Description
The text states:

> To limit the size of the data structure, the Authorization Server should use a sliding window, allowing Client Attestation PoPs within a certain time window, in which the seen challenge or jti values are stored, but discarded afterwards. (...) These data structures need to:
>
> - search the data structure to validate whether a challenge form a Client Attestation PoP has been previously seen
> - insert the new challenges from the Client Attestation PoP if the search returned no result
> - delete the challenges after the Client Attestation PoP has passed the sliding time window
First comment: the iat field from the received should be tested first, and if it falls outside the time window, the verification process fails.
Second comment: the case of jti is not addressed. The words "or jti" should be removed. For replay detection, the management of challenges and of jti are quite different. These two cases should be addressed separately.
Third comment: the sentence "These data structures need to (...) search, insert or delete" is incorrect. A process can search, insert or delete, but "data structures" can't do it.
Fourth comment: What are "these data structures"? They are not described. It is believed that these data structures should be composed of an array with two columns: "iat" and "challenge".
Fifth comment: The actual description is incorrect. "search the data structure to validate whether a challenge form a Client Attestation PoP has been previously seen". The list does not contain "previously seen" challenges but "previously generated" challenges. It is likely that this writing is the result of the willingness to address challenge and jti in the same paragraph, which is not possible.
"If the search returned no result" the treatment looks odd: "insert the new challenges (s?!?) from the Client Attestation PoP". The insertion should only be done once the Client Attestation PoK has passed other checks. It is again likely that this writing is the result of the willingness to address challenge and jti in the same paragraph, which is not possible.
For challenges, when the search is unsuccessful, the treatment is indicated in the next sentence:
- insert the new challenges from the Client Attestation PoP if the
search returned no result
This treatment is incorrect. Challenges are never inserted using challenges contained in the Client Attestation PoK.
Sixth comment: The treatment will be different depending on whether the challenge has been provided using a challenge endpoint or within the session with the client.
The use of a challenge endpoint mandates the use of a single list for all current and incoming sessions, while the use of a list per session allows splitting the list into small parts. Looking into small parts of a list is more efficient than looking into a single large list.
A trie (also called prefix tree), or a Patricia trie (also called radix tree), is not needed when using many small lists. It remains to be demonstrated that they are effective when using a single list where challenges are large random numbers.
When using challenges, I would NOT RECOMMEND the use of a single list.
However, when using jti, a single list MUST be used.
The whole section would need to be rewritten.
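As an added illustration of the distinction drawn in this issue (it is not code from the draft or from any reference implementation), the following Python sketch keeps the two replay-protection cases apart: a single sliding-window store for client-chosen jti values, and a per-session store of server-generated challenges that are inserted when issued, looked up when a PoP arrives, and deleted on first use or when they age out. In both cases the iat check runs before any lookup. The window length, class and method names, and the session identifiers are assumptions made for the example.

```python
import heapq
import secrets

WINDOW_SECONDS = 300  # constructed value: length of the sliding window in seconds


class JtiReplayGuard:
    """Single store of jti values accepted within the sliding window.

    jti values are chosen by the client, so the server can only remember every
    value it has accepted and refuse a repeat while it is still inside the window.
    Entries whose iat has left the window are discarded.
    """

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self._seen: dict[str, int] = {}       # jti -> iat
        self._expiry: list[tuple[int, str]] = []  # min-heap of (iat, jti) for eviction

    def _evict(self, now: int) -> None:
        # Drop every entry whose iat is older than the window.
        while self._expiry and now - self._expiry[0][0] > self.window:
            iat, jti = heapq.heappop(self._expiry)
            if self._seen.get(jti) == iat:
                del self._seen[jti]

    def check_and_record(self, jti: str, iat: int, now: int) -> bool:
        """Return True if the PoP is fresh and not a replay; record its jti."""
        # The iat check comes first: a PoP outside the window fails before any lookup.
        if iat > now or now - iat > self.window:
            return False
        self._evict(now)
        if jti in self._seen:          # search
            return False
        self._seen[jti] = iat          # insert only after the checks passed
        heapq.heappush(self._expiry, (iat, jti))
        return True


class ChallengeStore:
    """Per-session store of challenges the server itself generated.

    Challenges are inserted when the server issues them, never from a received
    PoP. A PoP is accepted only if it carries a challenge that is still pending
    for that session; the challenge is deleted on first use.
    """

    def __init__(self, window: int = WINDOW_SECONDS):
        self.window = window
        self._sessions: dict[str, dict[str, int]] = {}  # session -> {challenge: issued_at}

    def issue(self, session_id: str, now: int) -> str:
        """Generate a fresh random challenge for this session and remember it."""
        challenge = secrets.token_urlsafe(32)
        self._sessions.setdefault(session_id, {})[challenge] = now
        return challenge

    def consume(self, session_id: str, challenge: str, iat: int, now: int) -> bool:
        """Accept a PoP's challenge once. Call only after the PoP signature verified."""
        if iat > now or now - iat > self.window:
            return False
        pending = self._sessions.get(session_id, {})
        # Delete challenges for this session that have left the window.
        for stale in [c for c, t in pending.items() if now - t > self.window]:
            del pending[stale]
        # Search for the challenge and delete it on first use (pop returns None if absent).
        return pending.pop(challenge, None) is not None


if __name__ == "__main__":
    guard = JtiReplayGuard()
    print(guard.check_and_record("jti-1", 1000, 1000))   # True: first use
    print(guard.check_and_record("jti-1", 1000, 1010))   # False: replay inside window
    store = ChallengeStore()
    c = store.issue("session-A", 1000)
    print(store.consume("session-A", c, 1000, 1005))     # True: issued by the server
    print(store.consume("session-A", c, 1000, 1006))     # False: already consumed
```

The per-session dictionary keeps each lookup over a small set, which is the point made above about small lists; the jti guard has no such partitioning available because nothing in a client-chosen jti ties it to a session.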