Re: Fwd: SSPI authentication ASC_REQ_REPLAY_DETECT flag

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Jacobo Vazquez <jvazquez(at)denodo(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Fwd: SSPI authentication ASC_REQ_REPLAY_DETECT flag
Date: 2015-04-01 01:06:26
Message-ID: 20150401010625.GO3663@tamriel.snowman.net
Lists: pgsql-general pgsql-hackers pgsql-odbc

Jacobo,

* Jacobo Vazquez (jvazquez(at)denodo(dot)com) wrote:
> Am I misunderstanding something or is this the expected behavior? Does
> this not mean a replay attack risk? I think that if SSL is not used by the
> connection, a malicious user could capture the authentication package with
> the client service ticket and then reuse it.

It's not entirely clear to me what you're getting at here, but Kerberos
service tickets are *intended* to be re-used up until they are invalid
due to their lifetime limit. That's why they have a lifetime. If you
don't want them to be reused, make their lifetime very short, but you'll
end up creating a huge additional load on your KDC that way for very
little gain.

Note that this is entirely independent of a replay attack risk, which is
addressed by the resource server checking if the timestamp in the
authenticator being provided is the same as the last one (it should be
denied if it is). Further, the timestamp in the authenticator has to be
within 5 minutes or it'll also be denied.

Thanks,

Stephen
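The verifier-side replay check Stephen describes, as an added illustration that is not part of the thread or of PostgreSQL's SSPI code: a toy Kerberos replay cache that rejects an authenticator whose timestamp is outside the 5-minute window and one whose (client, timestamp) pair has already been seen. It generalises the mail slightly by remembering every authenticator inside the skew window rather than only the last one; principal names and timestamps are constructed sample values.

```python
# Added example (not from the thread or from PostgreSQL/SSPI code): a toy
# Kerberos replay cache modelling the verifier-side check described above.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)  # RFC 4120 default; the "5 minutes" in the mail


@dataclass(frozen=True)
class Authenticator:
    client: str      # client principal (constructed sample values below)
    ctime: datetime  # authenticator timestamp (ctime/cusec in RFC 4120 terms)
    cusec: int


class ReplayCache:
    def __init__(self, skew: timedelta = CLOCK_SKEW):
        self.skew = skew
        self._seen: dict[tuple[str, datetime, int], datetime] = {}

    def check(self, auth: Authenticator, now: datetime) -> str:
        """Return 'accept', 'skew' or 'replay' for one AP-REQ authenticator."""
        # Drop entries too old to pass the skew check; replaying them is
        # rejected below anyway, so the cache stays bounded.
        cutoff = now - self.skew
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}
        if abs(now - auth.ctime) > self.skew:
            return "skew"    # KRB_AP_ERR_SKEW: timestamp outside the window
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return "replay"  # KRB_AP_ERR_REPEAT: same authenticator again
        self._seen[key] = auth.ctime
        return "accept"


def demo() -> list[str]:
    """Constructed sequence: fresh, replayed, distinct, stale, expired replay."""
    rc = ReplayCache()
    t0 = datetime(2015, 4, 1, 1, 6, 0, tzinfo=timezone.utc)
    first = Authenticator("alice@EXAMPLE.COM", t0, 1234)
    again = Authenticator("alice@EXAMPLE.COM", t0, 1235)        # new cusec
    stale = Authenticator("alice@EXAMPLE.COM", t0 - timedelta(minutes=6), 0)
    return [
        rc.check(first, t0 + timedelta(seconds=1)),   # accept
        rc.check(first, t0 + timedelta(seconds=30)),  # replay
        rc.check(again, t0 + timedelta(seconds=31)),  # accept
        rc.check(stale, t0),                          # skew
        rc.check(first, t0 + timedelta(minutes=6)),   # skew (entry already pruned)
    ]
```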
