Re: [webauthn] Clarify the need for truly randomly generated challenges (#1856)

> If avoiding replay attacks is the only purpose of the challenge, then, at least according to my layman understanding of cryptography, that would mean that the only requirement would be preventing the same challenge from being used twice, not that it needs to be cryptographically random. The standard goes on to state that...

@dolda2000 If the challenge _can be guessed in any way_, then the protocol is also - potentially - vulnerable to a pre-play attack, i.e. generating and registering a transaction in advance and playing it when needed.

This attack is rarely seen or heard of, but it can be worse than a replay attack because you can perform it without seeing the message twice, which makes detecting or auditing it nearly impossible.

-- 
GitHub Notification of comment by serianox
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1856#issuecomment-1437367956 using your GitHub account

Received on Monday, 20 February 2023 17:48:17 UTC
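The relying-party side of what serianox describes, as an added example that is not part of this thread or of the WebAuthn spec itself: a server-side challenge store that draws every challenge from a CSPRNG (so it cannot be guessed and pre-computed for a pre-play), binds it to the session that requested it, expires it, and accepts it exactly once when the `clientDataJSON` comes back. The `ChallengeStore` class and the `client_data_for` helper are hypothetical names assumed here; origin and rpIdHash checks are left out.

```python
import base64
import hmac
import json
import secrets
import time

CHALLENGE_BYTES = 32          # 256 bits; the spec asks for at least 16 bytes
CHALLENGE_TTL_SECONDS = 120   # assumed ceremony timeout


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def client_data_for(challenge: str, type_: str, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser would return."""
    return json.dumps({"type": type_, "challenge": challenge, "origin": origin}).encode()


class ChallengeStore:
    """Outstanding challenges, keyed by the session that asked for them."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be exercised
        self._pending = {}         # session_id -> (challenge bytes, expiry time)

    def issue(self, session_id: str) -> str:
        # Fresh CSPRNG output per ceremony: no counter, timestamp or hash of the session.
        challenge = secrets.token_bytes(CHALLENGE_BYTES)
        self._pending[session_id] = (challenge, self._now() + CHALLENGE_TTL_SECONDS)
        return b64url(challenge)

    def consume(self, session_id: str, client_data_json: bytes, expected_type: str) -> bool:
        # pop() before any check: a challenge is spent on first use, success or failure.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False                      # never issued, or already used
        challenge, expiry = entry
        if self._now() > expiry:
            return False                      # stale: issued too long ago
        try:
            client_data = json.loads(client_data_json)
            presented = b64url_decode(client_data["challenge"])
        except (ValueError, KeyError, TypeError):
            return False
        if client_data.get("type") != expected_type:
            return False                      # registration response used for login, or vice versa
        return hmac.compare_digest(presented, challenge)
```

Because the challenge is tied to the session that requested it and removed on first use, a response prepared in advance against a guessed value, or a captured response played a second time, both fail the `consume` check.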