practical security ramifications of increasing WCF clock skew to more than an hour
- by Andrew Patterson
I have written a WCF service that returns 'semi-private' data concerning peoples name, addresses and phone numbers. By semi-private, I mean that there is a username and
password to access the data, and the data is meant to be secured in transit. However,
IMHO noone is going to expend any energy trying to obtain the data, as it is mostly available
in the public phone book anyway etc. At some level, the security is a bit of security 'theatre' to tick some boxes imposed on us by government entities.
The client end of the service is an application which is given out to registered
'users' to run within their own IT setups. We have no control over the IT
of the users - and in fact they often tell us to 'go jump' if we put too many
requirements on their systems.
One problem we have been encountering is numerous users that have system clocks
that are not accurate. This can either be caused by a genuine slow/fast clocks, or
more than likely a timezone or daylight savings zone error (putting their
machine an hour off the 'real' time). A feature of the WCF bindings we are
using is that they rely on the notion of time to detect replay attacks etc.
<wsHttpBinding>
<binding name="normalWsBinding" maxBufferPoolSize="524288" maxReceivedMessageSize="655360">
<reliableSession enabled="false" />
<security mode="Message">
<message clientCredentialType="UserName" negotiateServiceCredential="false"
algorithmSuite="Default" establishSecurityContext="false" />
</security>
</binding>
</wsHttpBinding>
The inaccurate client clocks cause security exceptions to be thrown and
unhappy users.
Other than suggesting users correct their clocks, we know that we can
increase the clock skew of the security bindings.
http://www.danrigsby.com/blog/index.php/2008/08/26/changing-the-default-clock-skew-in-wcf/
My question is, what are the real practical security ramifications of
increasing the skew to say 2 hours? If an attacker can perform some
sort of replay attack, why would a clock skew window of 5 minutes
be necessarily safer than 2 hours? I presume performing any
attack with security mode of 'message' requires more than just
capturing some data at a proxy and sending the data back in again
to 'replay' the call? In a situation like mine where data is
only 'read' by the users, are there indeed any security ramifications
at all to allowing 'replay' attacks?