MD5 passwords possible with Kerberos?

Marc Horowitz marc at MIT.EDU
Mon Feb 18 15:42:19 EST 2002


itd at umr.edu (Ian Downard) writes:

>> Here's a quote from Tom Wu's paper 
>> (http://theory.stanford.edu/~tjw/krbpass.html):
>> 
>> "While this is an improvement relative to Kerberos V4, an attacker
>> with a network sniffer can still carry out the same off-line
>> dictionary attack against any authentication requests captured over
>> the network [9]."
>> 
>> In addition, I sniffed the initial authentication packets with Ethereal on
>> my Linux network, and I see one of the datagrams is sending the
>> Pre-Authentication via "PA-ENC-TIMESTAMP".  Pretty neat, but how does it
>> encrypt the timestamp?  It must be using a key which is known by the
>> Kerberos server (otherwise, how would it decrypt)?  And if it is using the
>> user's password (even before getting a TGT), how does that resist password
>> guessing attacks?

With preauth, you can only attack a password if you can sniff the
network the user or KDC is on to get the encrypted padata.  Without
preauth, you can simply ask the KDC to give you the ciphertext to
attack.  As the quote from Tom Wu's paper points out, this is an
improvement relative to Kerberos V4.  Nobody ever claimed it was a
panacea.  That would require the USPTO to get a clue when issuing
software patents :-/

I do not speak for the MIT Kerberos team, but I'm sure the MIT
Kerberos team would happily accept patches which fixed this problem
(using EKE, SPEKE, SRP, whatever), if it also came with an appropriate
patent license....

                Marc
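
Added example, not part of the original message and not MIT Kerberos code: the reply distinguishes principals that require preauth from those for which the KDC hands out password-encrypted material on request, so this sketch lists principals lacking the REQUIRES_PRE_AUTH attribute. It assumes the `Principal:` / `Attributes:` text layout printed by MIT kadmin's `getprinc`; the realm, principal names and sample output are constructed.

```python
# Constructed sample: concatenated output of `kadmin.local -q "getprinc <name>"`
# for several principals (abridged; realm and names are made up).
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Maximum ticket life: 0 days 10:00:00
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bob@EXAMPLE.ORG
Maximum ticket life: 0 days 10:00:00
Number of keys: 2
Attributes:
Policy: [none]
Principal: carol@EXAMPLE.ORG
Number of keys: 2
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
Principal: dave@EXAMPLE.ORG
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
Policy: [none]
"""

def parse_principals(text):
    """Return {principal_name: set_of_attribute_flags} from getprinc output."""
    principals = {}
    current = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if not sep:
            continue                            # not a "Field: value" line
        key, value = key.strip(), value.strip()
        if key == "Principal":
            current = value
            principals[current] = set()
        elif key == "Attributes" and current is not None:
            principals[current].update(value.split())
    return principals

def missing_preauth(text):
    """Principals for which the KDC will answer an AS request without preauth."""
    return sorted(name for name, attrs in parse_principals(text).items()
                  if "REQUIRES_PRE_AUTH" not in attrs)

if __name__ == "__main__":
    for name in missing_preauth(SAMPLE):
        print("no preauth required:", name)
```

A principal reported here can be changed with kadmin's `modprinc +requires_preauth`; as the message says, that limits the attack to someone who can sniff the exchange, it does not remove it.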


