Projects/replay_cache_collision_avoidance and replay cache uses

Greg Hudson ghudson at MIT.EDU
Mon Jan 5 16:11:23 EST 2009


On Mon, 2009-01-05 at 16:00 -0500, ghudson at MIT.EDU wrote:
> In the process of preparing to implement
> Projects/replay_cache_collision_avoidance I noticed that we don't just
> use the replay cache for received authenticators.  The full range of
> uses is:
> 
>   * krb5_rd_req (the basic authenticator case)
>   * krb5_mk_priv/krb5_rd_priv
>   * krb5_mk_safe/krb5_rd_safe
>   * verify_sam_response (KDC preauth)

I failed to list:

  * krb5_mk_cred/krb5_rd_cred

For these uses, my plan is to hash the ciphertext of the encrypted part
of the KRB_CRED message, as passed to krb5_c_decrypt.  However, in some
cases decryption does not occur during krb5_rd_cred, so I need to
understand that case better.
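
An added illustration (not part of the original message, and not MIT krb5 code) of the plan described above: a replay cache keyed by a hash of the ciphertext handed to decryption. The class name, the SHA-256 choice, the 300-second lifetime and the sample byte strings are assumptions made for this sketch; the case where no decryption occurs is left unresolved here, as it is in the message.

```python
import hashlib
import time


class CiphertextReplayCache:
    """Replay cache keyed by a hash of the encrypted part (illustrative only)."""

    def __init__(self, lifetime=300, clock=time.time):
        self.lifetime = lifetime   # assumed acceptance window, in seconds
        self.clock = clock         # injectable clock so expiry can be tested
        self._seen = {}            # digest -> time at which the entry expires

    def _expire(self, now):
        # Drop entries whose window has passed so the cache stays bounded.
        for digest in [d for d, exp in self._seen.items() if exp <= now]:
            del self._seen[digest]

    def check_and_store(self, ciphertext: bytes) -> bool:
        """Return True and record the message if fresh, False if replayed."""
        if not ciphertext:
            # No ciphertext means there is nothing to hash; this sketch
            # refuses rather than guessing how that case should be keyed.
            raise ValueError("no ciphertext available to hash")
        now = self.clock()
        self._expire(now)
        digest = hashlib.sha256(ciphertext).digest()
        if digest in self._seen:
            return False
        self._seen[digest] = now + self.lifetime
        return True


def demo():
    # Constructed byte strings standing in for two encrypted parts.
    msg_a = bytes.fromhex("a1b2c3d4") * 8
    msg_b = bytes.fromhex("0f1e2d3c") * 8
    cache = CiphertextReplayCache()
    return [
        cache.check_and_store(msg_a),  # first sighting
        cache.check_and_store(msg_b),  # different ciphertext, same moment
        cache.check_and_store(msg_a),  # byte-for-byte replay
    ]


if __name__ == "__main__":
    print(demo())
```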




