GSSAPI security for connection encryption
Ken Raeburn
raeburn at MIT.EDU
Wed Aug 18 15:42:41 EDT 2004
On Aug 18, 2004, at 06:52, Markus Moeller wrote:
> If I want to secure a connection between a client and a server with
> gssapi, I have to cut the data into blocks to fit into the buffers used
> by gss_wrap and gss_unwrap. Is there any check that these blocks are
> sent in the right order and not tampered with? As far as I understand
> it each block is protected, but not the sequence of the blocks.
>
> Does this mean gssapi encryption on connections is flawed?
No, GSSAPI mechanisms can provide sequencing checks, although they
aren't required to. (Kerberos can provide it.) Look at the req_flags
and ret_flags arguments to gss_init_sec_context.
Ken
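
The check the reply points to, as an added example that is not part of the original message: ask for sequencing and replay detection in req_flags, confirm the mechanism granted them in ret_flags, and reject any block whose gss_unwrap status carries a sequencing bit. The constants use the values from RFC 2744 so the block compiles without a GSSAPI library; the helper names and sample status values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Values from RFC 2744; real code takes them from <gssapi/gssapi.h>. */
#ifndef GSS_C_REPLAY_FLAG
#define GSS_C_REPLAY_FLAG     4u
#define GSS_C_SEQUENCE_FLAG   8u
#define GSS_C_CONF_FLAG       16u
#define GSS_C_INTEG_FLAG      32u
#define GSS_S_DUPLICATE_TOKEN (1u << 1)
#define GSS_S_OLD_TOKEN       (1u << 2)
#define GSS_S_UNSEQ_TOKEN     (1u << 3)
#define GSS_S_GAP_TOKEN       (1u << 4)
#endif

/* req_flags to pass to gss_init_sec_context for a protected byte stream. */
static const uint32_t STREAM_REQ_FLAGS =
    GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;

/* Hypothetical helper: requested services absent from ret_flags.
 * A mechanism may establish the context without granting everything
 * that was asked for, so 0 is the only acceptable result. */
uint32_t missing_stream_services(uint32_t ret_flags)
{
    return STREAM_REQ_FLAGS & ~ret_flags;
}

/* Hypothetical helper: decide from gss_unwrap's major status whether a
 * block may be delivered. Sequencing problems are supplementary bits
 * that can accompany an otherwise successful status, so testing only
 * for an error (the GSS_ERROR() test) does not catch them. */
int block_acceptable(uint32_t major_status)
{
    const uint32_t seq_bits = GSS_S_DUPLICATE_TOKEN | GSS_S_OLD_TOKEN |
                              GSS_S_UNSEQ_TOKEN | GSS_S_GAP_TOKEN;
    if (major_status & 0xFFFF0000u)   /* calling or routine error */
        return 0;
    return (major_status & seq_bits) == 0;
}

int main(void)
{
    /* Constructed sample values, not output from a real context. */
    uint32_t ret_flags = GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
    printf("missing services: 0x%x\n", (unsigned)missing_stream_services(ret_flags));
    printf("in-order block ok: %d\n", block_acceptable(0));
    printf("reordered block ok: %d\n", block_acceptable(GSS_S_UNSEQ_TOKEN));
    return 0;
}
```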