
Network Systems Security by Mort Anvari, Lecture 9


Replay Attacks
Network Systems Security

Mort Anvari


A Scenario of Replay Attack
• Alice authorizes a transfer of funds from her account to Bob’s account
• An eavesdropping adversary makes a copy of this message
• Adversary replays this message at some later time

9/23/2004



Replay Attacks
• Adversary takes past messages and plays them again
  ◦ whole or part of message
  ◦ to same or different receiver
• Encryption algorithms not enough to counter replay attacks




Freshness Identifiers
• Sender attaches a freshness identifier to message to help receiver determine whether message is fresh
• Three types of freshness identifiers
  ◦ nonces
  ◦ timestamps
  ◦ sequence numbers



Nonces
• A random number generated for a special occasion
• Need to be unpredictable and not used before
• Disadvantage is not suitable for sending a stream of messages
• Mostly used in challenge-response protocols



Timestamps
• Sender attaches an encrypted real-time timestamp to every message
• Receiver decrypts timestamp and compares it with current reading
  ◦ if difference is sufficiently small, accept message
  ◦ otherwise discard message
• Problem is synchronization between sender and receiver



Sequence Numbers
• Sender attaches a monotonically increasing counter value to every message
• Sender needs to remember last used number and receiver needs to remember largest received number



Operation of Sequence Numbers
• Sender increments sequence number by 1 after sending a message
• Receiver compares sequence number of received message with largest received number
  ◦ If larger than largest received number, accept message and update largest received number
  ◦ If less than largest received number, discard message



Problem with Sequence Numbers
• IPsec uses sequence number to counter replay attacks
• However reorder can occur in IP
• Messages with larger sequence number may arrive before messages with smaller sequence numbers
• When reordered messages with smaller sequence numbers arrive later, they will be discarded




Anti-Replay Window Protocol in IPsec
• Protect IPsec messages against replay attacks and counter the problem of reorder
• Sender puts a sequence number in every message
• Receiver uses a sliding window to keep track of the received sequence numbers



Anti-Replay Window

[Figure: sequence numbers 1, 2, 3, ••• with a window of w numbers from r-w+1 to the right edge r; legend: received before, not yet received, assumed received]

• w is window size
• r is right edge of window
• Assume s is sequence number of next received message
• Three cases to consider



Cases of Anti-Replay Window
• Case i: if s is smaller than sequence numbers in window, discard message s

[Figure: s lies to the left of the window of size w, which ends at right edge r]


Cases of Anti-Replay Window
• Case ii: s is in window
  ◦ if s has not been received yet, then deliver message s
  ◦ if s has been received, then discard message s

[Figure: two positions of s inside the window ending at right edge r, one marked (discard) and one marked (deliver)]


Cases of Anti-Replay Window
• Case iii: if s is larger than sequence numbers in window, then deliver message s and slide the window so that s becomes its new right edge

[Figure: window before shift, with right edge r and s to its right; window after shift]


Properties of Protocol
• Discrimination: receiver delivers at most one copy of every message sent by sender
• w-Delivery: receiver delivers at least one copy of each message that is neither lost nor suffered a reorder of degree w or more, where w is window size



Problem with Anti-Replay Window
• Receiver gets s, where s >> r
• Window shifts to right
• Many good messages that arrive later will be discarded

[Figure: window before shift, with right edge r; window after shift, with right edge s; the numbers in between are marked "discarded good msgs"]


Automatic Shift vs. Controlled Shift
• Automatic shift: window automatically shifts to the right to cover the newly received sequence number without any consideration of how far the newly received sequence number is ahead
• Controlled shift: if the newly received sequence number is far ahead, discard it without shifting window in the hope that those skipped sequence numbers may arrive later



Three Properties of Controlled Shift
• Adaptability
  ◦ receiver determines whether to sacrifice a newly received message according to the current characteristics of the environment
• Rationality
  ◦ receiver sacrifices only when messages that could be saved are more than messages that are sacrificed
• Sensibility
  ◦ receiver stops sacrificing if it senses that the messages it means to save are not likely to come




Additional Case with Controlled Shift
• Case iv: s is more than w positions to the right of window
  ◦ receiver estimates number of good messages it is going to lose if it shifts the window to s
  ◦ if the estimate is larger than d+1, where d is the counter of discarded messages, and d+1 is less than dmax, then receiver discards this message and increments d by 1
  ◦ otherwise, receiver delivers the message, shifts the window to the right, and resets d to 0
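
The four receiver cases (i to iii with automatic shift, plus case iv for controlled shift), written out as an added Python example that is not code from the lecture or from any IPsec implementation. The loss estimator, the convention that dmax=0 selects automatic shift, and the arrival sequence are assumptions constructed for illustration; the slides do not say how the receiver forms its estimate.

```python
class AntiReplayWindow:
    """Receiver-side window over sequence numbers r-w+1 .. r."""

    def __init__(self, w, dmax=0):
        self.w = w          # window size
        self.r = 0          # right edge; sequence numbers start at 1
        self.seen = set()   # numbers inside the window already received
        self.dmax = dmax    # 0 selects automatic shift (assumed convention)
        self.d = 0          # counter of discarded (sacrificed) messages

    def estimate_loss(self, s):
        # Assumed estimator, not from the slides: every number that would end
        # up left of the shifted window and is not yet received counts as a
        # good message in flight. All of self.seen is left of it if s > r+w.
        old_left = max(self.r - self.w + 1, 1)
        return (s - self.w) - old_left + 1 - len(self.seen)

    def receive(self, s):
        """Return True to deliver message s, False to discard it."""
        if s < max(self.r - self.w + 1, 1):
            return False                        # case i: left of window
        if s <= self.r:                         # case ii: inside window
            if s in self.seen:
                return False                    # already received: replay
            self.seen.add(s)
            return True                         # reordered but fresh
        if self.dmax and s > self.r + self.w:   # case iv: far ahead
            if self.estimate_loss(s) > self.d + 1 and self.d + 1 < self.dmax:
                self.d += 1
                return False                    # sacrifice s, keep window
            self.d = 0
        # case iii, or case iv chose to shift: s becomes the right edge
        self.r = s
        self.seen = {x for x in self.seen if x > s - self.w} | {s}
        return True


def run(window, arrivals):
    """Feed arrivals to the window and return the delivered numbers."""
    return [s for s in arrivals if window.receive(s)]


# Constructed arrival order: 5 overtakes 4, 2 and 1 are replayed, and the
# far-ahead 100, 101, 102 are interleaved with the in-order 6, 7, 8.
ARRIVALS = [1, 2, 3, 2, 5, 4, 1, 100, 6, 7, 8, 101, 102]

if __name__ == "__main__":
    print("automatic :", run(AntiReplayWindow(w=4), ARRIVALS))
    print("controlled:", run(AntiReplayWindow(w=4, dmax=3), ARRIVALS))
```

With w=4 the automatic receiver delivers 100 and then discards the good messages 6, 7, 8; the controlled receiver sacrifices 100 and 101, delivers 6, 7, 8, and shifts on 102 once d+1 reaches dmax.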



Another Problem with Anti-Replay Window
• Computer may reset due to transient fault
• If either sender or receiver is reset and restarts from 0, then synchronization on sequence numbers is lost




Scenario of Sender Reset
• If p is reset, unbounded number of fresh messages are discarded by q

[Figure: p and q both at seq# : 50; p is reset to seq# : 0 while q stays at seq# : 50; p's messages 0, 1, 2, 3, ••• 48, 49 are fresh yet discarded by q]


Scenario of Receiver Reset
• If q is reset, it can accept unbounded number of replayed messages

[Figure: p and q both at seq# : 50; q is reset to seq# : 0; messages 0, 1, 2, 3, ••• 48, 49 inserted by adversary are replayed yet accepted by q]


Overcome Reset Problems
• IPsec Working Group: if reset, the SA is deleted and a new one is established -- very expensive
• Our solution: periodically push current state of SA into persistent memory; if reset, restore state of SA from this memory



SAVE and FETCH
• When SAVE is executed, the last sequence number or right edge of window will be stored in persistent memory
• When FETCH is executed, the last stored sequence number or right edge of window will be loaded from persistent memory into memory




SAVE at Sender
• s is sequence number at p
• Every Kp messages, p executes SAVE(s) to store current s in persistent memory
• In spite of execution delay, SAVE(s) is guaranteed to complete before message numbered s+Kp is sent
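
The sender-reset scenario and the SAVE rule above, simulated as an added Python example (not code from the lecture). The receiver is the plain largest-received check from the sequence-number slides. The recovery step after FETCH, resuming at the stored value plus 2*Kp and storing that value before sending, is an assumption of this example: the guarantee on the slide means a SAVE may still be unfinished until just before message s+Kp goes out, so at most 2*Kp-1 numbers beyond the stored value can have been used.

```python
class Sender:
    """Sender p: volatile counter s, SAVE(s) every Kp messages."""

    def __init__(self, kp):
        self.kp = kp
        self.s = 0              # next sequence number (lost on reset)
        self.persistent = 0     # value last stored by a completed SAVE
        self.pending = None     # SAVE started but not yet completed

    def send(self):
        if self.s % self.kp == 0:
            # Slowest timing the slide allows: the previous SAVE completes
            # only now, just before message s (= previous + Kp) is sent.
            if self.pending is not None:
                self.persistent = self.pending
            self.pending = self.s           # start SAVE(s)
        self.s += 1
        return self.s - 1

    def reset(self, fetch):
        self.pending = None                 # an unfinished SAVE is lost
        if not fetch:
            self.s = 0                      # restart from 0, as in the scenario
            return
        # Assumed recovery rule (not on the slides): FETCH, leap 2*Kp, and
        # store the new value before sending anything.
        self.s = self.persistent = self.persistent + 2 * self.kp


class Receiver:
    """Receiver q: accept only numbers above the largest received one."""

    def __init__(self):
        self.largest = -1

    def receive(self, s):
        if s > self.largest:
            self.largest = s
            return True
        return False


def accepted_after_reset(fetch, kp=10, before=50, after=5):
    """Send `before` messages, reset p, send `after`; return those q accepts."""
    p, q = Sender(kp), Receiver()
    for _ in range(before):
        q.receive(p.send())
    p.reset(fetch)
    return [s for s in (p.send() for _ in range(after)) if q.receive(s)]
```

Restarting from 0 after 50 messages gets every new message discarded by q, while the fetch-and-leap restart resumes at 50 even though the stored value is only 30.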
