[Ietf-krb-wg] fast and patypes in KRB-ERROR

Srinivas Cheruku srinivas.cheruku at gmail.com
Fri May 15 03:01:05 EDT 2009


Sam wrote:...
>Probably this is more of an IETF issue than an MIT issue.  My concern
>about doing this is that the negotiation of which fast factors are
>supported would be unprotected.

[Srinivas Cheruku] I was thinking about this more.
What effect would it have if the negotiation of FAST factors is not
protected?
When a non-FAST request is sent to the KDC, it returns a KRB-ERROR whose e-data
contains PA-FX-FAST. This is also not protected; PA-FX-FAST can also be deleted
from the initial unprotected error. If this happens, the client would send a
non-FAST request containing enc-timestamp instead of generating a FAST request.
It depends on the KDC policy whether non-FAST requests are allowed or not.

If we take the case of adding PA-ENCRYPTED-CHALLENGE or PA-OTP-CHALLENGE
along with PA-FX-FAST to the unprotected error, then if these are deleted in
transit, the client may not send OTP or ENC-CHALLENGE; but if the KDC is
configured so that the client requires these, then it won't generate the
ticket and would again ask for the same.

So, where do we see a potential risk in sending PA-ENCRYPTED-CHALLENGE or
PA-OTP-CHALLENGE along with PA-FX-FAST in the unprotected error? Am I
overlooking something?

Thanks,
Srini
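The downgrade question raised in this message, worked through as an added example (not code from MIT Kerberos, the IETF draft, or the poster): a small Python model of the KDC_ERR_PREAUTH_REQUIRED e-data, an on-path attacker that deletes or adds padata entries, and a client/KDC policy pair. It reports how each exchange ends and, separately, whether the client ever sent long-term-key material (an enc-timestamp) outside FAST armor, which is the thing an attacker actually gains from a downgrade. The padata-type numbers are the IANA-registered values; the policy flags (allow_non_fast, required_factor, advertise_factors, require_fast) and the client's preference order are assumptions made for the model, not settings of any real implementation.

```python
"""Model of the unprotected FAST pre-authentication negotiation (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# IANA padata-type numbers (RFC 4120, RFC 6113, RFC 6560).
PA_ENC_TIMESTAMP = 2
PA_FX_FAST = 136
PA_ENCRYPTED_CHALLENGE = 138
PA_OTP_CHALLENGE = 141


@dataclass(frozen=True)
class KdcPolicy:
    """Hypothetical KDC knobs for the model (not real krb5 configuration)."""
    allow_non_fast: bool = True            # accept a plain enc-timestamp AS-REQ?
    required_factor: Optional[int] = None  # insist on this padata type inside FAST
    advertise_factors: bool = True         # list OTP/ENC-CHALLENGE beside PA-FX-FAST (the proposal)


@dataclass(frozen=True)
class ClientPolicy:
    """Hypothetical client knob: refuse to answer an error that offers no PA-FX-FAST."""
    require_fast: bool = False


@dataclass(frozen=True)
class Outcome:
    result: str            # "ticket", "stall" (KDC repeats the error) or "refused" (client stops)
    fast: bool             # was the client's request armored?
    factor: Optional[int]  # padata type the client answered with
    leaked: bool           # enc-timestamp (long-term-key material) sent outside armor


def preauth_required_edata(kdc: KdcPolicy) -> Set[int]:
    """Padata types the KDC lists in the e-data of its initial, unprotected error."""
    offered = {PA_FX_FAST}
    if kdc.allow_non_fast:
        offered.add(PA_ENC_TIMESTAMP)
    if kdc.advertise_factors:
        offered.update({PA_OTP_CHALLENGE, PA_ENCRYPTED_CHALLENGE})
    return offered


def tamper(edata: Set[int], remove: FrozenSet[int] = frozenset(),
           add: FrozenSet[int] = frozenset()) -> Set[int]:
    """On-path attacker: the first error carries no integrity protection, so
    entries can be deleted from or added to its e-data at will."""
    return (set(edata) - set(remove)) | set(add)


def client_answer(edata: Set[int], client: ClientPolicy) -> Optional[Tuple[bool, Optional[int]]]:
    """(fast?, factor) the client sends next, or None if it will not continue.
    Model assumption (the poster's premise): the client only uses factors it was offered."""
    if PA_FX_FAST in edata:
        inner = [t for t in (PA_OTP_CHALLENGE, PA_ENCRYPTED_CHALLENGE) if t in edata]
        return True, (inner[0] if inner else None)
    if client.require_fast or PA_ENC_TIMESTAMP not in edata:
        return None
    return False, PA_ENC_TIMESTAMP  # silent fallback to the unarmored path


def kdc_verify(fast: bool, factor: Optional[int], kdc: KdcPolicy) -> str:
    if not fast:
        return "ticket" if kdc.allow_non_fast and factor == PA_ENC_TIMESTAMP else "stall"
    if factor is None:
        return "stall"
    if kdc.required_factor is not None and factor != kdc.required_factor:
        return "stall"
    return "ticket"


def run(kdc: KdcPolicy, client: ClientPolicy, remove: FrozenSet[int] = frozenset(),
        add: FrozenSet[int] = frozenset()) -> Outcome:
    """One error/response round trip with the attacker editing the e-data in between."""
    edata = tamper(preauth_required_edata(kdc), remove, add)
    answer = client_answer(edata, client)
    if answer is None:
        return Outcome("refused", False, None, False)
    fast, factor = answer
    leaked = (not fast) and factor == PA_ENC_TIMESTAMP
    return Outcome(kdc_verify(fast, factor, kdc), fast, factor, leaked)


if __name__ == "__main__":
    scenarios = {
        "untampered": run(KdcPolicy(), ClientPolicy()),
        "strip PA-FX-FAST, KDC allows non-FAST": run(KdcPolicy(), ClientPolicy(), frozenset({PA_FX_FAST})),
        "strip PA-FX-FAST, inject enc-timestamp, KDC forbids non-FAST":
            run(KdcPolicy(allow_non_fast=False), ClientPolicy(),
                frozenset({PA_FX_FAST}), frozenset({PA_ENC_TIMESTAMP})),
        "strip PA-OTP-CHALLENGE, KDC requires OTP":
            run(KdcPolicy(required_factor=PA_OTP_CHALLENGE), ClientPolicy(), frozenset({PA_OTP_CHALLENGE})),
        "strip PA-FX-FAST, client requires FAST":
            run(KdcPolicy(), ClientPolicy(require_fast=True), frozenset({PA_FX_FAST})),
    }
    for name, outcome in scenarios.items():
        print(f"{name}: {outcome}")
```

The interesting rows are the third and fourth. Deleting PA-OTP-CHALLENGE while leaving PA-FX-FAST ends in a stall and nothing leaves the armor, which matches the reasoning in the message: the KDC just asks again. Deleting PA-FX-FAST is different, because the client's enc-timestamp is on the wire before the KDC gets to apply its policy; a KDC that forbids non-FAST requests still only produces a stall, and the attacker has already captured material for offline guessing. In the model, only the client-side require_fast knob prevents that.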
