
I am using HMAC authentication to secure an API. I have read that a nonce and timestamps can be used to prevent replay attacks.

But my question is: an attacker can modify the nonce and timestamp to the current time and resend the API call again, so then how will HMAC prevent a replay attack?

Thanks,

Sanjay Salunkhe
  • 1) the server should reject timestamps that deviate too much from the current time. 2) the server should reject nonces that have already been used (within a certain period of time) – Brrrr Jun 13 '16 at 11:46
  • But what if an attacker modifies the timestamp to the current server time and generates nonces that have not already been used? – Sanjay Salunkhe Jun 13 '16 at 11:59
  • If the attacker modifies these fields, the signature will change (a different hash will be produced), thus making the server reject the request. Note that the timestamp and nonce must be included in the hashed payload for this. – Brrrr Jun 13 '16 at 12:48
  • @Bor - Thanks, I got the answer to my question. – Sanjay Salunkhe Jun 13 '16 at 16:45
  • @Bor - If I am not including the nonce and timestamp in the URL and my URL is using SSL (secure connection), then will there be any chance of a replay attack? – Sanjay Salunkhe Jun 14 '16 at 06:33
  • Yes, a replay attack by a malicious user of your application. They could store and replay a request much later when they are no longer an authorised user of your application and execute actions or read data. SSL/TLS only protects the connection from man-in-the-middle or eavesdroppers, it doesn't protect it from malicious users. – SilverlightFox Jun 15 '16 at 11:24
  • Possible duplicate of [Time stamp in hMAC authentication](https://stackoverflow.com/questions/37150187/time-stamp-in-hmac-authentication) – pim Sep 15 '17 at 14:54
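The scheme the comments describe, as an added example that is not part of the original question or its comments: the timestamp and nonce are part of the HMAC input, so rewriting them without the shared secret breaks the signature, while the server's time window and nonce cache reject an unmodified replay. Names (`sign`, `verify`, `MAX_SKEW_SECONDS`) and the shared secret are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Per-client shared secret (constructed sample value, not a real key).
SECRET = b"constructed-demo-shared-secret"
MAX_SKEW_SECONDS = 300        # reject timestamps more than 5 minutes off
seen_nonces = {}              # server-side nonce -> expiry time

def canonical(method, path, body, timestamp, nonce):
    # Timestamp and nonce are part of the signed string, so changing either
    # one without the secret produces a different MAC.
    return "\n".join([method, path, hashlib.sha256(body).hexdigest(),
                      str(timestamp), nonce]).encode()

def sign(method, path, body, timestamp, nonce, secret=SECRET):
    return hmac.new(secret, canonical(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()

def verify(method, path, body, timestamp, nonce, signature, now=None, secret=SECRET):
    """Return (accepted, reason); rejects bad MACs, stale timestamps, reused nonces."""
    now = time.time() if now is None else now
    expected = sign(method, path, body, timestamp, nonce, secret)
    # Check the MAC first so unauthenticated requests never touch the nonce cache.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    # Drop nonces older than the time window, then check and record this one.
    for n in [n for n, exp in seen_nonces.items() if exp < now]:
        del seen_nonces[n]
    if nonce in seen_nonces:
        return False, "nonce already used"
    seen_nonces[nonce] = now + MAX_SKEW_SECONDS
    return True, "ok"

def new_request(method, path, body, now):
    # Client side: fresh random nonce, current time, then sign everything.
    nonce = secrets.token_hex(16)
    sig = sign(method, path, body, now, nonce)
    return (method, path, body, now, nonce, sig)
```

Because the window bounds how long a nonce must be remembered, the cache stays small; without the window, a nonce store would have to grow forever.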
