2

When an HTTPS conversation is initiated, a random number is generated to create a key for the exchange (or something like that). What I don't understand is how this prevents replay attacks.

Why can't an attacker just repeat all the requests that the real client made?

This answer claims it isn't possible, while this answer claims the opposite. I can't see how an attack wouldn't be possible, unless there were nonces involved.

4

1 Answer

4

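The answer is here, provided by @Emirikol: https://softwareengineering.stackexchange.com/a/194668/245162

HTTPS is sufficient to protect the server from replay attacks (the same message being sent twice) if the server is configured to allow only the TLS protocol, per RFC 2246 section F.2.

This is done through the use of message authentication codes (MAC).

See also: https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake_in_detail

Answered 2017-07-31T02:50:23.483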
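The mechanism the answer refers to, as an added example that is not part of the original answer: in TLS 1.0 (RFC 2246, section 6.2.3.1) the record MAC covers an implicit per-connection sequence number, and the MAC secret is derived from fresh client and server random values, so a captured record fails verification both when replayed on the same connection and on a new one. Encryption is left out, the `Endpoint` class is a hypothetical helper, and the random MAC secrets are constructed stand-ins for the handshake's key derivation.

```python
import hashlib
import hmac
import os
import struct

APPLICATION_DATA = 23  # TLS ContentType application_data
TLS_1_0 = (3, 1)       # ProtocolVersion major, minor


def record_mac(mac_secret, seq_num, fragment):
    """HMAC-SHA1 over seq_num + type + version + length + fragment."""
    header = struct.pack("!QBBBH", seq_num, APPLICATION_DATA, *TLS_1_0, len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class Endpoint:
    """One direction of a connection (hypothetical helper, not a real TLS API)."""

    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.seq = 0  # never sent on the wire; both sides count records

    def protect(self, fragment):
        mac = record_mac(self.mac_secret, self.seq, fragment)
        self.seq += 1
        return fragment, mac

    def accept(self, fragment, mac):
        expected = record_mac(self.mac_secret, self.seq, fragment)
        if not hmac.compare_digest(expected, mac):
            return False  # real TLS: fatal bad_record_mac alert, connection closed
        self.seq += 1
        return True


def demo():
    # Constructed secret; in TLS it comes from the master secret and both randoms.
    secret = os.urandom(20)
    client, server = Endpoint(secret), Endpoint(secret)
    record = client.protect(b"POST /transfer amount=100")  # constructed request
    first = server.accept(*record)          # seq 0 on both sides
    replay_same = server.accept(*record)    # server now expects seq 1
    # New connection: new randoms in the handshake, so a different MAC secret.
    replay_new = Endpoint(os.urandom(20)).accept(*record)
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo())
```
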