This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.



How can replay attacks be harmful?

When sensitive information is exchanged or critical transactions are performed over the network, the communication must be secured. The general requirements of secure message exchange are authentication, integrity, confidentiality and non-repudiation, and they can be met with transport-level security or with message-level mechanisms such as security tokens, signatures and encryption. Even so, a message secured in this way can be captured on the wire and sent again, repeatedly, to the same endpoint: the signature still verifies and the ciphertext still decrypts, so the endpoint processes the message again each time and severe damage can result, unless there is a mechanism to verify that the message is fresh and has not been processed before.

For example:

  • A user logs into an online banking application and performs a transaction.
  • An attacker captures the messages exchanged during the process.
  • The attacker resends the captured sequence of messages (the login step, or the transaction itself) to log in as the user and move money out of the account, without ever having to break the signature or encryption.

Timestamp in WS-Security

Because of replay attacks, it is important to validate the freshness of a message before performing the operation it invokes. This validation can be done in the business logic or, more generically, in the security processing layer of the platform. If your SOAP message processing engine supports WS-Security for message-level security, the Timestamp element defined there is the means to verify that a message is still valid in terms of time.

What is WS-Security?

WS-Security is a specification that defines a framework for embedding security-related information, as produced by mechanisms such as XML Signature and XML Encryption, in a SOAP message.

The Timestamp element lets the sender state when the security semantics of the message were created and when they expire. The recipient compares these values with its own clock and rejects messages that have expired or are not yet valid, which mitigates replay attacks. For the check to mean anything, the Timestamp must be covered by the message signature (otherwise an attacker simply rewrites it), and because a captured message can still be replayed inside its validity window, a receiver normally also keeps a short-lived cache of the messages it has already accepted.

The Timestamp element has the following structure:

<wsu:Timestamp wsu:Id="...">
    <wsu:Created ValueType="...">...</wsu:Created>
    <wsu:Expires ValueType="...">...</wsu:Expires>
    ...
</wsu:Timestamp>
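The following receiver-side freshness check is an added example and is not WSO2 or WS-Security reference code. It shows the validation described above: the Created and Expires values are parsed out of the Security header, compared with the receiver's clock allowing a fixed skew, bounded to a maximum window, and then looked up in a replay cache so that a message cannot be accepted twice inside its window. The SOAP envelopes are constructed sample input, the helper names (check_timestamp, parse_utc, envelope) and the limits MAX_SKEW and MAX_TTL are assumptions of this example, and signature verification covering the Timestamp is assumed to have run before this check.

```python
"""Freshness check for a WS-Security Timestamp (added example, not WSO2 code).

Parses <wsu:Timestamp> out of a SOAP envelope's Security header and rejects
messages that are expired, not yet valid, open-ended, or already seen.
Verifying that the signature covers the Timestamp is assumed to happen
before this check; the envelopes built by envelope() are constructed input.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

MAX_SKEW = timedelta(seconds=60)   # tolerated clock drift between sender and receiver (assumed)
MAX_TTL = timedelta(minutes=5)     # longest Created-to-Expires window the receiver accepts (assumed)


def parse_utc(text):
    """Parse an xsd:dateTime; WS-Security expects UTC, so naive values are rejected."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError("timestamp without timezone")
    return value.astimezone(timezone.utc)


def check_timestamp(envelope_xml, now, seen):
    """Return 'accepted' or 'rejected: <reason>'. `seen` is the receiver's replay cache (a set)."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    ts = security.find(f"{{{WSU}}}Timestamp") if security is not None else None
    if ts is None:
        return "rejected: no Timestamp"   # a message with no stated time is never fresh
    created_el = ts.find(f"{{{WSU}}}Created")
    expires_el = ts.find(f"{{{WSU}}}Expires")
    if created_el is None or not created_el.text:
        return "rejected: no Created"
    try:
        created = parse_utc(created_el.text.strip())
        expires = None
        if expires_el is not None and expires_el.text:
            expires = parse_utc(expires_el.text.strip())
    except ValueError as exc:
        return f"rejected: bad dateTime ({exc})"
    if expires is None:
        expires = created + MAX_TTL       # Expires is optional; never accept an open-ended window
    if expires <= created:
        return "rejected: Expires not after Created"
    if expires - created > MAX_TTL:
        return "rejected: validity window too long"
    if created > now + MAX_SKEW:
        return "rejected: Created is in the future"
    if now > expires + MAX_SKEW:
        return "rejected: expired"
    # Freshness alone still lets an attacker replay inside the window, so the
    # receiver also remembers what it accepted. Hashing the whole Security
    # header ties the cache entry to the Timestamp and the signature value.
    key = hashlib.sha256(ET.tostring(security)).hexdigest()
    if key in seen:
        return "rejected: replay"
    seen.add(key)
    return "accepted"


def envelope(created, expires):
    """Constructed sample SOAP message carrying a Timestamp (no real signature)."""
    exp = f"<wsu:Expires>{expires}</wsu:Expires>" if expires else ""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsu:Timestamp wsu:Id="Timestamp-1">
        <wsu:Created>{created}</wsu:Created>{exp}
      </wsu:Timestamp>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><transfer><amount>100</amount></transfer></soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    cache = set()
    msg = envelope("2024-05-01T11:59:30Z", "2024-05-01T12:04:30Z")
    print("first delivery:", check_timestamp(msg, now, cache))
    print("replayed copy: ", check_timestamp(msg, now, cache))
    print("stale capture: ", check_timestamp(envelope("2024-05-01T11:40:00Z", "2024-05-01T11:45:00Z"), now, cache))
```

The order of the checks matters: the window length is bounded before the expiry comparison so that a sender cannot make a message "fresh" for hours by choosing a distant Expires, and a missing Expires is given the receiver's own limit rather than being treated as valid forever. The replay cache only needs to hold entries for MAX_TTL plus MAX_SKEW, because anything older is rejected by the time check regardless.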