[16944] in Kerberos_V5_Development
Re: FAST cookies
daemon@ATHENA.MIT.EDU (Linus Nordberg)
Wed Jun 29 09:54:45 2011
To: krbdev@mit.edu
From: Linus Nordberg <linus@nordu.net>
Date: Wed, 29 Jun 2011 15:53:33 +0200
Message-ID: <87aad0bv6q.fsf@nordberg.se>
Greg Hudson <ghudson@MIT.EDU> wrote Mon, 27 Jun 2011 12:07:37 -0400:
| * A preauth system's verify_padata function gets the unpacked cookie
| value corresponding to its pa type as input, or a null value if there
| isn't one.
OK.
| * A preauth system's return_padata function can provide a cookie value
| which is packed into the inner sequence. If no preauth systems supply
| cookies, we send an old-style "MIT" cookie in order to save space and
| processing time.
In order to add a cookie to a PA-OTP-CHALLENGE, we need to be able to
do this in the edata function too.
| What is the appropriate allowable time skew for a cookie? Clock skew is
| not a factor (except when the KDC's clock changes, which hopefully only
| happens in tiny increments), but the client may have asked the user for
| input, which could take an arbitrary amount of time.
|
| A cookie could be replayed within the time window, by someone who knows
| the armor key of a previous exchange. Is this a problem for OTP? I
| think I still need to do more review before I know the answer to that.
I'm unsure about this. I'll try to find out.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
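A small model of the cookie handling discussed in this thread, added here as an illustration; it is not code from MIT krb5 or from anyone on the list. It shows the two behaviours Greg describes: each preauth system's verify_padata step receives only the unpacked value for its own pa type (or None), and the KDC falls back to an old-style "MIT" cookie when no preauth system supplies a value. It also checks the cookie against a time window, which is the open question in the thread: the MAC stops tampering, but a valid cookie can still be presented again inside the window, so the window length is the replay budget. The packed layout (a constructed prefix, a JSON body, an HMAC tag), the key, and the 600-second window are all constructed for this example; the only value taken from elsewhere is the PA-OTP-CHALLENGE pa type number 141 from RFC 6560.

```python
import hashlib
import hmac
import json

# Assumptions: this is a simplified model of the design described on the list,
# not MIT krb5's implementation or wire format.
KDC_COOKIE_KEY = b"constructed-kdc-cookie-key"   # stand-in for the KDC's cookie key
COOKIE_WINDOW = 600                               # seconds a cookie stays valid (chosen value)
OLD_STYLE_COOKIE = b"MIT"                         # old-style cookie sent when no system supplies a value
MAGIC = b"CK1"                                    # constructed prefix marking the packed form
PA_OTP_CHALLENGE = 141                            # pa type number from RFC 6560, used only as a key here


class CookieError(Exception):
    """Raised when a cookie fails authentication or falls outside the window."""


def pack_cookie(values, issued_at, key=KDC_COOKIE_KEY):
    """Pack per-pa-type cookie values into one authenticated blob.

    values: dict mapping pa type (int) -> bytes supplied by that preauth
    system's return_padata (or, per Linus, its edata) step. An empty dict
    yields the old-style cookie instead of a packed sequence.
    """
    if not values:
        return OLD_STYLE_COOKIE
    inner = [[pa, val.hex()] for pa, val in sorted(values.items())]
    body = json.dumps({"t": issued_at, "pa": inner}, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return MAGIC + body + tag


def unpack_cookie(cookie, now, key=KDC_COOKIE_KEY, window=COOKIE_WINDOW):
    """Verify and unpack a cookie; returns dict pa_type -> bytes (empty for old-style)."""
    if cookie == OLD_STYLE_COOKIE:
        return {}
    if not cookie.startswith(MAGIC) or len(cookie) < len(MAGIC) + 32:
        raise CookieError("malformed cookie")
    body, tag = cookie[len(MAGIC):-32], cookie[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise CookieError("bad cookie MAC")
    obj = json.loads(body)
    age = now - obj["t"]
    # Clock skew between KDC and client does not matter here: the KDC both
    # issued and checks the cookie. The window only bounds how long the
    # client may take (for example waiting on user input) and, with it, the
    # replay window Greg asks about.
    if age < 0 or age > window:
        raise CookieError("cookie outside time window")
    return {pa: bytes.fromhex(hexval) for pa, hexval in obj["pa"]}


def cookie_value_for(cookie, pa_type, now):
    """What verify_padata for pa_type receives: its own value, or None."""
    return unpack_cookie(cookie, now).get(pa_type)


if __name__ == "__main__":
    # Constructed sample: the OTP preauth system stored a challenge nonce.
    cookie = pack_cookie({PA_OTP_CHALLENGE: b"nonce-from-challenge"}, issued_at=1000)
    print(cookie_value_for(cookie, PA_OTP_CHALLENGE, now=1100))   # the stored nonce
    print(cookie_value_for(cookie, 142, now=1100))                # None: not this system's value
    print(pack_cookie({}, issued_at=1000))                        # b'MIT'
```

The per-pa-type lookup is what keeps one preauth system from seeing or depending on another's state, and the empty-dict path is the space-saving fallback Greg mentions. Nothing in the cookie itself prevents a second use inside the window; whether that matters for OTP is exactly what the thread leaves open.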