API for verifying authenticator checksum?

Greg Hudson ghudson at mit.edu
Mon Dec 1 10:47:19 EST 2014

On 12/01/2014 03:03 AM, Peter Mogensen wrote:
>> Be aware that integrity-protecting application data using the
>> authenticator  checksum increases a protocol's dependency on the replay
>> cache, which is inherently imperfect.

> This seems counter-intuitive to me.

The more robust alternative is to do mutual authentication, wait for the
AP-REP, and send the payload encrypted or checksummed in the acceptor
subkey.  This is what a GSSAPI application would do if a modern enctype
is used.  (Well, assuming the application doesn't use prot_ready.)

I wasn't suggesting simply trusting the payload without integrity

> Or at least... the purpose would not be to integrity-protect the
> application data, but rather to bind the authenticator to the specific
> user-data to not let it be used with other user-data payloads.
> At least for user-data with idempotent or otherwise only-valid-once
> semantics, this would reduce the need for a replay cache.

I don't think idempotence is sufficient.  A payload of "set bank account
balance to $100" is idempotent, but you don't want an attacker to be
able to replay that message after a different payload changed the balance.

But yes, for a certain subset of application payloads, replays are not
an issue, and 0-RTT integrity protection is workable without a perfect
replay cache.

More information about the Kerberos mailing list