I am trying to understand the concept of timestamps in request headers in web services but somehow still can't understand fully how it works.
I would appreciate it if someone can explain the end-to-end use of timestamps in request and response of web services.
Is it really a foolproof method of preventing replay attacks?
A timestamp by itself wouldn't be sufficient, but usually it is combined with a hashing mechanism to guarantee that the values haven't been tampered with.
The idea is that the client generates the parameters, and uses their private key to hash the parameters. The [hash + original values + public key] are then sent with the request. The server can use the public key to look up the private key, and ensure that the parameters are correct.
The timestamp is used, along with some threshold, to ensure that particular request can't be used more than once. If the threshold is small (a few hundred milliseconds) then a replay attack is virtually impossible.
Timestamp is not encrypted and it should be in soap header.
<wsu:Timestamp wsu:Id="timestamp">
<wsu:Created>2014-07-01T11:30:28.123+05:30</wsu:Created>
<wsu:Expires>2014-07-01T11:35:28.123+05:30</wsu:Expires>
</wsu:Timestamp>
If expires time is little after Created time, it can minimize replay attack. Actually it is not just the timestamp. You should add digest of timestamp to SignedInfo section.
<ds:Reference URI="#timestamp">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<InclusiveNamespaces PrefixList="wsse soap" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>TGgFBvglhb+jZCvjV0+oVnNaivpVBp5iVbJEqkTfaCU=</ds:DigestValue>
</ds:Reference>
So at the server side these digests must match. Even that is not all, then you sign whole signedInfo with private key and add signature value to Signature element as following.
<ds:SignatureValue>jdO5GIZ9v1VTngFZcMpz5hz62RwToq2W24A9KhJ5JNySZW1AHhd3s+eTduZZPD0Ok6Wtgzu5kquK
IinPdi5IbGjlg6mXGDbVkLd79RBdnbzFxsJFBtRr9r3mQZp9xfU7zSJW3kbizz6Jjk3h+S2nNbUu
f7rFrNN53ciRtj9RlKzQzmW7BDaFuq18DUfcr70muSkmd4DIqxYDGScjEjgIqLE2pYwIdDDRUGPD
MuwuIN3DgB051QwcE75SVrKBKsTHmFADmN3nKzmQ/JUQuLot0vW6WUFRMLVlAcl5C09SGPOcpow2
kjbuWx/bI7Aj4nAaAnmAYsWKIA3xVao+nPBOWmM0Lg7kpC4Dr5DwahmjH0/78aVUU23DEiMc0kR0
YDg5CxD8MUuj24w8tAjuzoHrvcsIYw+vWCTKvucnXwTlZ+K3QFB6gkct2zVOyQeYaPpkAnmPYS3W
DDpNmsx3lDcNr+5QWTsUbSQaFDddjHT/zoOJ8+iZKY/RujOI5vfXVwgN</ds:SignatureValue>
Now we can make sure that replay attacks are not possible. Since anyone else cannot have the same private key and so there is no way to alter timestamps and still have a valid signature.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 别忘想泡老子 的文章《How does Timestamp helps in preventing Replay Atta》','https://www.manongdao.com/article-349776.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}