Replay Protection
Every INK message MUST include:
nonce: A base64url-encoded random value, 16 to 256 characters. 22 characters (128 bits) is the recommended minimum; conforming receivers MUST accept any length in that range.timestamp: ISO 8601 UTC timestamp.
Validation Rules
Receiving agents MUST:
- Reject messages with timestamps older than 5 minutes from the receiver’s clock.
- Reject messages with timestamps in the future by more than 30 seconds.
- Track seen
(sender, nonce)pairs and reject duplicates for at least the timestamp window. A 10-minute retention window is recommended so a nonce stays tracked after its timestamp expires.
Nonce storage is the integrator’s responsibility. The library
exposes a checkReplay() primitive that decides whether a single
(timestamp, nonce) pair is fresh given a caller-supplied seen-nonce set; the
caller owns the cache and its TTL.
Rationale
The 5-minute window accommodates reasonable clock skew between agents while limiting the replay attack surface. The 30-second future tolerance prevents rejection of messages from slightly fast clocks.
The recommended 10-minute nonce-retention window is intentionally larger than the timestamp window so a nonce is still tracked after the timestamp becomes invalid, preventing an edge case where a message’s timestamp expires but its nonce is purged from tracking, potentially allowing re-acceptance with a fresh timestamp.