Kerberos Replay attack - how it is detected in SSPI?
From: Aleksey Studnev (studnev@mobilae.ru)
Date: 12/19/02
- Next message: Michael: "rights problems"
- Previous message: neo [mvp outlook]: "Re: Hacked Server - Can't Delete Planted Files"
- Next in thread: terry: "Kerberos Replay attack - how it is detected in SSPI?"
- Reply: terry: "Kerberos Replay attack - how it is detected in SSPI?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Aleksey Studnev" <studnev@mobilae.ru> Date: Thu, 19 Dec 2002 08:06:09 -0800
One question to you, Windows security gurus:
how does SSPI detect a replay attack?
I have implemented interoperability between MIT Krb5
and SSPI and found an issue:
When MIT makes the authenticator in the token, it artificially
randomizes the microseconds field by adding an incremental
value. That is because the _ftime() function returns time
with a granularity of 18 ms.
On the server side MIT compares only security principals and
times, as specified in the Krb standard.
SSPI does not do this, so if you request 2 tokens for
one service and user they will appear with _identical_
times (including the microsecond field).
Nevertheless, SSPI does not detect a replay in this case..
but MIT does. MIT in this regard works according to the Krb
standard and SSPI does not.
But still, how does SSPI detect a replay? If it uses other
authenticator fields, that is wrong, because they are all
optional. The sequence number is optional as well...
Any ideas?
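A minimal replay cache of the kind the Kerberos standard calls for, run over the two situations described in the post (an added example, not MIT krb5 or SSPI code; the principal names, timestamps and the per-tick cusec bump are constructed inputs that model the behaviour the post reports):

```python
# Added example, not MIT krb5 or SSPI code; names and times used are constructed.
from dataclasses import dataclass

CLOCK_SKEW = 300   # seconds; RFC 4120's suggested five-minute window


@dataclass(frozen=True)
class Authenticator:
    """The authenticator fields a replay cache keys on (RFC 4120 section 3.2.3)."""
    client: str   # cname@crealm
    server: str   # service principal the ticket was issued for
    ctime: int    # client time, whole seconds since the epoch
    cusec: int    # microseconds, 0..999999


class ReplayCache:
    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}   # (client, server, ctime, cusec) -> time first seen

    def check(self, auth, now):
        """Classify an incoming authenticator as 'ok', 'skew' or 'replay'."""
        if abs(now - auth.ctime) > self.skew:
            return "skew"          # outside the window, never cached
        key = (auth.client, auth.server, auth.ctime, auth.cusec)
        if key in self._seen:
            return "replay"        # same principals and same time already seen
        self._seen[key] = now
        # entries older than the skew window can never match again; drop them
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}
        return "ok"


def mit_style_tokens(client, server, coarse_time, count):
    """Constructed model of the MIT behaviour from the post: requests landing in
    the same coarse clock tick get an incremented cusec, so each is distinct."""
    return [Authenticator(client, server, coarse_time, i) for i in range(count)]


def identical_tokens(client, server, coarse_time, count):
    """Constructed model of the SSPI behaviour from the post: identical ctime and cusec."""
    return [Authenticator(client, server, coarse_time, 0) for _ in range(count)]


def run_scenario(tokens, now):
    """Feed tokens to a fresh cache and return the verdict for each one."""
    cache = ReplayCache()
    return [cache.check(t, now) for t in tokens]
```

With this check, the second of two identical SSPI-style tokens is flagged as a replay even though it is a legitimate second request, which is exactly the interoperability symptom the post describes; the MIT-style tokens pass because their cusec values differ.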