API for verifying authenticator checksum?
apm at one.com
Mon Dec 1 03:03:55 EST 2014
On 2014-12-01 07:00, Greg Hudson wrote:
> On 11/27/2014 02:34 AM, Peter Mogensen wrote:
>> I was looking at libkrb5 for the public API mirroring "in_data" in
> I have noticed myself the asymmetry between mk_req taking application
> data to checksum and rd_req not taking any to verify.
It seems IBM has a variant of krb5_rd_req() which does verify:
> Be aware that integrity-protecting application data using the
> authenticator checksum increases a protocol's dependency on the replay
> cache, which is inherently imperfect.
This seems counter-intuitive to me.
Or at least... the purpose would not be to integrity-protect the
application data, but rather to bind the authenticator to the specific
user-data to not let it be used with other user-data payloads.
At least for user-data with idempotent or otherwise only-valid-once
semantics, this would reduce the need for a replay cache.
Am I missing something?
More information about the Kerberos