Difference between revisions of "User authentication allows for replay attack"


Latest revision as of 17:00, 13 April 2015

The absence of encryption in the user authentication process, combined with the lack of a distinct temporal component for each authentication, allows the authentication packets to be intercepted, recorded and replayed to authenticate again. Even if the attacker does not know exactly which credentials were used, he can resend the recorded authentication packets to forge a user authentication.

The authentication process shall be encrypted and must contain a unique, sequential or temporal component, so that the same packet used to authenticate the user at one time cannot be used to authenticate again at a later time.

The following authentication mechanisms allow greater security in the user authentication process:

  1. Challenge/response
  2. Kerberos
  3. Public/private key

If the operating system or the base platform for your system offers a secure authentication mechanism, it is usually better to use it.
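As an added example (not part of the original wiki page), here is the challenge/response mechanism from the list above in Python: the server issues a random single-use nonce with a time-to-live, the client answers with an HMAC over the nonce using a shared secret, and presenting the same captured response a second time is rejected. The shared secret and user names are constructed values; the example demonstrates the unique and temporal component, and assumes the transport is separately encrypted as the text requires.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed value for the example; a real deployment provisions a secret per user.
SHARED_SECRET = b"example-shared-secret-not-for-production"


class ChallengeResponseServer:
    """Issues single-use nonces and verifies HMAC responses computed over them."""

    def __init__(self, key: bytes, ttl_seconds: float = 30.0):
        self.key = key
        self.ttl = ttl_seconds
        self.pending: Dict[bytes, float] = {}  # nonce -> time it was issued

    def challenge(self, now: Optional[float] = None) -> bytes:
        """Return a fresh random nonce: the 'unique component' of this login."""
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = time.monotonic() if now is None else now
        return nonce

    def verify(self, user: str, nonce: bytes, response: bytes,
               now: Optional[float] = None) -> bool:
        """Accept a response once only: the nonce is consumed on first use."""
        issued = self.pending.pop(nonce, None)
        if issued is None:
            return False  # unknown nonce, or one already consumed (a replay)
        now = time.monotonic() if now is None else now
        if now - issued > self.ttl:
            return False  # challenge expired: the 'temporal component'
        expected = hmac.new(self.key, user.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(key: bytes, user: str, nonce: bytes) -> bytes:
    """Client proves knowledge of the secret without ever sending it."""
    return hmac.new(key, user.encode() + nonce, hashlib.sha256).digest()


def demo() -> Tuple[bool, bool]:
    """A legitimate login succeeds; replaying the captured packet fails."""
    server = ChallengeResponseServer(SHARED_SECRET)
    nonce = server.challenge()
    captured = client_response(SHARED_SECRET, "alice", nonce)  # packet on the wire
    first = server.verify("alice", nonce, captured)
    replayed = server.verify("alice", nonce, captured)  # same packet sent again
    return first, replayed  # (True, False)
```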