[16010] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #8681] False-positive replays in {mk, rd}_{cred, safe,

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu May 10 22:05:33 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8681@krbdev.mit.edu>
Message-ID: <rt-8681-48546.12.3501591250115@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8681'":;
Date: Thu, 10 May 2018 22:05:25 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

I believe this problem applies to the replay records created by 
krb5_mk_cred, krb5_rd_cred, krb5_mk_safe, krb5_rd_safe, krb5_mk_priv, 
and krb5_rd_priv.

Mixing in the client name would not entirely fix the problem.  Multiple 
agents of the same client could create messages at the same time.  For 
AP exchanges, we found a way to add a hash of the encrypted 
authenticator to the replay record.  That should also work for _cred 
and _priv, though not necessarily _safe as there is no confounder to 
make the messages unique.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home help back first fref pref prev next nref lref last post