[16878] in Kerberos_V5_Development
Re: Authdata, preauth plugin headers
daemon@ATHENA.MIT.EDU (Dmitri Pal)
Tue Jun 14 17:24:38 2011
Message-ID: <4DF64880.8000409@redhat.com>
Date: Mon, 13 Jun 2011 13:27:28 -0400
From: Dmitri Pal <dpal@redhat.com>
MIME-Version: 1.0
To: krbdev@mit.edu
In-Reply-To: <4DF6437B.1090100@lsexperts.de>
Reply-To: dpal@redhat.com
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 06/13/2011 01:06 PM, Cornelius Kölbel wrote:
> This depends on the otp backend.
> A time based otp value is valid during a time window of usually 30 or 60
> seconds.
>
> The backend can store the last used timebased counter.
> Thus the decent backend of course invalidates the otp value from this
> window, when it was used.
> i.e. the user cannot authenticate within the next 29 seconds.
This is called a high water mark. The last used interval number is in fact
stored and replicated to all other servers.
> Kind regards
> Cornelius
>
> Am 13.06.2011 18:25, schrieb Russ Allbery:
>> Linus Nordberg <linus@nordu.net> writes:
>>
>>> What kind of OTP systems are vulnerable to replay attacks?
>> TOTP is, isn't it? Time-based OTP doesn't, so far as I understand it,
>> store a sequence number, so there isn't a non-time way of invalidating
>> used codes.
>>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
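The thread above discusses how a TOTP backend defends against replay: a code is valid for a whole time step (typically 30 or 60 seconds), so the server must remember the last accepted step number (the high water mark) and refuse anything at or below it. The following is an added illustration written for this page; it is not code from the krbdev thread, from MIT Kerberos or from FreeIPA. It implements RFC 6238 TOTP over HMAC-SHA1 and a verifier with a +/-1 step skew window and a per-user high water mark. Assumptions: the key is the well-known RFC 6238 test key (not a real secret), times are constructed Unix timestamps, and an in-memory dict stands in for the replicated per-principal store a real deployment would use.

```python
import hashlib
import hmac
import struct

# Constructed example key: the RFC 6238 SHA-1 test vector key, NOT a real secret.
TEST_KEY = b"12345678901234567890"
STEP = 30      # seconds per time step (the validity window of one code)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(key, now // step, digits)


class TotpVerifier:
    """TOTP verification with a per-user high water mark to stop replays.

    The high water mark is the last time-step counter that produced a successful
    authentication. Any candidate step at or below it is refused even if the code
    would otherwise match, so a code captured on the wire cannot be reused during
    the rest of its validity window (or later, via the skew window). In a real
    multi-server deployment this value must be replicated to every verifier.
    """

    def __init__(self, skew: int = 1, step: int = STEP, digits: int = DIGITS):
        self.skew = skew          # accept codes from +/- this many steps (clock drift)
        self.step = step
        self.digits = digits
        # user -> last accepted counter. Hypothetical in-memory store standing in
        # for the replicated backend the thread describes.
        self.high_water: dict[str, int] = {}

    def verify(self, user: str, key: bytes, code: str, now: int) -> bool:
        counter = now // self.step
        last = self.high_water.get(user, -1)
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate < 0 or candidate <= last:
                continue  # already consumed (replay) or older than the high water mark
            if hmac.compare_digest(hotp(key, candidate, self.digits), code):
                self.high_water[user] = candidate  # advance the high water mark
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier()
    code = totp(TEST_KEY, 59)              # code for time step 1 (t = 30..59)
    print("first use at t=59:", v.verify("alice", TEST_KEY, code, 59))    # True
    print("replay at t=75:   ", v.verify("alice", TEST_KEY, code, 75))    # False, same step
    print("replay at t=61:   ", v.verify("alice", TEST_KEY, code, 61))    # False, via skew window
    print("fresh code t=61:  ", v.verify("alice", TEST_KEY, totp(TEST_KEY, 61), 61))  # True
```

Note that without the `candidate <= last` check a code would remain usable for the remainder of its 30-second step and, because of the skew window, for the following step as well; the high water mark is what turns a "valid for 30 seconds" code into a single-use one. The cost, as the thread notes, is that a user who authenticates cannot authenticate again until the next time step begins.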