preventing the replay attack in the protocols
when you are designing a protocol over an insecure channel, some security features, like signature etc, would add to make it difficult for people to attack, however, when it is over an insecure channel, unauthorized parties can still sniff through the network and resue the request as will. this is known as the replay attack, as long as your secret (may be password, algorithms etc.) is still unknown to the unauthorized parties, your content is still safe, however, if the request is somehow part of the protocol, you are still put yourself at risk.
in order to prevent the "replay attack", the easiest way is to use the "one-time" token in the protocols, for every request, the "one time" token is examined and the server end makes sure that the tokens do not recieved before, however, if you are going to design the internet application, the cost is hugh as the server is requires to save all the tokens to check. in order to leverage this situation, timestamp can be introduced to expire the token with the trade off of exposing to the replay attack within a period of time, depending on how frequent the tokens being expired.
disclaimer: this is not the comprehensive design of the secure protocol, it is simply a blog article in describing security topic.
an open question – how to design a secure protocol with untrusted client?
interesting question in the internet world! can you think of an example in your daily work if you are a developer.
我的朋友
flickr 圖片
|
分類
頁面
- experimental projects
- hong kong official translation for internet
- hong kong official translation for lightword theme in wordpress (香港中文版)
- hong kong official translation for wordpress (香港中文版)
日曆
標籤
額外資訊
ha.ckers.org
- The Effect of Snakeoil Security 2010年9月4日
- Browser Detection Autopwn, etc… 2010年9月4日
techcrunch
- As It Moves Away From The Wikis, Wetpaint Launches TV News And Entertainment Site 2010年9月6日
- Rollover Minutes: How Adam Penenberg Has Legitimised New, New, New Journalism. Again. 2010年9月6日
张化桥的BLOG
touch aracde
- Labor Day Weekend Sales Extravaganza
- Video of Cyan's Upcoming 'Stoneship: The Curse of a Thousand Islands'
inside socialgames
- This Week’s Headlines on Inside Facebook 2010年9月5日
- Thanks To Our Sponsors 2010年9月4日
h security
- The H Week - Tablets, Ubuntu 10.10, Chrome 6, & QuickTime vulnerabilities 2010年9月4日
- Microsoft hardening tool with graphical user interface 2010年9月3日
metasploit
- Better, Faster, Stronger: DLLHijackAuditKit v2 2010年8月25日
- Exploiting DLL Hijacking Flaws 2010年8月23日
gnucitizen
- ColdFusion directory traversal FAQ (CVE-2010-2861) 2010年8月13日
- 1ST European Edition of HITB Coming Up! 2010年6月24日
security shell
- ZAP - Zed Attack Proxy v1.0 2010年9月4日
- Cross Site Request Forgery (CSRF) PoC Template 2010年9月3日
offensive security
- Metasploit Unleashed – Updates 2010年8月26日
- Microsoft DLL Hijacking Exploit in Action 2010年8月24日
zero day
- Barbers and security professionals 2010年9月2日
- Google Chrome celebrates 2nd birthday with security patches 2010年9月2日
mashable
- Disgraced HP CEO Mark Hurd Might Work for Oracle 2010年9月5日
- Should You Search Social Media Sites for Job Candidate Information? 2010年9月5日
inside facebook
- This Week’s Headlines on Inside Social Games 2010年9月5日
- Thanks to Our Sponsors 2010年9月4日
virtual goods news
facebook developer blog
- Facebook Developer Garage with Girls in Tech 2010年8月31日
- Social From the Ground Up 2010年8月26日
code project
- Using Alerts in Android 2010年9月5日
- MultiColumnTree 2010年9月5日
code guru
- Microsoft's Newest Obstacle: The Mobile Video Game War Begins 2010年9月3日
- Binding Data to Silverlight 4.0 Controls Using ASP.NET MVC Framework 2.0 2010年9月3日
stack overflow
- How to merge array using PHP? 2010年9月6日
- How do you programmatically get through a firewall to a SOAP server from a remote client? 2010年9月6日
我的最愛
                  |
