[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security impact of removing timestamp check in rd_rep()

To: lukeh@PADL.COM
Subject: Re: Security impact of removing timestamp check in rd_rep()
From: Sam Hartman <hartmans@mit.edu>
Date: Sun, 15 May 2005 17:04:55 -0400
Cc: abartlet@samba.org, heimdal-discuss@sics.se, samba-technical@samba.org
In-Reply-To: <200505140808.j4E88fOL047376@au.padl.com> (Luke Howard'smessage of "Sat, 14 May 2005 18:08:41 +1000")
References: <200505140808.j4E88fOL047376@au.padl.com>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

>>>>> "Luke" == Luke Howard <lukeh@PADL.COM> writes:

    Luke> You actually want to check that they are different, to avoid
    Luke> replay attacks.

But you need to store all the timestamps you have seen in an allowable
window.

Really, I don't understand why you use a timestamp in a three-leg
protocol.  It seems like you want to have a challenge in the second
leg copied back in the third leg encrypted in a per-session key.
However it sounds like DCE did not do this.


--Sam

Follow-Ups:
- Re: Security impact of removing timestamp check in rd_rep()
  - From: Andrew Bartlett <abartlet@samba.org>

References:
- Re: Security impact of removing timestamp check in rd_rep()
  - From: Luke Howard <lukeh@padl.com>

Prev by Date: Re: Problems with Service Principle Unknown and Windows AD.
Next by Date: Re: Security impact of removing timestamp check in rd_rep()
Prev by thread: Re: Security impact of removing timestamp check in rd_rep()
Next by thread: Re: Security impact of removing timestamp check in rd_rep()
Index(es):
- Date
- Thread