Tags: java, security, jwt, jwe

How to prevent replay attacks when using token-based authentication in an HTTP connection


How can I prevent replay attacks and add another layer of encryption to my application when using token-based authentication, e.g. JSON Web authentication?


Solution

  • If you want to protect your application authentication from replay attacks, you can include a nonce (jti), expiration time (exp), and issued time (iat).

    For more information see the spec.

    A bit more detail.

    A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. [wikipedia]

    So, if you are using a nonce the data can only be transmitted once therefore no re-transmission is possible. This prevents the classical replay attack.

    To avoid delayed attacks, the expiration time and issued time are used. This attack includes not only capturing the data traffic but also interrupting the traffic of the victim. And interrupting the traffic takes time.

    Sure, using the expiration time and the issued time is not a 100 percent solution, but if you choose the values wisely you minimize the risk.
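The checks the answer describes (jti as a nonce, exp and iat as time bounds), as an added example that is not part of the original answer and uses no JWT library: it builds an HS256 token with the Python standard library and a `ReplayGuard` verifier that checks the signature, rejects expired or future-dated tokens (with a small clock-skew allowance), and rejects any jti it has already accepted. The key, subject and timestamps are constructed demo values; the `clock_skew` of 30 seconds and the 300-second lifetime are assumptions, not values from the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(key: bytes, subject: str, ttl_seconds: int, now: int) -> str:
    """Build an HS256 JWT carrying sub, iat, exp and a random jti (the nonce)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_urlsafe(16),  # 128-bit random nonce, unique per token
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class ReplayGuard:
    """Verifies signature, exp and iat, and rejects any jti seen before."""

    def __init__(self, key: bytes, clock_skew: int = 30):
        self.key = key
        self.clock_skew = clock_skew
        # jti -> exp, so the store can be pruned once a replay would fail on exp anyway
        self._seen: Dict[str, int] = {}

    def _purge(self, now: int) -> None:
        # A jti whose exp (plus skew) has passed can be forgotten: the exp check
        # would reject a replay of it regardless, so the store stays bounded.
        for jti in [j for j, exp in self._seen.items() if exp + self.clock_skew < now]:
            del self._seen[jti]

    def verify(self, token: str, now: int) -> dict:
        """Return the claims if the token is valid and fresh; raise ValueError otherwise."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h_b64, c_b64, s_b64 = parts
        # Check the signature first so unsigned or tampered claims are never trusted.
        expected = hmac.new(self.key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            raise ValueError("bad signature")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(_b64url_decode(c_b64))
        for required in ("exp", "iat", "jti"):
            if required not in claims:
                raise ValueError(f"missing claim {required}")
        if claims["exp"] + self.clock_skew < now:
            raise ValueError("token expired")
        if claims["iat"] - self.clock_skew > now:
            raise ValueError("token issued in the future")
        self._purge(now)
        if claims["jti"] in self._seen:
            raise ValueError("replay detected")
        self._seen[claims["jti"]] = claims["exp"]
        return claims


def check(guard: ReplayGuard, token: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        guard.verify(token, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    guard = ReplayGuard(demo_key)
    tok = issue_token(demo_key, "alice", ttl_seconds=300, now=1_700_000_000)
    print(check(guard, tok, now=1_700_000_010))  # ok
    print(check(guard, tok, now=1_700_000_020))  # replay detected
    print(check(guard, tok, now=1_700_000_400))  # token expired
```

The seen-jti store here is an in-process dictionary; behind a load balancer every verifying node must consult one shared store (a database or cache keyed by jti with a TTL equal to the token lifetime), otherwise a captured token can be replayed against a different node. Keeping `exp` short also bounds how long that store has to remember each nonce.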