[krbdev.mit.edu #8681] False-positive replays in {mk, rd}_{cred, safe, priv}
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Thu May 10 22:05:25 EDT 2018

I believe this problem applies to the replay records created by
krb5_mk_cred, krb5_rd_cred, krb5_mk_safe, krb5_rd_safe, krb5_mk_priv,
and krb5_rd_priv.

Mixing in the client name would not entirely fix the problem. Multiple
agents of the same client could create messages at the same time. For
AP exchanges, we found a way to add a hash of the encrypted
authenticator to the replay record. That should also work for _cred
and _priv, though not necessarily _safe as there is no confounder to
make the messages unique.
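
Added example, not part of the original message and not MIT krb5 code: a simplified model of a replay cache, showing the false positive described above and why hashing the message bytes into the record helps only when a confounder makes each message unique. The record layout, `ReplayCache`, `priv_message`, `safe_message`, `simulate`, the key and the timestamp are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

KEY = b"constructed-session-key"  # constructed sample key, not a real krb5 key


def priv_message(payload):
    # Stand-in for a _priv/_cred ciphertext: a random confounder makes the
    # bytes unique per message. Real encryption is omitted in this model.
    return os.urandom(16) + payload


def safe_message(payload):
    # Stand-in for a _safe message: cleartext plus keyed checksum, with no
    # confounder, so the same payload always yields the same bytes.
    return payload + hmac.new(KEY, payload, hashlib.sha256).digest()


class ReplayCache:
    """Hypothetical replay cache; a record is (timestamp, usec[, msg hash])."""

    def __init__(self, use_msg_hash):
        self.use_msg_hash = use_msg_hash
        self.seen = set()

    def check_and_store(self, timestamp, usec, message):
        """Return True if accepted, False if flagged as a replay."""
        record = (timestamp, usec)
        if self.use_msg_hash:
            record += (hashlib.sha256(message).digest(),)
        if record in self.seen:
            return False
        self.seen.add(record)
        return True


def simulate(use_msg_hash, make_message):
    """Two agents of one client send the same payload in the same
    microsecond, then agent A's message is replayed verbatim.
    Returns [A accepted, B accepted, replay of A accepted]."""
    rc = ReplayCache(use_msg_hash)
    ts, usec = 1525989925, 0  # constructed timestamp shared by both agents
    msg_a = make_message(b"data")
    msg_b = make_message(b"data")
    return [rc.check_and_store(ts, usec, m) for m in (msg_a, msg_b, msg_a)]


if __name__ == "__main__":
    print("time only, priv:", simulate(False, priv_message))
    print("time + hash, priv:", simulate(True, priv_message))
    print("time + hash, safe:", simulate(True, safe_message))
```

In the third case agent B's legitimate message is byte-for-byte identical to agent A's, so the hash cannot tell it apart from a replay.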