[1773] in Kerberos_V5_Development
Re: protocol flaw (160 lines) (was: krbdev vs krbcore)
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Fri Sep 20 18:57:37 1996
Cc: "Barry Jaspan" <bjaspan@MIT.EDU>, don@cam.ov.com, krbcore@MIT.EDU
In-Reply-To: Your message of "Fri, 20 Sep 1996 18:52:09 EDT."
<199609202252.SAA14807@beeblebrox.MIT.EDU>
Date: Fri, 20 Sep 1996 18:57:31 EDT
From: Marc Horowitz <marc@MIT.EDU>
In message <199609202252.SAA14807@beeblebrox.MIT.EDU>, Marc Horowitz <marc@MIT.EDU> writes:
>> >> C->KDC: C_dummy, S, PA_HASH_NAME=MD5(C|K_c)
>>
>> I'm not sure why you include the client's key here. It doesn't seem
>> to add anything.
<brain switches into faster gear>
In fact, it makes life harder. You'd need an index in the database
for each enctype the principal had. If you want to give decent
diagnostics, it's worse, since there's no way to distinguish
"principal doesn't have that enctype" from "principal doesn't exist"
with just the hash key to work with, unless you iterate over the
entire database.
Marc
