[4542] in Kerberos
Re: Interoperability questions regarding the Kerberos GSS-API Mechanism
daemon@ATHENA.MIT.EDU (Jim Miller)
Wed Feb 1 15:30:04 1995
From: jim@bilbo.suite.com (Jim Miller)
Date: Wed, 1 Feb 95 14:12:08 -0600
To: Danny.Nessett@eng.sun.com (Dan Nessett)
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com
Dan Nessett writes:
> It is the sequence number checks that will not work with
> multi-threading.
>
I agree. The sequence number feature is too simple. One idea I've been
thinking about would be to treat the sequence numbers more like
timestamps. Each ticket could contain a set of "sequence" numbers (maybe
as an initial random number and a count, or perhaps as a set of discrete
random numbers) to use when securing messages via that ticket. This set
would be known to both the client and the destination server. The
destination server would save replay records just as it does for
timestamped messages, only these replay records would contain the
"sequence" numbers rather than timestamps. The replay detection logic
would have to be modified not only to compare the sequence numbers present
in messages with those in replay records, but also to be smart enough
to know which sequence number belongs to which ticket/set. It would take
some doing, but it should be possible; after all, the destination server
knows which ticket was used to secure the message.
Jim_Miller@suite.com
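The per-ticket sequence-number replay cache sketched in the message above, as an added example that is not code from this thread or from MIT Kerberos, with the simple next-number check beside it to show why out-of-order (multi-threaded) delivery breaks it; the ticket ids and the "initial number plus count" allocation are constructed assumptions:

```python
"""Replay records keyed by ticket, holding sequence numbers instead of
timestamps. Added illustration, not MIT Kerberos code; ticket ids and the
'initial number plus count' allocation are constructed assumptions."""

class StrictSequenceChecker:
    """The simple scheme: each message must carry exactly the next number.
    Threads deliver out of order, so legitimate messages are refused."""

    def __init__(self, initial):
        self.expected = initial

    def accept(self, seq):
        if seq != self.expected:
            return False
        self.expected += 1
        return True

class TicketSequenceCache:
    """Server side: each ticket has the set of numbers agreed with the
    client at issue time. A number is accepted once and then kept as a
    replay record for that ticket, so arrival order does not matter but a
    repeat, or a number from another ticket's set, is refused. Records can
    be dropped when the ticket expires, as timestamp records age out."""

    def __init__(self):
        self._unused = {}  # ticket_id -> numbers not yet seen
        self._seen = {}    # ticket_id -> replay records

    def register_ticket(self, ticket_id, initial, count):
        self._unused[ticket_id] = set(range(initial, initial + count))
        self._seen[ticket_id] = set()

    def accept(self, ticket_id, seq):
        unused = self._unused.get(ticket_id)
        if unused is None or seq not in unused:
            return False  # unknown ticket, replay, or wrong set
        unused.remove(seq)
        self._seen[ticket_id].add(seq)
        return True

def run_strict(initial, arrivals):
    """Feed a constructed arrival order to the simple checker."""
    chk = StrictSequenceChecker(initial)
    return [chk.accept(s) for s in arrivals]

def run_ticket_cache(ticket_id, initial, count, arrivals):
    """Same arrivals against the per-ticket set; count numbers were issued."""
    cache = TicketSequenceCache()
    cache.register_ticket(ticket_id, initial, count)
    return [cache.accept(ticket_id, s) for s in arrivals]
```

With arrivals `[1000, 1002, 1001, 1003, 1002]` (three threads interleaved, then one replay) the strict checker refuses two legitimate messages and accepts the replay, while the per-ticket set accepts all four originals and refuses only the repeat.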