Replay Attacks
Network Systems Security
Mort Anvari
A Scenario of Replay Attack
Alice authorizes a transfer of funds from her account to Bob’s account
An eavesdropping adversary makes a copy of this message
Adversary replays this message at some later time
9/23/2004
Replay Attacks
Adversary takes past messages and plays them again
whole or part of message
to same or different receiver
Encryption algorithms not enough to counter replay attacks
Freshness Identifiers
Sender attaches a freshness identifier to message to help receiver determine whether message is fresh
Three types of freshness identifiers
nonces
timestamps
sequence numbers
Nonces
A random number generated for a special occasion
Need to be unpredictable and not used before
Disadvantage: not suitable for sending a stream of messages
Mostly used in challenge-response protocols
Timestamps
Sender attaches an encrypted real-time timestamp to every message
Receiver decrypts timestamp and compares it with current reading
if difference is sufficiently small, accept message
otherwise discard message
Problem is synchronization between sender and receiver
Sequence Numbers
Sender attaches a monotonically increasing counter value to every message
Sender needs to remember last used number and receiver needs to remember largest received number
Operation of Sequence Numbers
Sender increments sequence number by 1 after sending a message
Receiver compares sequence number of received message with largest received number
If larger than largest received number, accept message and update largest received number
If less than largest received number, discard message
Problem with Sequence Numbers
IPsec uses sequence numbers to counter replay attacks
However, reordering can occur in IP
Messages with larger sequence numbers may arrive before messages with smaller sequence numbers
When reordered messages with smaller sequence numbers arrive later, they will be discarded
Anti-Replay Window Protocol in IPsec
Protect IPsec messages against replay attacks and counter the problem of reorder
Sender puts a sequence number in every message
Receiver uses a sliding window to keep track of the received sequence numbers
Anti-Replay Window
[Figure: sequence numbers 1, 2, 3, ... on a line, with a window of size w spanning r-w+1 to right edge r; labels: "received before", "assumed received", "not yet received"]
w is window size
r is right edge of window
Assume s is sequence number of next received message
Three cases to consider
Cases of Anti-Replay Window
Case i: if s is smaller than sequence numbers in window, discard message s
[Figure: s lies to the left of the window of size w with right edge r]
Cases of Anti-Replay Window
Case ii: s is in window
if s has not been received yet, then deliver message s
if s has been received, then discard message s
[Figure: window of size w with right edge r; one s inside the window is marked (discard) and another is marked (deliver)]
Cases of Anti-Replay Window
Case iii: if s is larger than sequence numbers in window, then deliver message s and slide the window so that s becomes its new right edge
[Figure: window before shift (size w, right edge r) and window after shift (size w, right edge s)]
Properties of Protocol
Discrimination:
receiver delivers at most one copy of every message sent by sender
w-Delivery:
receiver delivers at least one copy of each message that is neither lost nor suffered a reorder of degree w or more, where w is window size
Problem with Anti-Replay Window
Receiver gets s, where s >> r
Window shifts to right
Many good messages that arrive later will be discarded
[Figure: window before shift (size w, right edge r) and window after shift (size w, right edge s), with a region labeled "discarded good msgs"]
Automatic Shift vs. Controlled Shift
Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead
Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later
Three Properties of Controlled Shift
Adaptability
receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment
Rationality
receiver sacrifices only when messages that could be saved are more than messages that are sacrificed
Sensibility
receiver stops sacrificing if it senses that the messages it means to save are not likely to come
Additional Case with Controlled Shift
Case iv: s is more than w positions to the right of window
receiver estimates number of good messages it is going to lose if it shifts the window to s
if the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by 1
otherwise, receiver delivers the message, shifts the window to the right, and resets d to 0
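Added example (not from the original slides): a receiver that implements cases i-iv with a bitmask window, run in automatic-shift and controlled-shift mode on the same constructed arrival order. The class and function names and the default estimator (s - r - w) are assumptions; the slides do not define how the receiver estimates the messages it would lose.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay window (cases i-iv of the slides)."""

    def __init__(self, w, dmax=None, estimate=None):
        self.w = w          # window size
        self.r = 0          # right edge of window
        self.seen = 0       # bitmask: bit k set <=> number r-k was received
        self.d = 0          # counter of discarded (sacrificed) messages
        self.dmax = dmax    # None selects automatic shift
        # ASSUMPTION: the slides do not define the estimator; this default
        # counts the skipped numbers left outside the shifted window.
        self.estimate = estimate or (lambda s, r, w: s - r - w)

    def receive(self, s):
        """Return True to deliver message s, False to discard it."""
        if s <= self.r - self.w:                  # case i: left of window
            return False
        if s <= self.r:                           # case ii: inside window
            bit = 1 << (self.r - s)
            if self.seen & bit:
                return False                      # received before: replay
            self.seen |= bit
            return True
        if self.dmax is not None and s > self.r + self.w:    # case iv
            lost = self.estimate(s, self.r, self.w)
            if lost > self.d + 1 and self.d + 1 < self.dmax:
                self.d += 1                       # sacrifice s, keep window
                return False
            self.d = 0
        shift = s - self.r                        # case iii: slide to s
        full = (1 << self.w) - 1
        self.seen = 1 if shift >= self.w else ((self.seen << shift) | 1) & full
        self.r = s
        return True


def run(window, seqs):
    """Feed constructed sequence numbers; return deliver/discard decisions."""
    return [window.receive(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: replay of 2, reorder of 4, a jump to 100.
    arrivals = [1, 2, 3, 2, 5, 4, 4, 100, 6]
    print("automatic: ", run(AntiReplayWindow(w=4), arrivals))
    print("controlled:", run(AntiReplayWindow(w=4, dmax=3), arrivals))
```

With automatic shift the jump to 100 is delivered and the later good message 6 is discarded; with controlled shift 100 is sacrificed and 6 is delivered.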
Another Problem with Anti-Replay Window
Computer may reset due to transient fault
If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost
Scenario of Sender Reset
If p is reset, unbounded number of fresh messages are discarded by q
[Figure: p and q both at seq# 50; p is reset to seq# 0 and then sends messages numbered 0, 1, 2, 3, ..., 48, 49, which are fresh yet discarded by q]
Scenario of Receiver Reset
If q is reset, it can accept unbounded number of replayed messages inserted by adversary
[Figure: p and q both at seq# 50; q is reset to seq# 0, and messages numbered 0, 1, 2, 3, ..., 48, 49 are replayed yet accepted by q]
Overcome Reset Problems
IPsec Working Group: if reset, the SA is deleted and a new one is established -- very expensive
Our solution: periodically push current state of SA into persistent memory; if reset, restore state of SA from this memory
SAVE and FETCH
When SAVE is executed, the last sequence number or right edge of window will be stored in persistent memory
When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory
SAVE at Sender
s is sequence number at p
Every Kp messages, p executes SAVE(s) to store current s in persistent memory
In spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+Kp is sent