Replaying and server side caching.
Darren Reed (OSE)
darrenr at optimation.com.au
Thu Apr 10 23:17:34 EDT 2003
> From: Marcus Watts
[...]
> I'm not sure I understand what security advantage there is to not
> replying to a duplicated request with the same response. It's just the
> same packet over again -- what new thing does an attacker learn he
> didn't know the first time? If it is a problem, then having the KDC
> refuse to send duplicated responses doesn't fix anything, since the
> attacker could still duplicate and return extra responses.
If the attacker can re-use a TGT request that has already been sent to
cause a valid TGT response to come back, then the attacker can gain
access where perhaps they previously could not.
Darren
More information about the krbdev
mailing list