
Replay and credential replay attacks — SY0-701

Master replay and credential replay attacks for CompTIA Security+ SY0-701: definitions, how they differ from MitM, and what countermeasures the exam tests.

WHAT IT IS

A replay attack is an attack that involves the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access (CNSSI 4009-2015, via NIST CSRC Glossary). In the digital identity context, NIST SP 800-63-4 further specifies it as an attack in which the attacker is able to replay previously captured messages between a legitimate claimant and a verifier to masquerade as that claimant to the verifier, or vice versa.

A credential replay attack is the same mechanism applied specifically to authentication credentials — the attacker captures the data structure or object that binds a subscriber's identity to an authenticator (NIST SP 800-63-4 definition of "credential") and retransmits it to impersonate that subscriber, without ever needing to know the underlying secret.


Mental model

Think of authentication as a handshake that proves you possess and control an authenticator (NIST SP 800-63-4). A replay attack does not crack that possession — it photographs the handshake and replays the photograph later. The verifier sees what looks like a valid handshake and cannot distinguish it from the real thing unless the protocol is designed to detect reuse.

The claimant's secret is never exposed. The attacker wins by reusing a legitimate, previously transmitted message.


When to use it

Candidates are most often asked to distinguish a replay attack from a man-in-the-middle (MitM) attack. The table below uses only NIST-grounded attributes.

| Attribute | Replay attack | Man-in-the-middle (MitM) attack |
| --- | --- | --- |
| Attacker timing | Captures first, acts later (two phases) | Positioned during the live exchange (one continuous phase) |
| Goal | Retransmit previously captured data to gain unauthorized access (CNSSI 4009-2015) | Intercept and selectively modify data to masquerade as one or more parties (CNSSI 4009-2015) |
| Modification required? | No — the captured message is retransmitted as-is | Yes — the attacker intercepts and selectively modifies communicated data (CNSSI 4009-2015) |
| Live presence required? | No — attacker is absent during the legitimate session | Yes — attacker must be positioned between the parties during communication (NIST SP 1800-21B) |
| Primary countermeasure | Nonces, timestamps, sequence numbers — values that are never repeated with the same key (NIST SP 800-63-4) | Mutual authentication, certificate validation |

COMMON MISCONCEPTION

"A replay attack requires the attacker to know the victim's password or secret."

This is incorrect. NIST SP 800-63-4 defines authentication as the process by which a claimant proves possession and control of authenticators. A replay attack bypasses that proof entirely — the attacker retransmits the evidence of possession (the transmitted authenticator message or credential token), not the underlying secret. The attacker never learns the password; they reuse the proof the password produced. This is why replay-resistant protocols must use values that are never repeated with the same key (NIST SP 800-63-4 definition of "nonce") rather than simply stronger encryption of the secret.

A related misconception is that encrypting credentials prevents replay. Encryption protects confidentiality in transit, but if the attacker captures and retransmits the encrypted message without modification, the verifier may still accept it. Replay resistance requires the protocol to reject previously seen values — encryption alone does not achieve this.
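The following added example (written for this page; it is not code from CutScore or from any NIST document) illustrates the mental model above and the two misconceptions in this section in one place. It assumes a constructed shared secret and uses an HMAC-SHA256 tag over (username, nonce, timestamp) as a stand-in for whatever authentication message crosses the wire. A naive verifier checks only that the proof is genuine, so a byte-identical retransmission of the captured message is accepted even though the attacker never learned the secret and the message was never modified; a replay-resistant verifier adds the countermeasures the table names, a freshness window on the timestamp and a cache of already-consumed nonces, and rejects the same retransmission. The tampering check shows why integrity protection alone is not replay resistance: altering the message is caught by both verifiers, but reusing it unchanged is caught only by the second.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple

# Constructed shared secret between claimant and verifier (illustration only).
SHARED_SECRET = b"constructed-demo-secret"


class AuthMessage(NamedTuple):
    """The transmitted authentication message an attacker could capture on the wire."""
    username: str
    nonce: str       # claimant-chosen random value, never repeated with the same key
    timestamp: int   # seconds since epoch when the claimant built the message
    tag: str         # HMAC-SHA256 proof of possession of SHARED_SECRET


def build_message(secret: bytes, username: str, timestamp: int) -> AuthMessage:
    """Claimant side: prove possession of the secret without transmitting it."""
    nonce = secrets.token_hex(16)
    data = f"{username}|{nonce}|{timestamp}".encode()
    tag = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return AuthMessage(username, nonce, timestamp, tag)


def tag_is_valid(secret: bytes, msg: AuthMessage) -> bool:
    """Recompute the proof and compare in constant time."""
    data = f"{msg.username}|{msg.nonce}|{msg.timestamp}".encode()
    expected = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.tag)


class NaiveVerifier:
    """Checks only that the proof is genuine. A byte-identical retransmission passes."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def verify(self, msg: AuthMessage, now: int) -> bool:
        return tag_is_valid(self.secret, msg)


class ReplayResistantVerifier:
    """Adds a freshness window on the timestamp and a cache of already-accepted
    nonces, so the same message cannot be accepted twice."""

    def __init__(self, secret: bytes, window: int = 30) -> None:
        self.secret = secret
        self.window = window
        self.seen: dict[str, int] = {}  # nonce -> timestamp of first acceptance

    def verify(self, msg: AuthMessage, now: int) -> bool:
        # Drop nonces older than the window; a message that old fails the
        # timestamp check anyway, so the cache stays bounded without losing safety.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if abs(now - msg.timestamp) > self.window:
            return False  # stale (or clock-skewed) message
        if msg.nonce in self.seen:
            return False  # replay: this nonce was already consumed
        if not tag_is_valid(self.secret, msg):
            return False  # forged or tampered message
        self.seen[msg.nonce] = msg.timestamp  # consume the nonce
        return True


def run_demo(now: int = 1_700_000_000) -> dict[str, bool]:
    """Legitimate login at `now`, the captured message replayed 10 s later and
    again after the window closes, plus a modified copy to contrast with MitM."""
    captured = build_message(SHARED_SECRET, "alice", now)
    tampered = captured._replace(username="bob")  # modification, as in MitM
    naive = NaiveVerifier(SHARED_SECRET)
    resistant = ReplayResistantVerifier(SHARED_SECRET, window=30)
    return {
        "naive_original": naive.verify(captured, now),
        "naive_replay": naive.verify(captured, now + 10),
        "naive_tampered": naive.verify(tampered, now),
        "resistant_original": resistant.verify(captured, now),
        "resistant_replay": resistant.verify(captured, now + 10),
        "resistant_late_replay": resistant.verify(captured, now + 60),
        "resistant_tampered": resistant.verify(tampered, now),
    }


if __name__ == "__main__":
    for check, accepted in run_demo().items():
        print(f"{check:24s} accepted={accepted}")
```

Running the script shows both verifiers accepting the original message and rejecting the tampered copy, while only the replay-resistant verifier rejects the unmodified retransmission. In a real deployment the nonce cache would live in shared storage so that every verifier instance sees the same consumed values; the window length is a trade-off between tolerated clock skew and the time an attacker has to replay.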


How it shows up on the exam

The cognitive target is apply — scenarios present a described attack and ask candidates to name it, or present a proposed control and ask whether it mitigates replay. Signal phrases to recognize:

  • "captured authentication data" / "intercepted login token"
  • "retransmitted" / "reused" credential or session token
  • "attacker did not need the password" or "password was never exposed"
  • "nonce" / "timestamp" / "sequence number" as a proposed fix

Candidates often confuse replay with MitM because both involve intercepted messages. The distinguishing factor grounded in NIST definitions is timing and modification: replay is a two-phase, non-modifying reuse of captured data; MitM is a live, modification-capable interposition. When a scenario describes an attacker who was present during the original exchange and altered the data, that points away from a pure replay attack.

A common misconception — that stronger encryption on the credential token prevents replay — may appear as a plausible-but-incorrect control option. The NIST nonce definition (NIST SP 800-44 v2: "a randomly generated value used to defeat 'playback' attacks") and the SP 800-63-4 nonce definition ground why replay resistance requires non-repeating values, not just confidentiality.


Sources

Every claim on this page traces to the public exam blueprint and official documentation:
