Replaying and server side caching.

Darren Reed (OSE) darrenr at
Thu Apr 10 23:17:34 EDT 2003

> From: Marcus Watts
> I'm not sure I understand what security advantage there is to not
> replying to a duplicated request with the same response.  It's just the
> same packet over again -- what new thing does an attacker learn he
> didn't know the first time?  If it is a problem, then having the KDC
> refuse to send duplicated responses doesn't fix anything, since the
> attacker could still duplicate and return extra responses.

If the attacker can re-use a TGT request that has already been sent to
cause a valid TGT response to come back, then the attacker can gain
access where perhaps they previously could not.


More information about the krbdev mailing list