Decrypt integrity check failed after sending several correct messages

Jose Miguel Such jsuch at
Mon Feb 11 06:08:04 EST 2008


I'm kerberizing a distributed application using the GSS-API and Kerberos 
version 1.6.1. 

It consists of several processes running on several hosts. There are two kind 
of processes: sender processes and receiver processes. The application works 
as follows: processes are grouped as pair of processes so that a sender 
process and a receiver process exchange a fixed number of encrypted messages 
(currently 1000). 

The point is that when a lot of process pairs are running (more than 700, i.e, 
1400 processes) there is always a random pair (or more than one) that fails.
After exchanging (and also encrypting and decrypting) some messages one of the 
agents that are part of that pair fails when trying to decrypt the message 
received, but it has decrypted all the previous messages without errors.

The failure is allways the same, when i call to gss_unwrap to decrypt the 
message i get these errors:

Major status: A token had an invalid Message Integrity Check (MIC)
Minor status: Decrypt integrity check failed

The problem is solved if i retry to call gss_unwrap with the same message 
after waiting for 10 or 20 milliseconds once it has failed for the first 

Is there anyone knowing what happens? Could i avoid waiting and retrying 

Jose M. Such

More information about the krbdev mailing list