How can I prevent replay attacks and add another layer of encryption to my application when using token-based authentication, e.g. JSON Web authentication?
2 Answers
If you want to protect your application authentication from replay attacks, you can include a nonce (jti), expiration time (exp), and issued time (iat).
For more information see the spec.
A bit more detail.
A replay attack (also known as a playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. [wikipedia]
So, if you are using a nonce, the data can only be transmitted once; therefore no re-transmission is possible. This prevents the classical replay attack.
To avoid delayed attacks, the expiration time and issued time are used. This attack includes not only capturing the data traffic but also interrupting the traffic of the victim. And interrupting the traffic takes time.
Sure, using the expiration time and the issued time is not a 100 percent solution, but if you choose the values wisely you are minimizing the risk.

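The answer above names the three claims but does not show what a verifier has to do with them. The following is an added example, not code from the original answer or from any JWT library: a stand-alone HS256 signer and a verifier that checks the signature, rejects tokens whose `exp` has passed or whose `iat` lies in the future, and accepts each `jti` only once, forgetting it once the token could no longer be valid anyway. The secret, the skew window and the `ReplayGuard` name are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed demo key for the example; a real service loads its key from a secret store.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, ttl: int,
                now: Optional[int] = None, jti: Optional[str] = None) -> str:
    """Mint an HS256 JWT carrying iat, exp and a random jti (the nonce).

    now/jti are only parameters so the example is deterministic; production
    code takes the clock and a fresh random jti every time.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl,
               "jti": jti or secrets.token_hex(16)}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class ReplayGuard:
    """Verifier that accepts each jti once and drops it after exp (+ skew)."""

    def __init__(self, secret: bytes, clock_skew: int = 30):
        self.secret = secret
        self.clock_skew = clock_skew          # tolerated clock drift in seconds
        self._seen: Dict[str, int] = {}       # jti -> exp of the token that used it

    def _purge(self, now: int) -> None:
        # A jti whose token is already expired can never be replayed, so forget it.
        for jti, exp in list(self._seen.items()):
            if exp + self.clock_skew < now:
                del self._seen[jti]

    def verify(self, token: str, now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        try:
            h64, p64, s64 = token.split(".")
            header = json.loads(_b64url_decode(h64))
            payload = json.loads(_b64url_decode(p64))
            sig = _b64url_decode(s64)
        except (ValueError, UnicodeDecodeError):
            return False, "malformed"
        # Pin the algorithm: never let the token choose (e.g. alg "none").
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(self.secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        iat, exp, jti = payload.get("iat"), payload.get("exp"), payload.get("jti")
        if not (isinstance(iat, int) and isinstance(exp, int) and isinstance(jti, str) and jti):
            return False, "missing claims"
        if iat > now + self.clock_skew:
            return False, "issued in the future"
        if now > exp + self.clock_skew:
            return False, "expired"
        self._purge(now)
        if jti in self._seen:
            return False, "replayed"
        self._seen[jti] = exp
        return True, "ok"
```

The `jti` store is in-process here, so the protection only holds for a single verifying instance; behind a load balancer the seen set has to live in shared storage (a cache with a TTL equal to the token lifetime plus skew) or each node will accept the same token once. The `exp` check caps how long that store has to remember each nonce, which is why the two claims belong together.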
- I don't understand how this can prevent replay attacks, since an attacker can intercept the packet and send it to the server before the expiration time is hit, claiming that he is the legitimate user. Nonetheless I don't even see how https can prevent such a thing; the attacker can always intercept the request and send it to get the correct response from the server even if the request is encrypted! – salutent Apr 11 '17 at 07:42
- @salutent Please see my updated answer; I have added some details. – Paul Wasilewski Apr 11 '17 at 08:22
- I got it now. If the attacker interrupts the traffic and sends the packets to the server claiming that he is the legitimate sender, shouldn't it not be a real problem if my expiration time is set to, let's say, 3-4 minutes? – salutent Apr 11 '17 at 08:39
- @salutent, the time you choose depends, among others, on your infrastructure and network. For example, if you are operating in a local network the expiration time can be much shorter than when operating in a mobile network. In my opinion you should determine the expiration time empirically according to your environment. – Paul Wasilewski Apr 11 '17 at 11:03