help-gss

Re: replay detection


From: Simon Josefsson
Subject: Re: replay detection
Date: Fri, 03 Mar 2006 17:59:41 +0100
User-agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

"Bentura, Eric" <address@hidden> writes:

> Hello,
>  
> For my application I need to add a replay detection mechanism to messages sent
> over the network.

Hi Eric!  The generic GSS-API framework supports this, but it is up to
each mechanism how to implement it (if at all).  Kerberos V5 uses
sequence numbers to do this.

> I wanted to know if it is possible, using GSS routines to timestamp the
> messages in a monotonically increasing fashion.
> In fact, I just want to add a timestamp, and possibly use the resulting packet
> as an input to a certain encrypt function.
> I want the remote side to be able to have access to the timestamp (after having
> decrypted the packet) without using GSS API. Is that possible?

If you use the Kerberos V5 mechanism (the only mechanism GNU GSS
supports currently), you'll get this if you supply the
GSS_C_REPLAY_FLAG flag when setting up the context.

You can't access the actual timestamp value through the GSS API
though.  You'll get an error message if the library detects that a
replayed message is received.

If you strongly need this (please explain your environment further),
we can add a new API to extract the sequence number.

Regards,
Simon
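
The sequence-number approach mentioned in the message above, sketched as a receiver-side sliding window. This is an added illustration, not part of the original message and not GNU GSS code. The enum names are hypothetical, modeled on the RFC 2743 supplementary status codes (GSS_S_DUPLICATE_TOKEN, GSS_S_OLD_TOKEN, GSS_S_UNSEQ_TOKEN, GSS_S_GAP_TOKEN), and the 64-entry window is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes, named after the RFC 2743 supplementary status
 * values; they are not the constants from gssapi.h. DUPLICATE and OLD are the
 * replay-detection outcomes, UNSEQ and GAP the sequencing ones. */
enum seq_status { SEQ_OK, SEQ_DUPLICATE, SEQ_OLD, SEQ_UNSEQ, SEQ_GAP };

#define WINDOW 64u /* assumed window size: one bit per remembered number */

struct seq_window {
    uint64_t highest; /* highest sequence number accepted so far */
    uint64_t seen;    /* bit i set => (highest - i) was already received */
    int started;      /* zero until the first message arrives */
};

enum seq_status seq_check(struct seq_window *w, uint64_t seq)
{
    if (!w->started) {                /* first message fixes the baseline */
        w->started = 1;
        w->highest = seq;
        w->seen = 1;
        return SEQ_OK;
    }
    if (seq > w->highest) {           /* newer than anything seen: slide */
        uint64_t shift = seq - w->highest;
        w->seen = (shift >= WINDOW) ? 0 : (w->seen << shift);
        w->seen |= 1;
        w->highest = seq;
        return shift == 1 ? SEQ_OK : SEQ_GAP;
    }
    uint64_t age = w->highest - seq;
    if (age >= WINDOW)                /* too old to decide: reject */
        return SEQ_OLD;
    if (w->seen & (1ULL << age))      /* same number twice: replay */
        return SEQ_DUPLICATE;
    w->seen |= 1ULL << age;           /* late but new: accept, flag order */
    return SEQ_UNSEQ;
}

int main(void)
{
    /* Constructed sample stream; 101 is replayed, 102 arrives late. */
    uint64_t stream[] = { 100, 101, 101, 104, 102, 102 };
    struct seq_window w = { 0 };
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        printf("%llu -> %d\n", (unsigned long long)stream[i],
               (int)seq_check(&w, stream[i]));
    return 0;
}
```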



