[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security impact of removing timestamp check in rd_rep()

>>>>> "Luke" == Luke Howard <lukeh@PADL.COM> writes:

    Luke> You actually want to check that they are different, to avoid
    Luke> replay attacks.

But you need to store all the timestamps you have seen in an allowable

Really, I don't understand why you use a timestamp in a three-leg
protocol.  It seems like you want to have a challenge in the second
leg copied back in the third leg encrypted in a per-session key.
However it sounds like DCE did not do this.