API for verifying authenticator checksum?
Peter Mogensen
apm at one.com
Mon Dec 1 03:03:55 EST 2014
On 2014-12-01 07:00, Greg Hudson wrote:
> On 11/27/2014 02:34 AM, Peter Mogensen wrote:
>> I was looking at libkrb5 for the public API mirroring "in_data" in
>> krb5_mk_req()
>> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html
>
> I have noticed myself the asymmetry between mk_req taking application
> data to checksum and rd_req not taking any to verify.
It seems IBM has a variant of krb5_rd_req() which does verify:
http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.euvfb00/rqvfy.htm
> Be aware that integrity-protecting application data using the
> authenticator checksum increases a protocol's dependency on the replay
> cache, which is inherently imperfect.
This seems counter-intuitive to me.
Or at least... the purpose would not be to integrity-protect the
application data, but rather to bind the authenticator to the specific
user-data to not let it be used with other user-data payloads.
At least for user-data with idempotent or otherwise only-valid-once
semantics, this would reduce the need for a replay cache.
Am I missing something?
/Peter
More information about the Kerberos
mailing list