
Re: [webauthn] Sign counter alg 507

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Tue, 05 Sep 2017 21:13:00 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-327305129-1504645969-sysbot+gh@w3.org>
> Why would it be a signal about a previous login and not the current one?

In the ideal case, where the token maintains a perfect, per-key counter, an attacker who clones a token with a counter of n will impersonate the victim by using a counter of n+1, because they want the attack to succeed. The victim will later try to authenticate and also use n+1, because that's the correct value for them, and trigger a counter mismatch. But the attempt with the bad counter value wasn't the attack; it was the victim tripping over the state change that the attack caused.

GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-327305129 using your GitHub account
Received on Tuesday, 5 September 2017 21:13:01 UTC
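The scenario agl describes, played through a relying party's signature-counter check, as an added example (not code from the thread or from the WebAuthn project). The check follows the spec's verification step for `authData.signCount`: a presented counter greater than the stored one is accepted and stored; a presented counter less than or equal to the stored one, when either is non-zero, means a second authenticator with the same private key may exist. The credential record, the `check_sign_count` helper and the `simulate_clone_scenario` driver are assumptions of this example; the counter values are constructed.

```python
"""Relying-party sign counter handling (added example, not from the original thread).

Models the WebAuthn authentication-ceremony step for authData.signCount and
replays the clone scenario: a cloned token authenticates first with n+1, then
the legitimate token also presents n+1 and is the one that trips the check.
"""
from dataclasses import dataclass, field


@dataclass
class CredentialRecord:
    """Per-credential state an RP keeps after registration (assumed shape)."""
    credential_id: str
    sign_count: int           # last counter value the RP accepted
    clone_suspected: bool = False
    events: list = field(default_factory=list)


def check_sign_count(record: CredentialRecord, presented: int) -> bool:
    """Apply the WebAuthn signCount rule and return whether the assertion is accepted.

    - Both zero: the authenticator implements no counter; nothing to compare.
    - presented > stored: normal case, store the new value.
    - otherwise: a clone may exist. The RP marks the credential, and this
      implementation rejects the assertion; the spec leaves that policy to the RP.
    """
    if presented == 0 and record.sign_count == 0:
        return True
    if presented > record.sign_count:
        record.sign_count = presented
        return True
    record.clone_suspected = True
    return False


def authenticate(record: CredentialRecord, who: str, presented: int) -> dict:
    """Run one assertion through the counter check and log the outcome."""
    accepted = check_sign_count(record, presented)
    event = {"who": who, "signCount": presented, "accepted": accepted,
             "clone_suspected": record.clone_suspected}
    record.events.append(event)
    return event


def simulate_clone_scenario(n: int) -> list:
    """Constructed replay of the thread's scenario for a token whose counter is n.

    1. The attacker, holding a clone at counter n, authenticates with n+1 and succeeds.
    2. The victim, whose token is also at n, later authenticates with n+1 and fails.
    The rejected attempt is the victim's, not the attacker's.
    """
    record = CredentialRecord("cred-constructed-A", sign_count=n)
    authenticate(record, "attacker-clone", n + 1)
    authenticate(record, "victim", n + 1)
    return record.events


def first_rejected_party(events: list):
    """Return who was rejected first, i.e. which session raised the clone signal."""
    for event in events:
        if not event["accepted"]:
            return event["who"]
    return None


if __name__ == "__main__":
    for e in simulate_clone_scenario(41):
        print(e)
    # Defender's reading: the failing session is the legitimate user; treat the
    # mismatch as evidence that the credential's key has been duplicated and act
    # on the credential (re-enrolment, revocation), not on the session that failed.
```

The point the replay makes for an RP operator: the session that fails the counter check is the wrong one to treat as the attacker, because the attacker's session already succeeded. A counter mismatch is a signal about the credential, so the useful response is to flag or revoke that credential and have the user re-enrol, rather than to rate-limit or block the session that happened to trip the check.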
