From the course: Threat Modeling: Tampering in Depth
Replay and reflection
- [Instructor] I can also tamper with the data flow by replaying messages. And holy cow. They're signed, so they must be authentic. Do you think that's enough? I'll send a lot of signed messages to your bank, saying please pay Adam $1,000. Thank you. That's why checks have sequence numbers on them. And that's a good lesson for you in replay attacks, when they're tampering with the channel, but not the message. I can also reflect messages. That is, send them back to their sender. If your code simply checks for a signature like this, then that code will accept messages signed by you. And once again, I laugh all the way to the bank. Or, maybe the courthouse. Don't try this with checks or any system with checks and balances. I can cause collisions by sending a bunch of fake messages. If the sequence numbers get updated at the wrong place in the code, then the receiver may be confused about which sequence numbers might…
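As an added example (not part of the course), the Python below puts the signature-only check the instructor describes next to a receiver that also binds sender, recipient and a per-sender sequence number under the MAC, so replayed and reflected copies of a valid message are rejected. The shared key, the `alice`/`bank` parties and the message fields are constructed for the demo.

```python
import hmac
import hashlib
import json

KEY = b"constructed-shared-secret"  # constructed demo key, shared by both parties


def sign(msg: dict) -> dict:
    """Attach an HMAC over every field, including from/to/seq."""
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "mac": hmac.new(KEY, body, hashlib.sha256).hexdigest()}


def mac_ok(msg: dict) -> bool:
    """Recompute the MAC over all fields except the MAC itself."""
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


def naive_accept(msg: dict) -> bool:
    """Signature only: a replayed or reflected message still verifies."""
    return mac_ok(msg)


class Receiver:
    """Checks integrity, direction (anti-reflection) and freshness (anti-replay)."""

    def __init__(self, me: str):
        self.me = me
        self.last_seq = {}  # per-sender high-water mark of accepted sequence numbers

    def accept(self, msg: dict) -> bool:
        if not mac_ok(msg):
            return False
        # Reflection: a message we signed ourselves, or one not addressed to us.
        if msg["from"] == self.me or msg["to"] != self.me:
            return False
        # Replay: sequence number must move strictly forward for this sender.
        if msg["seq"] <= self.last_seq.get(msg["from"], 0):
            return False
        # Advance the high-water mark only after every check passed; updating it
        # earlier lets a flood of bad messages desynchronise the receiver.
        self.last_seq[msg["from"]] = msg["seq"]
        return True


def demo() -> dict:
    bank = Receiver("bank")
    pay = sign({"from": "alice", "to": "bank", "seq": 1, "text": "pay Adam $1,000"})
    receipt = sign({"from": "bank", "to": "alice", "seq": 7, "text": "receipt"})
    return {
        "first": bank.accept(pay),                 # True: fresh, well-directed
        "replay": bank.accept(pay),                # False: seq 1 already consumed
        "replay_naive": naive_accept(pay),         # True: signature alone cannot tell
        "reflection": bank.accept(receipt),        # False: bank's own message bounced back
        "reflection_naive": naive_accept(receipt), # True: it is genuinely signed
    }
```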