Created by jnugh on 1/29/2024 in #💬│support
How to prevent HMAC replay in Websockets
Let's say there is a user A who uses our service. User A gets compromised somehow, maybe a cross-site scripting in our app or malware on the user's computer (or anything else). Now an attacker knows the subscriber id and the MAC that has been generated using the secret and the subscriber id. The only way to restore the user's security would be to rotate the secret, which would be the API key. This is shared across all users, so changing the API key would invalidate all other users jamb. It would also require a config change on our backend system.
This is why MACs are often designed to be non-replayable: an old MAC cannot be used to access the same resource again. So after the user account has been secured, the old HMAC does not give the attacker access to new notifications.
This is often done by adding a timestamp to the HMAC, comparing the timestamp with the current time, and only validating the HMAC if it was created recently. We use a token-based system where an access token is only valid for a few minutes and refresh tokens can be invalidated. Having a replayable HMAC for authentication without other revocation methods would lead to a subsystem that is less secure.