[Standards-JIG] jep-secure updated

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Thu Mar 18 19:50:02 UTC 2004


I've added a <window> field to the sender now, so that the timeframe is no 
longer a hard-coded value.  This was mainly to experiment with the idea of 
having a very large window.

But now I think I have discovered a hole in the replay protection regarding 
offline messages.  If the timestamp of the last secure message of a session 
is within X/2 time of the previous such session timestamp, then any offline 
messages stamped within that timeframe could be replayed.  For small windows, 
this risk is minimal, but for large windows it becomes more apparent.  What 
we need is a solution that has zero risk no matter what the window size is.

-Justin

On Wednesday 17 March 2004 7:23 pm, Justin Karneges wrote:
> Alright, I've updated the JEP according to all of the latest discussion.
>
>   http://delta.affinix.com/specs/jep-secure.html
>
> -Justin


