Skip to content

fix(auth)!: change timestamp to ms since Unix epoch for effective replay protection#58

Open
VasilevNStas wants to merge 1 commit into
APN-Network:masterfrom
VasilevNStas:29-fix/timestamp-ms
Open

fix(auth)!: change timestamp to ms since Unix epoch for effective replay protection#58
VasilevNStas wants to merge 1 commit into
APN-Network:masterfrom
VasilevNStas:29-fix/timestamp-ms

Conversation

@VasilevNStas

Copy link
Copy Markdown
Contributor

Description

Changes Auth.timestamp from uint32 (minutes since project epoch) to uint64 timestamp_ms (milliseconds since Unix epoch) for effective per-message replay protection.

Problem

The previous uint32 timestamp used minute granularity. Every Auth sent within the same 60-second window carried the identical value. With the ±1 minute acceptance window, a captured frame could be replayed for up to 119 seconds. This is not a nonce — it's a coarse time window.

Fix

Before After
uint32 timestamp = 2 uint64 timestamp_ms = 2
Minutes since 2024-01-01 UTC Milliseconds since Unix epoch
±1 minute acceptance ~1–2 second skew window
HMAC input: 4 bytes LE/BE undefined HMAC input: 8 bytes big-endian

The big-endian serialization is now explicitly specified in the HMAC comment.

Migration

Breaking wire change — the Auth frame format changes. All Nodes and clients must update simultaneously:

  • Auth field 2 wire type changes (varint fits within 1–10 bytes)
  • HMAC input length changes from 4 to 8 bytes
  • Generated code symbol changes from timestamp to timestamp_ms

Closes #29

@VasilevNStas

Copy link
Copy Markdown
Contributor Author

@yegor256 @davvd plz review this PR

@VasilevNStas
VasilevNStas force-pushed the 29-fix/timestamp-ms branch from fee2ffe to 5c1ecf5 Compare July 4, 2026 18:09
@VasilevNStas

Copy link
Copy Markdown
Contributor Author

@davvd conflicts resolved.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Auth.timestamp minute granularity makes replay-prevention nonce ineffective

1 participant