Projects/replay_cache_collision_avoidance and replay cache uses
Greg Hudson
ghudson at MIT.EDU
Mon Jan 5 16:11:23 EST 2009
On Mon, 2009-01-05 at 16:00 -0500, ghudson at MIT.EDU wrote:
> In the process of preparing to implement
> Projects/replay_cache_collision_avoidance I noticed that we don't just
> use the replay cache for received authenticators. The full range of
> uses are:
>
> * krb5_rd_req (the basic authenticator case)
> * krb5_mk_priv/krb5_rd_priv
> * krb5_mk_safe/krb5_rd_safe
> * verify_sam_response (KDC preauth)

I failed to list:

* krb5_mk_cred/krb5_rd_cred

For these uses, my plan is to hash the ciphertext of the encrypted part
of the KRB_CRED message, as passed to krb5_c_decrypt. However, in some
cases decryption does not occur during krb5_rd_cred, so I need to
understand that case better.
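
Added example, not part of the original message and not MIT krb5 code: a toy replay cache compared under two keying schemes, showing why keying on a hash of the ciphertext avoids treating two distinct messages with identical principals and timestamp as a replay. The names `ReplayCache`, `tuple_key` and `ciphertext_key`, the tuple-style key, the use of SHA-256, the 300-second lifespan and the sample messages are all assumptions made for illustration; it covers only the case where a ciphertext is available, not the krb5_rd_cred path where no decryption occurs.

```python
import hashlib

LIFESPAN = 300  # seconds an entry stays live; assumed value, not from the post


class ReplayCache:
    """Toy in-memory replay cache; key_fn decides what makes two messages 'the same'."""

    def __init__(self, key_fn, lifespan=LIFESPAN):
        self.key_fn = key_fn
        self.lifespan = lifespan
        self._expiry = {}  # key -> time after which the entry is forgotten

    def check_and_store(self, msg, now):
        """Return True if msg is fresh (and record it), False if it is a replay."""
        # Drop expired entries so the cache does not grow without bound.
        self._expiry = {k: t for k, t in self._expiry.items() if t > now}
        key = self.key_fn(msg)
        if key in self._expiry:
            return False
        self._expiry[key] = now + self.lifespan
        return True


def tuple_key(msg):
    # Assumed tuple-style key: principals plus timestamp only.
    return (msg["client"], msg["server"], msg["ctime"], msg["cusec"])


def ciphertext_key(msg):
    # Digest of the exact bytes that would be handed to the decrypt call.
    # SHA-256 is this example's choice; the post does not name a hash.
    return hashlib.sha256(msg["ciphertext"]).digest()


def demo():
    # Constructed messages: same principals and timestamp, different ciphertext.
    a = {"client": "alice@EXAMPLE.COM", "server": "host/srv@EXAMPLE.COM",
         "ctime": 1231189883, "cusec": 42, "ciphertext": b"\x01constructed-A"}
    b = dict(a, ciphertext=b"\x02constructed-B")
    by_tuple, by_hash = ReplayCache(tuple_key), ReplayCache(ciphertext_key)
    now = a["ctime"]
    return {
        "tuple": [by_tuple.check_and_store(m, now) for m in (a, b, a)],
        "hash": [by_hash.check_and_store(m, now) for m in (a, b, a)],
        # Forgetting entries is only safe if stale messages are rejected elsewhere.
        "after_expiry": by_hash.check_and_store(a, now + LIFESPAN + 1),
    }


if __name__ == "__main__":
    print(demo())
```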