Replaying and server side caching.
Nicolas Williams
Nicolas.Williams at sun.com
Fri Apr 11 14:10:51 EDT 2003
On Fri, Apr 11, 2003 at 12:21:44PM -0500, Jacques A. Vidrine wrote:
> On Fri, Apr 11, 2003 at 09:41:22AM -0700, Nicolas Williams wrote:
> > Though I suppose that it might be easier to mount a dictionary attack
> > against an AS-REP's enc-part than against a pa-enc-timestamp. Is it?
>
> No. They are both quite easy due to ASN.1 encoding regularities.
> In the first 16 bytes of either, much of the content is known or
> trivially recognizable. The PA-ENC-TIMESTAMP content is mostly known
> except for perhaps the hour/minute/seconds part. For example,
I did say "might" - I hadn't sat down to look at how much known
plaintext there might be in each of those two items. Thanks for
pointing out the known plaintext due to the encoding. There sure is
plenty.
I think the conclusion is clear: it's ok for the KDC to respond to
replayed requests with the original responses.
Cheers,
Nico
--
More information about the krbdev
mailing list