review of Projects/replay_cache_collision_avoidance, ending Jan. 12

Greg Hudson ghudson at MIT.EDU
Mon Dec 29 02:42:04 EST 2008

On Mon, 2008-12-29 at 00:13 -0500, Tom Yu wrote:
> I will try to dig up records of those discussions, but a pointer would
> be helpful.

I found:

These posts from Sam are particularly relevant:

The conversation picks up again in 2008:

I'm not finding any piece of discussion specifically connecting the dots
between "maybe an attacker can perturb the authenticator a little bit
and change its hash without invalidating it" and "we should store the
authenticator".  In fact, Sam seemed to be arguing simply for hashing
the decrypted authenticator rather than its encrypted form.

More information about the krbdev mailing list