%PDF-
%PDF-
Mini Shell
Mini Shell
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>replay cache — MIT Kerberos Documentation</title>
<link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '1.15.1',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
<link rel="up" title="Kerberos V5 concepts" href="index.html" />
<link rel="next" title="stash file" href="stash_file_def.html" />
<link rel="prev" title="keytab" href="keytab_def.html" />
</head>
<body>
<div class="header-wrapper">
<div class="header">
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
<div class="rel">
<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="keytab_def.html" title="keytab"
accesskey="P">previous</a> |
<a href="stash_file_def.html" title="stash file"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__replay cache">feedback</a>
</div>
</div>
</div>
<div class="content-wrapper">
<div class="content">
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="replay-cache">
<span id="rcache-definition"></span><h1>replay cache<a class="headerlink" href="#replay-cache" title="Permalink to this headline">¶</a></h1>
<p>A replay cache (or “rcache”) keeps track of all authenticators
recently presented to a service. If a duplicate authentication
request is detected in the replay cache, an error message is sent to
the application program.</p>
<p>The replay cache interface, like the credential cache and
<a class="reference internal" href="keytab_def.html#keytab-definition"><em>keytab</em></a> interfaces, uses <cite>type:value</cite> strings to
indicate the type of replay cache and any associated cache naming
data to use.</p>
<div class="section" id="background-information">
<h2>Background information<a class="headerlink" href="#background-information" title="Permalink to this headline">¶</a></h2>
<p>Some Kerberos or GSSAPI services use a simple authentication mechanism
where a message is sent containing an authenticator, which establishes
the encryption key that the client will use for talking to the
service. But nothing about that prevents an eavesdropper from
recording the messages sent by the client, establishing a new
connection, and re-sending or “replaying” the same messages; the
replayed authenticator will establish the same encryption key for the
new session, and the following messages will be decrypted and
processed. The attacker may not know what the messages say, and can’t
generate new messages under the same encryption key, but in some
instances it may be harmful to the user (or helpful to the attacker)
to cause the server to see the same messages again a second time. For
example, if the legitimate client sends “delete first message in
mailbox”, a replay from an attacker may delete another, different
“first” message. (Protocol design to guard against such problems has
been discussed in <span class="target" id="index-0"></span><a class="rfc reference external" href="http://tools.ietf.org/html/rfc4120.html#section-10"><strong>RFC 4120</strong></a>.)</p>
<p>Even if one protocol uses further protection to verify that the client
side of the connection actually knows the encryption keys (and thus is
presumably a legitimate user), if another service uses the same
service principal name, it may be possible to record an authenticator
used with the first protocol and “replay” it against the second.</p>
<p>The replay cache mitigates these attacks somewhat, by keeping track of
authenticators that have been seen until their five-minute window
expires. Different authenticators generated by multiple connections
from the same legitimate client will generally have different
timestamps, and thus will not be considered the same.</p>
<p>This mechanism isn’t perfect. If a message is sent to one application
server but a man-in-the-middle attacker can prevent it from actually
arriving at that server, the attacker could then use the authenticator
(once!) against a different service on the same host. This could be a
problem if the message from the client included something more than
authentication in the first message that could be useful to the
attacker (which is uncommon; in most protocols the server has to
indicate a successful authentication before the client sends
additional messages), or if the simple act of presenting the
authenticator triggers some interesting action in the service being
attacked.</p>
</div>
<div class="section" id="default-rcache-type">
<h2>Default rcache type<a class="headerlink" href="#default-rcache-type" title="Permalink to this headline">¶</a></h2>
<p>There is currently only one implemented kind of replay cache, called
<strong>dfl</strong>. It stores replay data in one file, occasionally rewriting it
to purge old, expired entries.</p>
<p>The default type can be overridden by the <strong>KRB5RCACHETYPE</strong>
environment variable.</p>
<p>The placement of the replay cache file is determined by the following:</p>
<ol class="arabic simple">
<li>The <strong>KRB5RCACHEDIR</strong> environment variable;</li>
<li>If KRB5RCACHEDIR is unspecified, on UNIX, the library
will fall back to the environment variable <strong>TMPDIR</strong>, and then to
a temporary directory determined at configuration time such as
<em>/tmp</em> or <em>/var/tmp</em>; on Windows, it will check the environment
variables <em>TEMP</em> and <em>TMP</em>, and fall back to the directory C:\.</li>
</ol>
</div>
<div class="section" id="performance-issues">
<h2>Performance issues<a class="headerlink" href="#performance-issues" title="Permalink to this headline">¶</a></h2>
<p>Several known minor performance issues that may occur when replay
cache is enabled on the Kerberos system include: delays due to writing
the authenticator data to disk slowing down response time for very
heavily loaded servers, and delays during the rewrite that may be
unacceptable to high-performance services.</p>
<p>For use cases where replays are adequately defended against for all
protocols using a given service principal name, or where performance
or other considerations outweigh the risk of replays, the special
replay cache type “none” can be specified:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">KRB5RCACHETYPE</span><span class="o">=</span><span class="n">none</span>
</pre></div>
</div>
<p>It doesn’t record any information about authenticators, and reports
that any authenticator seen is not a replay.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sidebar">
<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">replay cache</a><ul>
<li><a class="reference internal" href="#background-information">Background information</a></li>
<li><a class="reference internal" href="#default-rcache-type">Default rcache type</a></li>
<li><a class="reference internal" href="#performance-issues">Performance issues</a></li>
</ul>
</li>
</ul>
<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">Kerberos V5 concepts</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="ccache_def.html">Credential cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="keytab_def.html">keytab</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="">replay cache</a><ul class="simple">
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="stash_file_def.html">stash file</a></li>
<li class="toctree-l2"><a class="reference internal" href="date_format.html">Supported date and time formats</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>
<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<div class="clearer"></div>
</div>
</div>
<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.15.1</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">
<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="keytab_def.html" title="keytab"
>previous</a> |
<a href="stash_file_def.html" title="stash file"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__replay cache">feedback</a>
</div>
</div>
</div>
</body>
</html>
Zerion Mini Shell 1.0