djoos / EscapeWSSEAuthenticationBundle

Symfony bundle to implement WSSE authentication
http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Fix validation of unique nonce #16

Closed xelaris closed 11 years ago

xelaris commented 11 years ago

Due to an incorrect comparison of the nonce time with the current time, a nonce could be used multiple times within the specified lifetime. Thus the implementation was vulnerable to replay attacks.

djoos commented 11 years ago

Hi @xelaris,

great, thanks for your important contribution!

Kind regards, David

nualoy commented 10 years ago

> a nonce could be used multiple times within specified lifetime

What's the purpose of lifetime if not that?

djoos commented 10 years ago

@nuqqsa as mentioned in #26, the changes above were to prevent a nonce from being reused within a specified lifetime (replay attacks) and I don't see any issues with the PR that got merged here.

Kind regards, David

xelaris commented 10 years ago

The lifetime determines the time from the creation of the nonce until it's used. A nonce should be valid for one request only. Otherwise an attacker could send the same request, without knowing the credentials (replay attack). Take a look at http://en.wikipedia.org/wiki/Cryptographic_nonce .
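
The distinction drawn in the comment above, as an added PHP example that is not part of this thread and is not the bundle's code: the lifetime bounds how old a token may be, while the nonce record rejects a second use inside that window. The function names, the in-memory store and the timestamps are constructed, and the flawed comparison is an assumed form of an inverted check, since the PR's diff is not shown on this page.

```php
<?php
declare(strict_types=1);

// Illustration only: hypothetical helpers, with an array standing in for the nonce store.

/** A token is fresh while its creation time is at most $lifetime seconds old. */
function isFresh(int $created, int $now, int $lifetime): bool
{
    return $now - $created <= $lifetime;
}

/** Assumed flawed form: a stored nonce is rejected only AFTER its lifetime has passed. */
function acceptFlawed(array &$seen, string $nonce, int $created, int $now, int $lifetime): bool
{
    if (!isFresh($created, $now, $lifetime)) {
        return false;
    }
    if (isset($seen[$nonce]) && $seen[$nonce] + $lifetime < $now) {
        return false; // inverted: never true while the token is still fresh
    }
    $seen[$nonce] = $now;
    return true;
}

/** Corrected form: a nonce already seen within the lifetime is a replay. */
function acceptFixed(array &$seen, string $nonce, int $created, int $now, int $lifetime): bool
{
    if (!isFresh($created, $now, $lifetime)) {
        return false;
    }
    if (isset($seen[$nonce]) && $seen[$nonce] + $lifetime > $now) {
        return false; // same nonce inside the window: reject
    }
    $seen[$nonce] = $now; // remember the nonce for the length of the lifetime
    return true;
}

// Constructed timeline: token created at t=1000, lifetime 300 s.
// t=1010 is the legitimate request; t=1020 and t=1400 resend the same token.
$seenFlawed = [];
$seenFixed = [];
foreach ([1010, 1020, 1400] as $now) {
    printf("t=%d flawed=%s fixed=%s\n", $now,
        var_export(acceptFlawed($seenFlawed, 'n1', 1000, $now, 300), true),
        var_export(acceptFixed($seenFixed, 'n1', 1000, $now, 300), true));
}
```

Once the lifetime has elapsed the stored nonce no longer matters, because the resent token fails the freshness check on its own; this is why the store only has to remember nonces for the length of the lifetime.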

nualoy commented 10 years ago

Oh, I see. It makes sense, thank you for the clarification @xelaris.

djoos commented 10 years ago

Thanks @xelaris, have a great weekend!