How to: Enable Message Replay Detection

A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack will process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.

For more information about message replay detection, see Message Replay Detection.

The following procedure demonstrates various properties that you can use to control replay detection using Windows Communication Foundation (WCF).

To control replay detection on the client using code

1. Create a SecurityBindingElement to use in a CustomBinding. For more information, see How to: Create a Custom Binding Using the SecurityBindingElement. The following example uses a SymmetricSecurityBindingElement created with the CreateKerberosBindingElement of the SecurityBindingElement class.

2. Use the LocalClientSettings property to return a reference to the LocalClientSecuritySettings class and set any of the following properties, as appropriate:

   1. DetectReplay. A Boolean value. This governs whether the client should detect replays from the server. The default is true.

   2. MaxClockSkew. A TimeSpan value. Governs how much time skew the replay mechanism can tolerate between the client and the server. The security mechanism examines the time stamp sent and determines whether it was sent too far back in the past. The default is 5 minutes.

   3. ReplayWindow. A TimeSpan value. This governs how long a message can live in the network after the server sends it (through intermediaries) before reaching the client. The client tracks the signatures of the messages sent within the latest ReplayWindow for the purposes of replay detection.

   4. ReplayCacheSize. An integer value. The client stores the signatures of the message in a cache. This setting specifies how many signatures the cache can store. If the number of messages sent within the last replay window reaches the cache limit, new messages are rejected until the oldest cached signatures reach the time limit. The default is 500000.

To control replay detection on the service using code

1. Create a SecurityBindingElement to use in a CustomBinding.

2. Use the LocalServiceSettings property to return a reference to the LocalServiceSecuritySettings class, and set the properties as described previously.

To control replay detection in configuration for the client or service

1. Create a <customBinding>.

2. Create a <security> element.

3. Create a <localClientSettings> or <localServiceSettings>.

4. Set the following attribute values, as appropriate: detectReplays, maxClockSkew, replayWindow, and replayCacheSize. The following example sets the attributes of both a <localServiceSettings> and a <localClientSettings> element:

   <customBinding>  
     <binding name="NewBinding0">  
      <textMessageEncoding />  
       <security>  
        <localClientSettings
         replayCacheSize="800000"
         maxClockSkew="00:03:00"  
         replayWindow="00:03:00" />  
        <localServiceSettings
         replayCacheSize="800000"
         maxClockSkew="00:03:00"  
         replayWindow="00:03:00" />  
       <secureConversationBootstrap />  
      </security>  
     <httpTransport />  
    </binding>  
   </customBinding>  
   

Example

The following example creates a SymmetricSecurityBindingElement using the CreateKerberosBindingElement method, and sets the replay properties of the binding.

private SecurityBindingElement CreateSymmetricBindingForClient()
{
    SymmetricSecurityBindingElement b = SecurityBindingElement.CreateKerberosBindingElement();
    b.LocalClientSettings.DetectReplays = true;
    b.LocalClientSettings.MaxClockSkew = new TimeSpan(0, 3, 0);
    b.LocalClientSettings.ReplayWindow = new TimeSpan(0, 2, 0);
    b.LocalClientSettings.ReplayCacheSize = 10000;
    return b;
}

Private Function CreateSymmetricBindingForClient() As SecurityBindingElement
    Dim b = SecurityBindingElement.CreateKerberosBindingElement()
    With b.LocalClientSettings
        .DetectReplays = True
        .MaxClockSkew = New TimeSpan(0, 3, 0)
        .ReplayWindow = New TimeSpan(0, 2, 0)
        .ReplayCacheSize = 10000
    End With
    Return b
End Function

Scope of Replay: Message Security Only

Note that the following procedures apply only to Message security mode. For Transport and Transport with Message Credential modes, the transport mechanisms detect replays.

Secure Conversation Notes

For bindings that enable secure conversations, you can adjust these settings both for the application channel as well as for the secure conversation bootstrap binding. For example, you can turn off replays for the application channel but enable them for the bootstrap channel that establishes the secure conversation.

If you do not use secure conversation sessions, replay detection does not guarantee detecting replays in server farm scenarios and when the process is recycled. This applies to the following system-provided bindings:

• BasicHttpBinding.

• WSHttpBinding with the EstablishSecurityContext property set to false.

Compiling the Code

• The following namespaces are required to compile the code:

• System

• System.ServiceModel

• System.ServiceModel.Channels

See also

• LocalClientSecuritySettings
• LocalServiceSecuritySettings
• Secure Conversations and Secure Sessions
• <localClientSettings>
• How to: Create a Custom Binding Using the SecurityBindingElement