
Could anyone please explain how timestamps in Kerberos protect from Replay attacks?

Thanks

froufrou

3 Answers


It doesn't fully prevent replay attacks, but it ensures that a replay must happen within a few minutes of authentication. If you try to replay the authentication handshake hours later, it'll fail because the server knows the timestamp is way old.

ceejayoz

"Kerberos authentication prevents a replay attack by using two mechanisms:

The Kerberos client on the local computer encrypts a timestamp inside the authenticator and then sends it to the Key Distribution Center (KDC). If the KDC verifies that the time it decrypts from the authenticator is within a specified amount of the local time on the KDC (the default is five minutes), the system can assume that the credentials presented are genuine.

All tickets issued by the KDC have an expiration time. Thus, if a ticket is compromised, it cannot be used outside of a specified time range — usually short enough to make the risk of a replay attack minimal.

Because of these mechanisms, Kerberos authentication relies on the date and time that are set on the KDC and the client. If there is too great a time difference between the KDC and a client requesting tickets, the KDC cannot determine whether the request is legitimate or a replay."

Source: https://technet.microsoft.com/en-us/library/cc780011%28v=ws.10%29.aspx

That's why getting your clocks synchronized is so important - the Kerberos TGT tickets you receive are a time-limited offer. The time limit on the offer starts at the time indicated on the timestamp. Getting the time wrong is the worst sin you can commit, which is why Kerberos insists on having your clock's time synchronized.

Vietnhi Phuvan

In addition, the replay cache holds the authenticators that arrived in the last 2 minutes and rejects them if they are presented again. For more details, check the replay cache section in http://www.kerberos.org/software/tutorial.html

R V Marti
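As an added example (not from any of the answers, and not code from a real Kerberos implementation), here is a Python sketch of the server-side checks the last two answers describe: the ticket's expiration time, the five-minute timestamp tolerance, and the two-minute replay cache of authenticators. The error names follow RFC 4120; the data classes, the `demo` scenario and its times are constructed, and decryption of the authenticator is omitted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows quoted in the answers above: 5-minute skew tolerance, 2-minute replay cache.
MAX_CLOCK_SKEW = timedelta(minutes=5)
REPLAY_CACHE_WINDOW = timedelta(minutes=2)


@dataclass(frozen=True)
class Authenticator:
    """Fields the client encrypts under the session key (decryption omitted here)."""
    client: str
    ctime: datetime  # client's clock when the authenticator was built
    cusec: int       # microsecond part; (client, ctime, cusec) identifies the authenticator


@dataclass
class Ticket:
    client: str
    endtime: datetime  # expiration set by the KDC when the ticket was issued


class ApVerifier:
    """Server-side checks on an AP-REQ: ticket lifetime, timestamp skew, replay cache."""

    def __init__(self) -> None:
        self._seen: dict[tuple, datetime] = {}  # authenticator key -> arrival time

    def _purge(self, now: datetime) -> None:
        # Drop cache entries older than the retention window (constructed: 2 minutes).
        self._seen = {k: t for k, t in self._seen.items() if now - t <= REPLAY_CACHE_WINDOW}

    def verify(self, ticket: Ticket, auth: Authenticator, now: datetime) -> str:
        if auth.client != ticket.client:
            return "KRB_AP_ERR_BADMATCH"
        if now > ticket.endtime:                      # ticket past its expiration time
            return "KRB_AP_ERR_TKT_EXPIRED"
        if abs(now - auth.ctime) > MAX_CLOCK_SKEW:    # timestamp too far from server clock
            return "KRB_AP_ERR_SKEW"
        self._purge(now)
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:                         # same authenticator seen recently
            return "KRB_AP_ERR_REPEAT"
        self._seen[key] = now
        return "OK"


def demo() -> list[str]:
    """Constructed scenario: fresh request, replay, replay after purge, stale replay, expired ticket."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    tkt = Ticket("alice@EXAMPLE.COM", endtime=t0 + timedelta(hours=8))
    auth = Authenticator("alice@EXAMPLE.COM", ctime=t0, cusec=123456)
    v = ApVerifier()
    return [v.verify(tkt, auth, t0 + timedelta(seconds=1)),   # OK
            v.verify(tkt, auth, t0 + timedelta(seconds=30)),  # KRB_AP_ERR_REPEAT
            v.verify(tkt, auth, t0 + timedelta(minutes=4)),   # OK: purged, still within skew
            v.verify(tkt, auth, t0 + timedelta(hours=2)),     # KRB_AP_ERR_SKEW
            v.verify(tkt, auth, t0 + timedelta(hours=9))]     # KRB_AP_ERR_TKT_EXPIRED
```

The third call shows why the cache must retain entries for at least as long as the skew tolerance: an authenticator purged after two minutes but still within the five-minute window is accepted a second time.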