samba-technical@lists.samba.org

Re: Proof for schannel Key expiry?

Subject: Re: Proof for schannel Key expiry?
From: Andrew Tridgell
Date: Tue, 17 May 2005 07:03:51 +1000
Andrew,

 > In the Samba4 schannel code, you have a fixed, 5-min expiry on the
 > schannel credentials.  Did you ever have any proof that Windows has a
 > similar expiry?

No, I don't even remember doing that.

I do think some sort of expiry does make cryptographic sense though,
as unlike other auth mechanisms, schannel credentials last beyond the
lifetime of an established connection. That makes them ripe for
offline brute force attack. Only krb5 has similar properties in Samba,
and that has an expiry mechanism.

Maybe we should make it a 2 day expiry until we write a (rather slow)
test which gives us some idea on the lifetime of these credentials in
the Windows world.

Cheers, Tridge
