Re: [webauthn] Sign counter alg 507

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Tue, 05 Sep 2017 21:13:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-327305129-1504645969-sysbot+gh@w3.org>

> Why would it be a signal about a previous login and not the current one?

In the ideal case, where the token maintains a perfect, per-key counter, an attacker who clones a token with a counter of n will impersonate the victim by using a counter of n+1, because they want the attack to succeed. The victim will later try to authenticate and also use n+1, because that's the correct value for them, and trigger a counter mismatch. But the attempt with the bad counter value wasn't the attack; it was the victim tripping over the state change that the attack caused.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-327305129 using your GitHub account
Received on Tuesday, 5 September 2017 21:13:01 UTC
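
The sequence described in the message above, as an added simulation that is not part of the original message or of the WebAuthn specification text. `Token`, `RelyingParty`, `simulate` and `logins_to_review` are hypothetical names, the starting value 41 is constructed, the relying party is assumed to accept only a strictly increasing counter, and the `actor` label is ground truth a real relying party would not have.

```python
from dataclasses import dataclass, field

@dataclass
class Token:
    """Toy authenticator: only the per-key signature counter is modelled."""
    counter: int

    def assertion(self) -> int:
        self.counter += 1          # a perfect counter increments on every use
        return self.counter

@dataclass
class RelyingParty:
    stored: int                    # last counter value accepted for this key
    log: list = field(default_factory=list)

    def login(self, actor: str, received: int) -> bool:
        ok = received > self.stored          # assumed rule: must strictly increase
        if ok:
            self.stored = received
        self.log.append((actor, received, "ok" if ok else "COUNTER_MISMATCH"))
        return ok

def simulate(n: int = 41) -> list:
    victim = Token(n)
    rp = RelyingParty(stored=n)
    clone = Token(victim.counter)            # clone taken at counter n
    rp.login("attacker", clone.assertion())  # n+1, accepted
    rp.login("victim", victim.assertion())   # also n+1, rejected
    return rp.log

def logins_to_review(log: list) -> list:
    """For each mismatch, the earlier accepted logins whose counter is >= the rejected value."""
    out = []
    for i, (_, value, status) in enumerate(log):
        if status == "COUNTER_MISMATCH":
            prior = [e for e in log[:i] if e[2] == "ok" and e[1] >= value]
            out.append((log[i], prior))
    return out

if __name__ == "__main__":
    for entry in simulate():
        print(entry)
    print(logins_to_review(simulate()))
```

The rejected entry belongs to the victim, so incident handling on a mismatch should start from the earlier accepted logins that `logins_to_review` pairs with it rather than from the rejected attempt alone.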
