[1366] in Kerberos_V5_Development


Re: kdc performance and rcache

daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Jul 1 15:03:01 1996

To: Ken Raeburn <raeburn@cygnus.com>
Cc: Sam Hartman <hartmans@MIT.EDU>, krbdev@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 01 Jul 1996 15:02:23 -0400
In-Reply-To: Ken Raeburn's message of 29 Jun 1996 17:55:05 -0400

>>>>> "Ken" == Ken Raeburn <raeburn@cygnus.com> writes:

    Ken> Sam Hartman <hartmans@mit.edu> writes:

    >> but there is some concern about a potential for a known
    >> plaintext attack by having the kdc respond multiple times to a
    >> particular TGS request.

    Ken> I'd be interested in hearing more details on this.  If it
    Ken> really is a problem, we can just use a better cache
    Ken> structure.

    >> issue, but it is important to at least realize that clients do
    >> assume that the KDC will look up their requests in the replay
    >> cache and resend the same response if packets are lost, etc.

    Ken> Um, I really hope not.  Why should the client require that
    Ken> all responses be identical, as long as one gets through that
    Ken> works?

	That is fine, but the clients will break if lost packets can
cause a replay error if the KDC gets the request but the client
doesn't get the response.
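
The failure mode discussed in this message, as an added example that is not part of the original thread and not MIT krb5 code: a toy KDC that either rejects a byte-identical retransmission as a replay or resends the stored reply. All names (`kdc_handle`, `retransmit_after_loss`, `resend_on_dup`) and the request bytes are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration only: hypothetical names, not MIT krb5 code. */
#define SLOTS 8
#define MAXLEN 64
enum outcome { FRESH_REPLY, RESENT_REPLY, REPLAY_ERROR, DROPPED };

struct entry { size_t req_len, rep_len; unsigned char req[MAXLEN], rep[MAXLEN]; };
struct kdc { int resend_on_dup; size_t used; unsigned issued; struct entry e[SLOTS]; };

/* Process one request datagram. A byte-identical repeat is either rejected
 * (strict replay cache) or answered with the stored reply (lookaside). */
enum outcome kdc_handle(struct kdc *k, const unsigned char *req, size_t req_len,
                        unsigned char *rep, size_t *rep_len)
{
    if (req_len == 0 || req_len > MAXLEN)
        return DROPPED;
    for (size_t i = 0; i < k->used; i++) {
        struct entry *e = &k->e[i];
        if (e->req_len == req_len && memcmp(e->req, req, req_len) == 0) {
            if (!k->resend_on_dup)
                return REPLAY_ERROR;
            memcpy(rep, e->rep, e->rep_len);   /* same bytes, nothing re-issued */
            *rep_len = e->rep_len;
            return RESENT_REPLY;
        }
    }
    /* Stand-in for building and encrypting a real reply. */
    int n = snprintf((char *)rep, MAXLEN, "reply-%u", ++k->issued);
    *rep_len = (size_t)n;
    if (k->used < SLOTS) {                     /* full cache: reply is not stored */
        struct entry *e = &k->e[k->used++];
        memcpy(e->req, req, req_len);  e->req_len = req_len;
        memcpy(e->rep, rep, *rep_len); e->rep_len = *rep_len;
    }
    return FRESH_REPLY;
}

/* Client view: the first reply is lost on the wire, so the client retransmits
 * the same bytes. Returns the outcome of the retransmission. */
enum outcome retransmit_after_loss(struct kdc *k)
{
    static const unsigned char req[] = "constructed-TGS-REQ";  /* sample input */
    unsigned char rep[MAXLEN]; size_t len = 0;
    kdc_handle(k, req, sizeof req, rep, &len);  /* reply dropped in transit */
    return kdc_handle(k, req, sizeof req, rep, &len);
}
```

With `resend_on_dup` set to 0 the retransmission comes back as `REPLAY_ERROR`; with it set to 1 the client receives the stored reply and `issued` stays at 1.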

