Hello,

GSSAPI-based protocols have an option of challenging a client with a counter value. This is done after the client submits a ticket.

Looking at SPNEGO (and probably other protocols as well) I see that the server can take the initiative for a GSSAPI exchange, and when doing so, it could already challenge the client.

The way I see it, asking a client to decrypt *anything* is possible, as long as the result is unpredictable to the client of course. For instance, a random byte series could be created by the server and sent to the client for decryption. Whatever the block cipher makes of that is the proper answer; the server can make the same computation when it receives the ticket (with the session key) and the response to the challenge (decrypted with the session key).

This would save a back-and-forth hop. Why is this not done? Are there cryptographic reasons that I am missing?

Thanks,
-Rick

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos