Skip to main content

Avoid object reutilization

Requirement#

The system must guarantee that objects (session id, cookies, etc.) used in the authentication process cannot be reused (replay resistance).

Description#

In a system, it is necessary to prevent transmitted information from being reused by an attacker to impersonate an authorized user or server responses. Therefore, it is essential to verify the communications between the users and the system, thus avoiding a replay of any request that could affect the confidentiality, integrity and/or availability of the system.

Implementation#

In order to prevent this type of impersonation, there are several options to consider depending on the context and implementation method. Some good practices to avoid data reutilization are listed below:

  1. Cryptographic nonce: It consists of numbers that expire after their first use or after a small lapse of time, and through which the authenticity of a message can be verified. They are often randomized and used in authentication protocols to ensure that past communications cannot be reused.

  2. Timestamping: In order to implement this method, there must be a clock synchronization between the client and the server. The server will only accept messages with a date and time within a defined tolerance range. Thus, it minimizes the risk of potential attacks by significantly limiting the time windows for exploitation.

  3. Session Token: In this method, the server sends a token code which is used by the client to transform a key (e.g., applying hash functions to the key and token combination) before sending it again to the server as part of the authentication process. The server then processes this value, compares it with the initial token, and rejects the request if they do not match. Thus, an attacker cannot perform replay attacks because the token sent by the server will be different (token generation must be random).

  4. Session Time-out: Session objects are invalidated when the user terminates a session or when the user surpasses a certain time limit without posting new requests.

Attacks#

  1. Session hijacking
  2. Identity impersonation
  3. Man in the middle (MitM)
  4. Replay attack

Attributes#

  • Layer: Application layer
  • Asset: Session management
  • Scope: Authenticity
  • Phase: Construction
  • Type of control: Recommendation

References#