How can I prevent replay attacks and add another layer of encryption to my application when using token-based authentication, e.g. JSON Web authentication?
For more information see the spec.
A bit more detail.
A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. [Wikipedia]
So, if you are using a nonce, the data can only be transmitted once; therefore no re-transmission is possible. This prevents the classical replay attack.
To avoid delayed attacks, the expiration time and the issued time are used. This attack includes not only capturing the data traffic but also interrupting the traffic of the victim. And interrupting the traffic takes time.
Sure, using the expiration time and the issued time is not a 100 percent solution, but if you choose the values wisely you minimize the risk.
Answered By – Paul Wasilewski
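The answer above describes the three claims that do the work: a nonce so a token is accepted once, and an issued-at / expiration pair so a delayed token is rejected. The following example is added here to show those checks in code; it is not the answerer's code and not taken from any JWT library. It builds and verifies an HS256 JWT with only the Python standard library, uses the standard `jti`, `iat` and `exp` claim names, and keeps the set of already-seen `jti` values in an in-memory dictionary (an assumption made for the demo; a deployment with several verifying servers would need a shared store with the same expiry rule). The key and subject are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, ttl_seconds: int, now=None) -> str:
    """Issue an HS256 JWT carrying a random nonce (jti), iat and exp."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "sub": subject,
        "iat": now,                       # issued-at: bounds how old a token may be
        "exp": now + ttl_seconds,         # expiration: the replay window ends here
        "jti": secrets.token_urlsafe(16),  # nonce: 128 random bits, unique per token
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


class ReplayGuard:
    """Verifies tokens and remembers each jti until its exp so it is accepted once.

    leeway absorbs small clock differences between issuer and verifier.
    """

    def __init__(self, key: bytes, leeway_seconds: int = 30):
        self.key = key
        self.leeway = leeway_seconds
        self._seen = {}  # jti -> exp; assumption: single-process in-memory store

    def verify(self, token: str, now=None):
        """Return (True, claims) on success or (False, reason) on rejection."""
        now = int(time.time() if now is None else now)
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed"
        head, payload, sig = parts
        # 1. Integrity first: nothing inside the token is trusted before the MAC checks.
        expected = hmac.new(self.key, f"{head}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad signature"
        if json.loads(_b64url_decode(head)).get("alg") != "HS256":
            return False, "unexpected alg"
        claims = json.loads(_b64url_decode(payload))
        for name in ("iat", "exp", "jti"):
            if name not in claims:
                return False, f"missing {name}"
        # 2. Time window: rejects tokens held back and delivered later (delayed replay).
        if claims["iat"] > now + self.leeway:
            return False, "issued in the future"
        if claims["exp"] <= now - self.leeway:
            return False, "expired"
        # 3. Nonce: forget jti values whose exp has passed (they fail step 2 anyway),
        #    then reject any jti presented a second time within its window.
        self._seen = {j: e for j, e in self._seen.items() if e > now - self.leeway}
        if claims["jti"] in self._seen:
            return False, "replayed"
        self._seen[claims["jti"]] = claims["exp"]
        return True, claims


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    guard = ReplayGuard(key)
    token = mint_token(key, "alice", ttl_seconds=300, now=1_000_000)
    print(guard.verify(token, now=1_000_010))   # accepted once
    print(guard.verify(token, now=1_000_011))   # second presentation: replayed
    print(guard.verify(token, now=1_000_400))   # presented after exp: expired
```

Because expired tokens are rejected by the time check, the verifier only has to remember a `jti` for as long as the token is valid, which is what keeps the nonce store bounded; a shorter `ttl_seconds` therefore both shrinks the delayed-replay window and shrinks that store. The signature is checked before any claim is read so that a modified `exp` or `jti` never reaches the logic that trusts it.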