I was thinking of putting a time stamp in the signed part of the message to reject stale requests.
On Feb 7, 6:49 pm, Bruce Clement <[email protected]> wrote:
> Your protocol looks like it would be vulnerable to a replay attack
> (http://en.wikipedia.org/wiki/Replay_attack) which would act as a DOS
> on your printer
>
> To mitigate you'd need to have something in the signed part of the
> message that guarantees uniqueness, e.g. a challenge response or a
> "sequence number" (Don't make it strict, just require something that
> is larger than the previous accepted request from the user)
>
> --
> Bruce Clement
>
> Home: http://www.clement.co.nz/
> Twitter: http://twitter.com/Bruce_Clement
> Directory: http://www.searchme.co.nz/
>
> "Before attempting to create something new, it is vital to have a good
> appreciation of everything that already exists in this field." Mikhail
> Kalashnikov

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [email protected]
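The two mitigations discussed in this thread (a time stamp in the signed part of the message, plus a non-strict per-user sequence number) combined in one verifier, as an added example that is not code from either poster; the HMAC secret, the 300-second freshness window, the in-memory sequence store and the field names are assumptions for illustration.

```php
<?php
// Added example: reject stale and replayed print requests.
// Assumed shared secret between client and printer, and an assumed
// tolerance for clock skew between the two sides.
const SHARED_SECRET   = 'example-secret-replace-me'; // assumption
const MAX_AGE_SECONDS = 300;                         // assumption

// Client side: sign user, sequence number, time stamp and body together,
// so none of them can be altered without invalidating the MAC.
function signRequest(string $user, int $seq, int $ts, string $body): array {
    $payload = json_encode(['user' => $user, 'seq' => $seq, 'ts' => $ts, 'body' => $body]);
    return ['payload' => $payload, 'mac' => hash_hmac('sha256', $payload, SHARED_SECRET)];
}

// Printer side. $lastSeq holds the last accepted sequence number per user
// (in memory here; it must be persisted in a real deployment).
function verifyRequest(array $req, array &$lastSeq, int $now): string {
    $expected = hash_hmac('sha256', $req['payload'], SHARED_SECRET);
    if (!hash_equals($expected, $req['mac'])) {      // constant-time compare
        return 'rejected: bad signature';
    }
    $p = json_decode($req['payload'], true);
    if (!is_array($p) || !isset($p['user'], $p['seq'], $p['ts'])) {
        return 'rejected: malformed payload';
    }
    if (abs($now - (int)$p['ts']) > MAX_AGE_SECONDS) { // stale time stamp
        return 'rejected: stale request';
    }
    $prev = $lastSeq[$p['user']] ?? 0;
    if ((int)$p['seq'] <= $prev) {                     // replayed or reordered
        return 'rejected: sequence not greater than last accepted (' . $prev . ')';
    }
    $lastSeq[$p['user']] = (int)$p['seq'];            // non-strict: gaps are fine
    return 'accepted';
}

// Constructed sample exchange.
$lastSeq = [];
$now = time();
$req = signRequest('alice', 42, $now, 'print job A');
echo verifyRequest($req, $lastSeq, $now), "\n";           // accepted
echo verifyRequest($req, $lastSeq, $now), "\n";           // replay of same message: rejected
$skip = signRequest('alice', 50, $now, 'print job B');
echo verifyRequest($skip, $lastSeq, $now), "\n";          // gap 43..49 skipped: still accepted
$old = signRequest('alice', 51, $now - 3600, 'print job C');
echo verifyRequest($old, $lastSeq, $now), "\n";           // hour-old time stamp: rejected
$old['mac'] = str_repeat('0', 64);
echo verifyRequest($old, $lastSeq, $now), "\n";           // forged MAC: rejected
```

The sequence check is deliberately "larger than the last accepted", not "exactly last plus one", so a request that was lost in transit does not block the user's later ones; the time stamp bounds how long a captured message stays usable even if the sequence store is lost.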
