open-source cryptocard libraries
Ken Hornstein
kenh at cmf.nrl.navy.mil
Sun Jan 21 18:30:09 EST 2007
> So, we use Cryptocard here (no secret), and we have two KDCs. What do
> we do about it? Nothing.
>
>If I implemented KB-1 cryptocard support with no updates of the seed
>value, and posted the code, I'd expect someone to publish a
>timing/replay attack based on talking to the slave KDC(s) within about 6
>months.
And how would the attacker know what the old cryptocard response is?
Assuming the protocol is done correctly (e.g., you're using the
existing hardware preauth protocol) and the attacker hasn't
compromised the client machine (in which case all bets are off),
a replay against a slave KDC should not be possible.
--Ken
More information about the krbdev
mailing list