Secure tokens are commonly used to authenticate messages transmitted between two integrated systems. By relying on a secure token for authentication, integrated systems reduce the need to exchange security credentials that would otherwise be necessary to authenticate every call between them. For instance, a calling system can include a secure token in a request to access a particular resource through a particular endpoint of a receiving system. The receiving system authenticates the request by validating the secure token included in it, rather than through a less secure procedure that requires the exchange of login credentials on every call.
However, when a secure token can be reused, there exists a possibility of a replay attack, in which a malicious party captures the secure token by observing an authentic transmission and then reuses it for malicious purposes, such as making calls to the receiving system for different resources from the same or a different endpoint. Thus, reusability of a secure token introduces a risk that a malicious user who steals the token can invoke functionality that the user is not entitled to.
One possible way to overcome this vulnerability is to employ single-use tokens in place of reusable tokens. While integrated systems relying on single-use tokens can in principle avoid vulnerability to a replay attack, implementing such a system has a drawback: the receiving system must be able to verify whether each secure token included in a message has been used previously. This verification necessarily requires the receiving system to maintain a repository of previously used tokens (at minimum, all used tokens that have not yet expired), which grows over time and becomes increasingly expensive to store and query. But without resorting to single-use tokens, a window always exists, from the moment a token is issued until it expires, during which a system is vulnerable to a replay attack. Accordingly, a need exists to increase the security of network transmissions by reducing the vulnerability to a replay attack made using a stolen secure token.
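The trade-off described above, between reusable tokens (replayable within their validity window) and single-use tokens (which require a repository of used tokens), can be made concrete with a small verifier. The following is an added example written for this page, not code from the original text: it issues HMAC-signed tokens carrying a subject, a target resource, an expiry and a unique token identifier (assumed claim names `sub`, `res`, `exp`, `jti`), and a verifier that can run either in reusable mode or in single-use mode. In single-use mode the repository of seen identifiers is pruned of expired entries on every call, so it only ever holds identifiers for tokens that are still valid; this bounds the repository to the number of tokens issued within one expiry window rather than all tokens ever seen. The key and scenario values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment would load this from a secret store.
SECRET = b"constructed-demo-key-not-for-production"


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_token(secret: bytes, subject: str, resource: str, ttl: int, now: int) -> bytes:
    """Issue a token bound to one resource with a lifetime of `ttl` seconds.

    `jti` is a fresh random identifier so that each token can be tracked
    individually by a single-use verifier (assumed claim layout)."""
    claims = {"sub": subject, "res": resource, "iat": now, "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return body + b"." + _b64(mac)


class TokenVerifier:
    """Verifies tokens; in single-use mode, rejects any jti seen before."""

    def __init__(self, secret: bytes, single_use: bool):
        self.secret = secret
        self.single_use = single_use
        self.seen = {}  # jti -> exp, the repository of used-but-unexpired tokens

    def _prune(self, now: int) -> None:
        # Drop entries whose token has expired: an expired token is rejected
        # by the exp check anyway, so remembering it gains nothing.
        for jti in [j for j, exp in self.seen.items() if exp <= now]:
            del self.seen[jti]

    def verify(self, token: bytes, resource: str, now: int) -> str:
        if self.single_use:
            self._prune(now)
        body, _, sig = token.partition(b".")
        try:
            presented = _unb64(sig)
            claims = json.loads(_unb64(body))
        except (binascii.Error, ValueError):
            return "malformed"
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(presented, expected):
            return "bad signature"   # tampered claims or wrong key
        if now >= claims["exp"]:
            return "expired"         # outside the validity window
        if claims["res"] != resource:
            return "wrong resource"  # replay against a different endpoint
        if self.single_use:
            if claims["jti"] in self.seen:
                return "replayed"    # same token presented a second time
            self.seen[claims["jti"]] = claims["exp"]
        return "ok"


def replay_scenario() -> dict:
    """Constructed scenario: a legitimate call, then replays of the captured token."""
    token = issue_token(SECRET, "alice", "/orders", ttl=60, now=1000)
    reusable = TokenVerifier(SECRET, single_use=False)
    single = TokenVerifier(SECRET, single_use=True)
    tampered = token.replace(b".", b"x", 1)  # break the body/signature split
    return {
        "reusable_first": reusable.verify(token, "/orders", 1000),
        "reusable_replay": reusable.verify(token, "/orders", 1010),
        "single_first": single.verify(token, "/orders", 1000),
        "single_replay": single.verify(token, "/orders", 1010),
        "other_endpoint": single.verify(token, "/admin", 1010),
        "after_expiry": single.verify(token, "/orders", 1060),
        "repository_size_after_expiry": len(single.seen),
        "tampered": single.verify(tampered, "/orders", 1000),
    }


if __name__ == "__main__":
    for check, result in replay_scenario().items():
        print(f"{check}: {result}")
```

The resource claim shows why binding a token to its endpoint matters even for reusable tokens: a captured token cannot be redirected at a different resource. The single-use repository stays small only because tokens expire; a single-use design with non-expiring tokens would have to retain every identifier forever, which is the growth problem the text describes.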