In order to prevent a replay attack in which an attacker might gain some benefit by resending a valid {Tc,tgs}Ktgs at a later time, the tgs-- req message also contains an authenticator, which is a time stamp, ts, a check sum and other data, all encrypted with the session key Kc,tgs.