FAST cookies

Greg Hudson ghudson at MIT.EDU
Sun Jul 17 14:51:29 EDT 2011

On Sun, 2011-07-17 at 09:39 -0400, Linus Nordberg wrote:
> (Background re nonce: There's a kdc-generated nonce (in the 4-pass
> variant).  This nonce is primarily used by the kdc for authenticating the
> client by using the Client Key to decrypt the encData field of the
> PA-OTP-REQUEST.  A match with what was sent by the kdc in the
> PA-OTP-CHALLENGE proves client possession of the Client Key.)

I believe there is no real need to protect against nonce replays.  In
fact, we could let the client choose the value to encrypt, as we do in
OTP 2-pass and in encrypted challenge.

I'm going to raise this issue on krb-wg, though.  I think the OTP draft
may be unnecessarily complex for 4-pass.

> Judging from previous postings to the list regarding replay attacks
> and OTP,

I think some of the previous discussion may have confused replays of the
nonce with replays of the OTP token value itself.
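The distinction drawn in this message, between replaying the kdc's nonce and replaying the OTP token value, can be made concrete with a small simulation. The following is an added example, not code from this thread or from the MIT Kerberos project: it models a 4-pass style exchange in which the kdc issues a nonce, the client returns a proof computed over that nonce with its Client Key, and the kdc checks both the proof and whether the OTP value has already been accepted. The proof here is an HMAC over the nonce and OTP value, a stand-in for the real encryption of the encData field; the principal names, keys and token lists are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: one principal, its Client Key, and the OTP
# values its token is expected to produce next (a real kdc would ask an
# OTP validation server instead of holding a list).
CLIENT_KEYS = {"alice@EXAMPLE.COM": b"constructed-client-key-for-alice"}
VALID_OTPS = {"alice@EXAMPLE.COM": {"123456", "654321"}}


def prove(client_key: bytes, nonce: bytes, otp_value: str) -> bytes:
    """Client-side proof of possession of the Client Key.

    Stand-in for encrypting the encData field: binds the kdc's nonce and
    the OTP value to the key so that only a holder of the key can
    produce a matching value.
    """
    return hmac.new(client_key, nonce + otp_value.encode(), hashlib.sha256).digest()


class Kdc:
    def __init__(self, client_keys, valid_otps):
        self.client_keys = client_keys
        self.valid_otps = valid_otps
        self.used_otps = {}  # principal -> set of OTP values already accepted

    def challenge(self, principal: str, nonce: bytes = None) -> bytes:
        """PA-OTP-CHALLENGE: return a nonce (freshly generated unless a
        caller reuses one on purpose, to show that nonce reuse alone is
        not what lets a replay through)."""
        return nonce if nonce is not None else secrets.token_bytes(16)

    def verify(self, principal: str, nonce: bytes, otp_value: str, enc_data: bytes) -> str:
        """PA-OTP-REQUEST handling: check key possession, then OTP validity,
        then whether this OTP value was already consumed."""
        key = self.client_keys.get(principal)
        if key is None:
            return "REJECT: unknown principal"
        # Constant-time compare of the client's proof against our own.
        if not hmac.compare_digest(prove(key, nonce, otp_value), enc_data):
            return "REJECT: Client Key proof failed"
        if otp_value not in self.valid_otps.get(principal, set()):
            return "REJECT: OTP value not valid"
        used = self.used_otps.setdefault(principal, set())
        if otp_value in used:
            return "REJECT: OTP value already used"
        used.add(otp_value)
        return "OK"


def run_scenarios() -> dict:
    """Exercise the exchange; returns each scenario's kdc verdict."""
    kdc = Kdc(CLIENT_KEYS, VALID_OTPS)
    alice = "alice@EXAMPLE.COM"
    key = CLIENT_KEYS[alice]
    results = {}

    # 1. Honest exchange: fresh nonce, correct key, unused OTP.
    n1 = kdc.challenge(alice)
    msg1 = (n1, "123456", prove(key, n1, "123456"))
    results["honest"] = kdc.verify(alice, *msg1)

    # 2. Replay of the whole captured request: the proof still matches,
    #    but the OTP value has already been consumed.
    results["replayed_request"] = kdc.verify(alice, *msg1)

    # 3. Same nonce reused by the kdc, but a new OTP value from the
    #    legitimate client: accepted, since the OTP value is what must
    #    not repeat, not the nonce.
    n2 = kdc.challenge(alice, nonce=n1)
    results["reused_nonce_new_otp"] = kdc.verify(alice, n2, "654321", prove(key, n2, "654321"))

    # 4. Someone without the Client Key tries an otherwise valid OTP.
    n3 = kdc.challenge(alice)
    results["wrong_key"] = kdc.verify(alice, n3, "654321", prove(b"not-the-key", n3, "654321"))

    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

The point the simulation makes is that the kdc's replay state has to be keyed on the OTP value (scenario 2), while reusing a nonce by itself does not let an old request through (scenario 3); possession of the Client Key is checked independently (scenario 4).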
