2.4.3 Replay Attacks

Notice how the man-in-the-middle recorded the network traffic. Among the most valuable items that can be captured are usernames and passwords, which can then be used to log on to other networks or other resources. A full-blown man-in-the-middle attack is not necessary to capture these, however: any keystroke logger or network monitor can record what passes it on the network or what is typed at the keyboard. An attacker can lurk on the network, or in the computer where your logon was observed, and store the captured data. Later, the attacker plays the log back in the same sequence, gaining access just as the user did.

Replay Defense

The defense against replay attacks is to move from static passwords to one-time passwords. A one-time password can be drawn from a list of passwords on a rotating basis, or it can be generated specifically for the occasion. A password that incorporates a time stamp is an example of a one-time password, because the time element differs every time the password is generated. The server is equipped with the same algorithm for generating passwords. If an incoming password falls outside the acceptable limits because too much time has passed since the attacker sniffed it, the server rejects the connection.

Many organizations issue a special token card to users who require secure access. Some of these token cards resemble a small pocket calculator: they display a unique password when the user enters a Personal Identification Number (PIN). The server is equipped with the same software that drives the token and expects the password to match. The combination of possessing the token and knowing the PIN increases security. Other tokens work by plugging directly into the computer, with the user entering the PIN as part of the logon process.