops on the communication and records the hash value sent by Alice. After the communication ends, Mallory connects to Bob, pretends to be Alice, and sends the recorded hash value (replay). Mallory successfully impersonates Alice, even though she doesn’t know the password.
The Needham-Schroeder protocol in its original form is vulnerable to a replay attack.

Countermeasures
One way to prevent replay attacks is to use a nonce: in addition to the password, Alice includes a random number that is used only once (the nonce) in the hash value calculation. Alice tells Bob the nonce in plain text so that Bob can repeat the hash value calculation. Bob remembers each nonce he receives and discards messages that contain a nonce that has already been used. However, this method is impractical, as Alice and Bob have to permanently store the nonces used.
A timestamp can be used instead of a nonce. The advantage of a timestamp is that the receiver can tell whether it is outdated, and therefore invalid, without having to remember old values. However, there must always be a validity period to tolerate transmission delays and clock offset. During the validity period, the procedure remains susceptible to replay attacks.
A modified variant is challenge-response authentication: here Bob sends the nonce to Alice in plain text (challenge). Alice transforms the password together with the nonce into a hash value and sends the result back to Bob (response). Bob, in turn, performs the same transformation and compares his result to Alice’s: if both match, Bob accepts Alice’s identity. When Mallory now tries to reuse an intercepted hash value, Bob sends a different nonce, so the intercepted hash value is invalid (it was generated with a different nonce). Bob rejects it because his result and the delivered (outdated) hash value don’t match.
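The exchange described above, as an added example that is not part of the original page: Bob is modelled as a verifier that accepts both the static password hash from the opening example and a challenge-response, so the effect of replaying a recorded value can be compared. The names (Bob class, response, run_demo), the constructed password, the 16-byte nonce and the use of HMAC-SHA256 as the transformation of password and nonce are assumptions of this example.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"correct horse battery staple"  # constructed shared secret

def static_proof(password: bytes) -> bytes:
    """Scheme from the opening example: a bare hash of the password."""
    return hashlib.sha256(password).digest()

def response(password: bytes, nonce: bytes) -> bytes:
    """Alice's response to Bob's nonce (HMAC-SHA256 is an assumption here)."""
    return hmac.new(password, nonce, hashlib.sha256).digest()

class Bob:
    """Verifier that issues one fresh challenge per login attempt."""
    def __init__(self, password: bytes):
        self._password = password
        self._pending = None  # outstanding challenge, if any

    def accept_static(self, proof: bytes) -> bool:
        return hmac.compare_digest(proof, static_proof(self._password))

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def accept_response(self, resp: bytes) -> bool:
        nonce, self._pending = self._pending, None  # a challenge is valid once
        if nonce is None:
            return False
        return hmac.compare_digest(resp, response(self._password, nonce))

def run_demo() -> dict:
    bob = Bob(PASSWORD)
    # Static hash: the value Mallory recorded is accepted a second time.
    recorded_static = static_proof(PASSWORD)
    static_first = bob.accept_static(recorded_static)
    static_replay = bob.accept_static(recorded_static)
    # Challenge-response: Alice answers the nonce Bob issued for this session.
    recorded_resp = response(PASSWORD, bob.challenge())
    cr_first = bob.accept_response(recorded_resp)
    bob.challenge()  # new session: Bob issues a different nonce
    cr_replay = bob.accept_response(recorded_resp)
    return {"static_first": static_first, "static_replay": static_replay,
            "cr_first": cr_first, "cr_replay": cr_replay}

if __name__ == "__main__":
    print(run_demo())
```

Because Bob clears the pending challenge after every attempt, a response is also rejected when no challenge is outstanding, so he never has to store old nonces.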
To protect continuous data transmission across multiple data packets, a sequence number can be used, whose authenticity is in turn ensured by a message authentication code (MAC). In IPsec, for example, this is provided for both the Authentication Header and the Encapsulating Security Payload. Depending on the operating mode, data transmission encrypted with a block cipher can also provide protection against replay attacks.
One-time passwords, i.e. passwords that are only valid for a short time and then change, are another preventive measure.