[Standards-JIG] The Great Encryption Debate
justin-keyword-jabber.093179 at affinix.com
Thu Aug 4 01:38:37 UTC 2005
On Wednesday 03 August 2005 06:16 pm, Ian Paterson wrote:
> Unless I've neglected something, offline session replay attacks are
> easily prevented without resorting to comparing timestamps. So there are
> no clock synchronization issues to deal with.
Yes, this looks good.
Now, another issue: what if the user is unable to publish new values prior to
logging off, such as in the event of a network outage (or worse, some sort of
attack)? It seems to me that the client should submit new values as soon as
possible, perhaps right after logging in. The client would then use both the
old and new values for decoding messages received during that session.