[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Replay attacks and ISP business models

To: John Levine <johnl@xxxxxxxx>
Subject: Re: Replay attacks and ISP business models
From: Andrew Newton <andy@xxxxxx>
Date: Sat, 6 Aug 2005 02:31:38 -0400
Cc: ietf-mailsig@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-mailsig/mail-archive/>
List-id: <ietf-mailsig.imc.org>
List-unsubscribe: <mailto:ietf-mailsig-request@imc.org?body=unsubscribe>
References: <>
Sender: owner-ietf-mailsig@xxxxxxxxxxxx

On Aug 5, 2005, at 9:11 PM, John Levine wrote:

It almost seems that replay can be detected just by monitoring the
number of queries against a user key.


Only if you know in advance how many times a message will legitimately
be delivered

Or if you see that a particular user key is being queries a million times while most user keys are only queried hundreds of times in a certain time period, that might be a clue that something is up.

and can see through the recipients' DNS caches to know
how many times a key was fetched, neither of which seems very likely.

That all depends on how far and wide the replay is being used. But this is why I also added "This would be especially true if the other key retrieval methods are used for user keying."

Before we can describe a replay defense, the people who are concerned
about replay need to define what replay means, i.e., what's the
technical difference between a replay and a valid delivery.  The
definition can't require knowledge of people's mental states.

You don't like the description of replay attacks in Section 9.5 of DKIM-base?

-andy

Follow-Ups:
- Re: Replay attacks and ISP business models
  - From: John R Levine

References:
- Re: Replay attacks and ISP business models
  - From: John Levine

Prev by Date: Re: Replay attacks and ISP business models
Next by Date: Re: MASS/DKIM BOF Summary
Previous by thread: Re: Replay attacks and ISP business models
Next by thread: Re: Replay attacks and ISP business models
Index(es):
- Date
- Thread