Security impact of removing timestamp check in rd_rep()
Sam Hartman
hartmans at mit.edu
Sun May 15 21:04:55 GMT 2005
>>>>> "Luke" == Luke Howard <lukeh at PADL.COM> writes:
Luke> You actually want to check that they are different, to avoid
Luke> replay attacks.
But you need to store all the timestamps you have seen in an allowable
window.
Really, I don't understand why you use a timestamp in a three-leg
protocol. It seems like you want to have a challenge in the second
leg copied back in the third leg encrypted in a per-session key.
However it sounds like DCE did not do this.
--Sam
More information about the samba-technical
mailing list