6710968492
Currently, if the AS exchange uses PA-ENC-TIMESTAMP, a Heimdal client
will transmit the AS-REQ with one PA-ENC-TIMESTAMP for every supported
encryption type. This is bad because:
(1) An eavesdropper collecting this information for dictionary
attacks will have his life made easier, since he can use
DES (rather than a stronger crypto system).
(2) Waste of CPU cycles on client.
(3) (Maybe) cryptanalysis is assisted by capturing ciphtertexts
that are known to be the same plaintext encrypted with the
same key in several algorithms (though the confounder confounds
this).
The KDC provides the list of etypes supported in PA-ETYPE-INFO in the
KRB-ERROR reply ... let's use the first one, eh?
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11646 ec53bebd-3082-4978-b11e-865c3cabbd6b
20 KiB
20 KiB