API for verifying authenticator checksum?

Peter Mogensen apm at one.com
Mon Dec 1 03:03:55 EST 2014

On 2014-12-01 07:00, Greg Hudson wrote:
> On 11/27/2014 02:34 AM, Peter Mogensen wrote:
>> I was looking at libkrb5 for the public API mirroring "in_data" in
>> krb5_mk_req()
>> http://web.mit.edu/kerberos/krb5-current/doc/appdev/refs/api/krb5_mk_req.html
> I have noticed myself the asymmetry between mk_req taking application
> data to checksum and rd_req not taking any to verify.

It seems IBM has a variant of krb5_rd_req() which does verify:

> Be aware that integrity-protecting application data using the
> authenticator  checksum increases a protocol's dependency on the replay
> cache, which is inherently imperfect.

This seems counter-intuitive to me.
Or at least... the purpose would not be to integrity-protect the 
application data, but rather to bind the authenticator to the specific 
user-data to not let it be used with other user-data payloads.
At least for user-data with idempotent or otherwise only-valid-once 
semantics, this would reduce the need for a replay cache.

Am I missing something?


More information about the Kerberos mailing list