GSSAPI security for connection encryption

Ken Raeburn raeburn at MIT.EDU
Wed Aug 18 15:42:41 EDT 2004


On Aug 18, 2004, at 06:52, Markus Moeller wrote:
> If I want to secure a connection between a client and a server with
> gssapi, I have to cut the data into blocks to fit into the buffers used
> by gss_wrap and gss_unwrap. Is there any check that these blocks are
> sent in the right order and not tampered with? As far as I understand
> it each block is protected, but not the sequence of the blocks.
>
> Does this mean gssapi encryption on connections is flawed?

No, GSSAPI mechanisms can provide sequencing checks, although they 
aren't required to.  (Kerberos can provide it.)  Look at the req_flags 
and ret_flags arguments to gss_init_sec_context.

Ken
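
The flag handling the reply points to, as an added example that is not part of the original post: the req_flags value to ask for, the check on ret_flags once the context is established, and how a receiver should read the gss_unwrap major status for each block. The names STREAM_REQ_FLAGS, missing_services, classify_unwrap and enum verdict are hypothetical; the GSS_* constants are written out with their RFC 2744 values so the block compiles without the GSSAPI headers.

```c
/* Added example. Constants are the RFC 2744 C-binding values; a real
 * program gets them from <gssapi/gssapi.h> rather than defining them. */
#include <stdint.h>
#include <stdio.h>
typedef uint32_t OM_uint32;
#define GSS_C_REPLAY_FLAG     4u
#define GSS_C_SEQUENCE_FLAG   8u
#define GSS_C_CONF_FLAG       16u
#define GSS_C_INTEG_FLAG      32u
#define GSS_S_COMPLETE        0u
#define GSS_S_DUPLICATE_TOKEN (1u << 1)
#define GSS_S_OLD_TOKEN       (1u << 2)
#define GSS_S_UNSEQ_TOKEN     (1u << 3)
#define GSS_S_GAP_TOKEN       (1u << 4)
#define GSS_S_BAD_SIG         (6u << 16)
#define GSS_ERROR(x)          ((x) & 0xffff0000u) /* calling + routine errors */

/* Value to pass as req_flags to gss_init_sec_context for a block stream. */
#define STREAM_REQ_FLAGS (GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | \
                          GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)

/* Requested services absent from ret_flags once the context is established.
 * Nonzero means the mechanism did not grant them: do not send data. */
OM_uint32 missing_services(OM_uint32 ret_flags)
{
    return STREAM_REQ_FLAGS & ~ret_flags;
}

enum verdict { REC_OK, REC_INVALID, REC_REPLAYED, REC_OLD, REC_LATE, REC_GAP };
/* Classify the major status of one gss_unwrap call. The four sequencing
 * results are supplementary bits, so GSS_ERROR() is 0 for them and a
 * receiver that tests only GSS_ERROR() would accept a reordered block. */
enum verdict classify_unwrap(OM_uint32 major)
{
    if (GSS_ERROR(major))              return REC_INVALID;  /* bad MIC, bad token */
    if (major & GSS_S_DUPLICATE_TOKEN) return REC_REPLAYED; /* seen before */
    if (major & GSS_S_OLD_TOKEN)       return REC_OLD;      /* too old to check */
    if (major & GSS_S_UNSEQ_TOKEN)     return REC_LATE;     /* later one already seen */
    if (major & GSS_S_GAP_TOKEN)       return REC_GAP;      /* predecessor missing */
    return REC_OK;
}

int main(void)
{
    OM_uint32 ret_flags = STREAM_REQ_FLAGS & ~GSS_C_SEQUENCE_FLAG; /* constructed */
    printf("missing=0x%x late=%d\n", (unsigned)missing_services(ret_flags),
           (int)classify_unwrap(GSS_S_UNSEQ_TOKEN));
    return 0;
}
```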


