Re: HTTP Signatures specification updated

On 02/04/2014 01:36 AM, Melvin Carvalho wrote:
> The HTTP Signatures specification is utilized by the Web Payments 
> specification, the Secure Messaging specification, and the Web
> Identity specification, which are then used by most every other
> specification that this group is working on that requires REST API
> authentication.
> 
> Is there a possible replay attack where the same transaction may be 
> actioned more than the intended number of times?

Yes, if the payment processor doesn't implement proper replay protection
it's a problem. Replay protection will be a requirement of the Web
Payments spec (given a request to process a payment via the REST API).

In HTTP Signatures, the idea is that the nonce is the datetime, if
nothing else is provided. Datetimes can have arbitrary precision for
times used in HTTP signatures:

2014-02-06T07:06:00.000073Z
                   ^^^^^^^

We'll probably require nanosecond precision for the Web Payments spec.

So, in the very worst case, payment processors should use the datetime
as a nonce to prevent replay attacks (only one request per timestamp per
key ID w/ a particular message digest hash).

So, if the client is limited to second precision in timestamps, then
they may only make one request w/ the same exact content per second. If
there is a botnet that shares the same exact key and only has second
resolution on the timestamps, then that botnet may only do one
transaction w/ a specific message digest hash per second.

We are still considering supporting HTTP nonces since that has a client
counter included, which wouldn't limit the botnet specified above since
each bot would have its own client nonce that's included in the
request. That said, it's unlikely that a client would not have access to
millisecond precision timestamps /and/ need to process the exact same
message more than once per second /and/ not be able to assign a different
key for each different bot in a cluster.

If anyone could think of a likely use case where this approach doesn't
work, we'd love to hear about it.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The World's First Web Payments Workshop
http://www.w3.org/2013/10/payments/

Received on Saturday, 8 February 2014 02:28:46 UTC
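The replay rule described in the message above (one request per timestamp per key ID with a given message digest), as an added example that is not part of the thread or of the HTTP Signatures specification. The key IDs, the request bodies, the five-minute clock-skew window and the `SHA-256=<base64>` form of the Digest value are all assumptions made for the example; the date format is the arbitrary-precision UTC datetime shown in the message.

```python
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Matches an ISO 8601 UTC datetime with an optional fractional-second part of
# any length, e.g. 2014-02-06T07:06:00Z or 2014-02-06T07:06:00.000073Z.
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_date(value):
    """Parse the Date value into an aware UTC datetime, or return None if malformed.

    The fraction is truncated to microseconds for the freshness check only; the
    untruncated string is what goes into the replay key, so nanosecond digits
    still distinguish two requests.
    """
    m = DATE_RE.match(value)
    if not m:
        return None
    base, frac = m.groups()
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if frac:
        dt = dt.replace(microsecond=int((frac + "000000")[:6]))
    return dt


def digest_for(body):
    """Build a Digest header value (assumed form: SHA-256, base64) for a request body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


class ReplayGuard:
    """Server-side replay cache keyed on (keyId, Date, Digest).

    A signed request is accepted at most once per distinct triple. Entries are
    dropped once their Date falls outside the skew window, because from then on
    the freshness check rejects the request anyway, so the cache stays bounded.
    """

    def __init__(self, max_skew=timedelta(minutes=5)):  # assumed window
        self.max_skew = max_skew
        self._seen = {}  # (key_id, date_header, digest_header) -> request datetime

    def _prune(self, now):
        stale = [k for k, dt in self._seen.items() if now - dt > self.max_skew]
        for k in stale:
            del self._seen[k]

    def check(self, key_id, date_header, digest_header, now):
        """Return 'accept' or a 'reject: <reason>' string for one signed request."""
        dt = parse_date(date_header)
        if dt is None:
            return "reject: malformed date"
        if abs(now - dt) > self.max_skew:
            return "reject: stale date"
        self._prune(now)
        triple = (key_id, date_header, digest_header)
        if triple in self._seen:
            return "reject: replay"
        self._seen[triple] = dt
        return "accept"


def demo():
    """Constructed requests showing the per-second limit and how precision lifts it."""
    guard = ReplayGuard()
    now = datetime(2014, 2, 6, 7, 6, 0, tzinfo=timezone.utc)
    key1, key2 = "acct/bot-1/keys/1", "acct/bot-2/keys/1"   # hypothetical key IDs
    d = digest_for(b'{"amount":"5.00","currency":"USD"}')  # constructed body
    d_other = digest_for(b'{"amount":"6.00","currency":"USD"}')
    results = []
    # Second-precision client: the identical message twice in the same second.
    results.append(guard.check(key1, "2014-02-06T07:06:00Z", d, now))
    results.append(guard.check(key1, "2014-02-06T07:06:00Z", d, now))
    # Another bot sharing the same key and clock resolution is blocked too...
    results.append(guard.check(key1, "2014-02-06T07:06:00Z", d, now))
    # ...unless it has its own key ID.
    results.append(guard.check(key2, "2014-02-06T07:06:00Z", d, now))
    # A different message in the same second is a different digest, so it passes.
    results.append(guard.check(key1, "2014-02-06T07:06:00Z", d_other, now))
    # Sub-second precision makes each request its own nonce, even at nanosecond
    # resolution, because the raw Date string is part of the replay key.
    results.append(guard.check(key1, "2014-02-06T07:06:00.000073Z", d, now))
    results.append(guard.check(key1, "2014-02-06T07:06:00.000073001Z", d, now))
    # A timestamp outside the skew window is refused before the cache is consulted.
    results.append(guard.check(key1, "2014-02-06T06:00:00Z", d, now))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The cache is only as good as the freshness window: a replay older than `max_skew` is stopped by the stale-date check, not by the cache, which is what allows the cache to forget entries once they age out.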