Artifact d7fd2b5de2bedff2bde02953d39637ad5dc26a6f
Ticket change [d7fd2b5de2] - New ticket 02f9d037a4 Login-Cards may be susceptible by a replay attack. by anonymous on 2009-11-04 03:24:14.
D 2009-11-04T03:24:14
J comment When\sI\sread\sthe\sdocumentation\sof\sthe\sfossil\ssync\sprotocol,\sI\snoticed\sthat\sa\snonce\sis\sused\swhich\sis\sa\sfunction\sof\sthe\smessage\scontents\sonly.\r\n\r\nThis\smeans\san\sattacker\scan\srecord\seach\smessage\sand\sreplay\sit\sat\sany\stime.\r\n\r\nIt\sis\snot\sclear\sto\sme\sfrom\sthe\sdocumentation\swhether\sor\snot\sany\spossible\smessage\scontains\ssome\sunique\sinformation\sthat\swill\snever\sbe\srepeated\sin\sany\slater\smessages.\r\n\r\nIf\sthis\sis\sthe\scase,\sfeel\sfree\sto\sclose\sthis\sticket\sbut\splease\sclarify\sthe\sdocumentation\saccordingly.\r\n\r\nOtherwise,\sI\swould\sstrongly\ssuggest\sto\sadd\ssome\ssort\sof\stransaction\scounter\sto\sthe\shash\sfrom\swhich\sthe\snonce\swill\sbe\screated.\r\n\r\nA\ssimple\sincrementing\scounter\sshould\ssuffice,\sas\sthe\shash\sfunction\swill\stotally\sgarble\sthe\sbits\sanyway.\r\n\r\nHowever,\seven\sthen\sthe\squestion\sarises\swhen\sthe\scounter\sis\sinitialized\sand\swhere\sit\sis\sstored.\r\n\r\nFor\sthat\sreason,\sit\smight\sbe\sbetter\sif\sthe\sserver\screated\sa\s"session\sstring"\sat\sthe\sbeginning\sof\seach\ssync\ssession\sand\ssends\sit\sto\sthe\sclient.\r\n\r\nThis\sstring\scould\sconsist,\sfor\sinstance,\sof\sthe\scurrent\sdate\sand\stime\splus\sa\ssmall\srandom\snumber\sin\sorder\sto\sthwart\sscripted\sreplay\sattacks\swhich\smight\sexploit\sa\slow\sclock\sresolution\sof\sthe\sserver.\r\n\r\nThis\ssession\sstring\sis\sthen\saugmented\sby\san\sinteger\scounter\sthat\sstarts\sat\s0\sat\sthe\sbeginning\sof\seach\ssession.\r\n\r\nUsing\sthis\sor\sa\ssimilar\sscheme\swill\sguarantee\sthat\seach\scombination\sof\ssession\sstring\sand\smessage\scounter\swill\salways\sbe\sunique,\sand\san\sattacker\shas\sno\schance\sof\slaunching\sa\sreplay\sattack.
J foundin f57990b65a
J private_contact 481f3560ef506266e325518f83fffaf73b492a99
J severity Important
J status Open
J title Login-Cards\smay\sbe\ssusceptible\sby\sa\sreplay\sattack
J type Code_Defect
K 02f9d037a407bb37a188e5ff9139235aa3bfe276
U anonymous
Z bbe060ba8e06fa55852da0746907dbf9
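
The scheme the ticket proposes, as an added sketch that is not Fossil's code or part of the original ticket: a nonce derived from the message body alone verifies again on replay, while a nonce bound to a server-issued session string and a per-session counter does not. All names (`SessionServer`, `session_nonce`, `content_only_accept`), the shared secret, the message format and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
SECRET = b"constructed-shared-secret"  # constructed sample credential

def digest(*parts: bytes) -> str:
    # SHA-256 stands in for whatever hash the real protocol uses (assumption).
    return hashlib.sha256(b"\n".join(parts)).hexdigest()

def sign(nonce: str) -> str:
    return digest(nonce.encode(), SECRET)

def content_only_accept(body: bytes, nonce: str, sig: str) -> bool:
    # Reported concern: nonce depends on the body alone, so a recorded triple re-verifies.
    return nonce == digest(body) and hmac.compare_digest(sig, sign(nonce))

class SessionServer:
    """Nonce bound to a server-issued session string (time + random) and a counter."""
    def __init__(self):
        self.next_counter = {}  # session string -> next expected counter

    def open_session(self) -> str:
        session = f"{int(time.time())}-{secrets.token_hex(8)}"
        self.next_counter[session] = 0
        return session

    def accept(self, session, counter, body, nonce, sig) -> bool:
        if self.next_counter.get(session) != counter:
            return False  # unknown session or counter already consumed
        expected = session_nonce(session, counter, body)
        if nonce != expected or not hmac.compare_digest(sig, sign(nonce)):
            return False
        self.next_counter[session] += 1
        return True

def session_nonce(session: str, counter: int, body: bytes) -> str:
    return digest(session.encode(), str(counter).encode(), body)

def demo():
    body = b"constructed sync message"
    n = digest(body)
    weak = [content_only_accept(body, n, sign(n)) for _ in range(2)]
    srv = SessionServer()
    s1 = srv.open_session()
    n1 = session_nonce(s1, 0, body)
    first = srv.accept(s1, 0, body, n1, sign(n1))
    replay = srv.accept(s1, 0, body, n1, sign(n1))       # same session
    cross = srv.accept(srv.open_session(), 0, body, n1, sign(n1))  # later session
    return weak, first, replay, cross

if __name__ == "__main__":
    print(demo())
```

The server has to keep the per-session counter state for the check to mean anything, which is the storage question the ticket raises.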