design and implementation of "replay prevention windows"
- To: Discussion of cryptography and related <[email protected]>, cpunks <[email protected]>
- Subject: design and implementation of "replay prevention windows"
- From: [email protected] (coderman)
- Date: Wed, 30 Oct 2013 18:07:16 -0700
- In-reply-to: <CAJVRA1RNz8z-MmHhLLU7Xb9MRB875e=whsNDAgCYS=PP3YT3sQ@mail.gmail.com>
- References: <CAJVRA1RNz8z-MmHhLLU7Xb9MRB875e=whsNDAgCYS=PP3YT3sQ@mail.gmail.com>
On Thu, Sep 26, 2013 at 4:05 PM, coderman <[email protected]> wrote:
> i'm looking for information on the design and implementation of replay
> windows in various protocols.

oddly enough, this is a surprisingly obtuse subject. it is constrained by:
- the encryption and authentication primitives in use
- identity and session management concerns. (e.g. key agreement)
- and of course, run time resource constraints (memory, CPU, bandwidth, etc.)

Syverson's Replay Attack Taxonomy[0] (abridged):
- Run external attacks (one run of protocol to attack subsequent runs)
- Run internal attacks (using one part of protocol to attack itself in same run)
- Classic replay (no contemporaneous or repeated runs needed)
- Interleaving attacks (using concurrent runs of a protocol against
other runs of the same protocol)
provides a foundation for discussing replay attack prevention.

so far i've only come across one good reference design and
implementation of a replay window:
"RFC 4302 - IP Authentication Header - Appendix B: Extended (64-bit)
Sequence Numbers"
http://tools.ietf.org/html/rfc4302#page-28

and encountered a number of other options for replay prevention in the
context of key agreement or transport privacy:
- time stamping messages
- sequence numbering messages
- type tagging messages
- identity tagging messages (reflection prevention)
- ensuring full information principle when using hash functions
- generating session keys without mutual trust
- triple passwords (kerberos)

additional resources invited; the journey continues...

0. "A taxonomy of replay attacks [cryptographic protocols]"
http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA463948
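
Added example (not part of the post above, and not code from the RFC): a minimal receiver-side sliding replay window of the kind RFC 4302 describes, using plain 32-bit sequence numbers and a 64-entry bitmap rather than the extended 64-bit sequence numbers of Appendix B. The struct name, function names and arrival sequence are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 64u

/* Receiver state for one session/key. Start with {0, 0}; the first valid
 * sequence number is 1. Assumption: the sender rekeys before the 32-bit
 * counter cycles, so wraparound is not handled here. */
typedef struct {
    uint32_t top;    /* highest sequence number accepted so far */
    uint64_t bitmap; /* bit i set => sequence number (top - i) was accepted */
} replay_window;

/* True if seq is neither a duplicate nor older than the window. No state change. */
bool replay_check(const replay_window *w, uint32_t seq) {
    if (seq == 0) return false;
    if (seq > w->top) return true;               /* ahead of the window */
    uint32_t offset = w->top - seq;
    if (offset >= WINDOW_BITS) return false;     /* too old to track: reject */
    return (w->bitmap & (1ULL << offset)) == 0;  /* reject if already seen */
}

/* Record seq. Call only after replay_check() passed AND the message's
 * MAC/ICV verified, so forged packets cannot advance the window. */
void replay_update(replay_window *w, uint32_t seq) {
    if (seq > w->top) {
        uint32_t shift = seq - w->top;
        w->bitmap = (shift >= WINDOW_BITS) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1ULL;
        w->top = seq;
    } else {
        w->bitmap |= 1ULL << (w->top - seq);
    }
}

int main(void) {
    /* Constructed arrival order: reordering, two replays, one stale packet. */
    const uint32_t arrivals[] = {1, 2, 5, 3, 5, 2, 100, 36, 37};
    replay_window w = {0, 0};
    for (size_t i = 0; i < sizeof arrivals / sizeof arrivals[0]; i++) {
        bool ok = replay_check(&w, arrivals[i]);
        if (ok) replay_update(&w, arrivals[i]); /* MAC assumed valid here */
        printf("seq %3u: %s\n", (unsigned)arrivals[i], ok ? "accept" : "reject");
    }
    return 0;
}
```

Splitting check from update lets the receiver drop obvious replays before doing the MAC work, while committing window state only for authenticated messages.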