List: krbdev
Subject: Re: FAST cookies
From: Greg Hudson <ghudson@mit.edu>
Date: 2011-07-17 18:51:29
Message-ID: 1310928689.2694.213.camel@t410
On Sun, 2011-07-17 at 09:39 -0400, Linus Nordberg wrote:
> (Background re nonce: There's a KDC-generated nonce (in the 4-pass
> variant). This nonce is primarily used by the KDC for authenticating the
> client by using the Client Key to decrypt the encData field of the
> PA-OTP-REQUEST. A match with what was sent by the KDC in the
> PA-OTP-CHALLENGE proves client possession of the Client Key.)
I believe there is no real need to protect against nonce replays. In
fact, we could let the client choose the value to encrypt, as we do in
OTP 2-pass and in encrypted challenge.
I'm going to raise this issue on krb-wg, though. I think the OTP draft
may be unnecessarily complex for 4-pass.
> Judging from previous postings to the list regarding replay attacks
> and OTP,
I think some of the previous discussion may have confused replays of the
nonce with replays of the OTP token value itself.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
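The following is an added illustration, not part of this thread or of MIT Kerberos, of the 4-pass exchange the quoted paragraph describes and of the distinction the reply draws between replaying the nonce and replaying the OTP token value. It is a toy model in Python: HOTP (RFC 4226) stands in for the token, the Client Key derivation and the encryption are constructed stand-ins from the standard library rather than RFC 6560's or any Kerberos enctype, and the message shapes (`challenge`, `respond`, `verify`) are assumed simplifications of PA-OTP-CHALLENGE and PA-OTP-REQUEST. The KDC proves key possession by decrypting `encData` and comparing it with the nonce it sent, and separately records which token values it has already accepted.

```python
"""Toy model of the 4-pass OTP pre-authentication exchange (constructed example)."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def client_key(otp_value: str, salt: bytes) -> bytes:
    """Assumed Client Key derivation from the OTP value (toy stand-in, not RFC 6560's)."""
    return hashlib.pbkdf2_hmac("sha256", otp_value.encode(), salt, 1000, 32)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: XOR with an HMAC-derived keystream, then an HMAC tag."""
    iv = os.urandom(16)
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    assert len(plaintext) <= len(stream), "toy cipher handles at most 32 bytes"
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(key, b"enc" + iv, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class Kdc:
    """Knows the token seed, remembers each challenge's nonce, and records consumed token values."""
    LOOKAHEAD = 5  # how many counters ahead of the last accepted one the KDC will try

    def __init__(self, seed: bytes, salt: bytes) -> None:
        self.seed, self.salt = seed, salt
        self.last_counter = -1                   # highest HOTP counter already accepted
        self.pending: Dict[bytes, bytes] = {}    # request id -> nonce sent in the challenge

    def challenge(self) -> Tuple[bytes, bytes]:
        """Pass 2: the challenge carries a fresh KDC-generated nonce."""
        req_id, nonce = os.urandom(8), os.urandom(16)
        self.pending[req_id] = nonce
        return req_id, nonce

    def verify(self, req_id: bytes, enc_data: bytes) -> bool:
        """Pass 4: decrypt encData under each candidate Client Key; a nonce match proves possession."""
        nonce = self.pending.pop(req_id, None)
        if nonce is None:
            return False                         # unknown, or already answered, challenge
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.LOOKAHEAD):
            key = client_key(hotp(self.seed, counter), self.salt)
            if unseal(key, enc_data) == nonce:
                self.last_counter = counter      # consume the token value: a replayed OTP is rejected
                return True
        return False


class Client:
    """Holds the same token seed and encrypts the KDC's nonce under the current OTP's Client Key."""

    def __init__(self, seed: bytes, salt: bytes) -> None:
        self.seed, self.salt, self.counter = seed, salt, 0

    def respond(self, nonce: bytes) -> bytes:
        """Pass 3: the request's encData is the nonce sealed under the Client Key."""
        otp = hotp(self.seed, self.counter)
        self.counter += 1
        return seal(client_key(otp, self.salt), nonce)


def run_demo() -> Dict[str, bool]:
    """Run one honest exchange, two replays of its request, and a fresh exchange (constructed inputs)."""
    seed, salt = b"constructed-token-seed", b"constructed-salt"
    kdc, client = Kdc(seed, salt), Client(seed, salt)
    req1, nonce1 = kdc.challenge()
    enc1 = client.respond(nonce1)
    first = kdc.verify(req1, enc1)
    replay_same = kdc.verify(req1, enc1)         # challenge already answered
    req2, _ = kdc.challenge()
    replay_new = kdc.verify(req2, enc1)          # old token value is consumed and the nonce differs
    req3, nonce3 = kdc.challenge()
    fresh = kdc.verify(req3, client.respond(nonce3))
    return {"first": first, "replay_same_challenge": replay_same,
            "replay_new_challenge": replay_new, "fresh": fresh}


if __name__ == "__main__":
    print(run_demo())
```

In this model the nonce only has to be tied to the challenge it was issued with; what stops a captured request from being accepted again is the KDC's record of consumed token values (`last_counter`), which is the replay protection that matters for the OTP itself.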