Kerberos Password Sniffing
Jacques A. Vidrine
nectar at celabo.org
Sun Dec 1 11:45:49 EST 2002
On Sun, Dec 01, 2002 at 10:58:30AM +0000, Frank O'Dwyer wrote:
> does it take the announcement of a tool to light a fire under people,
> when the possibility of such a tool has been obvious and well documented
> in the literature for over 10 years, as have the various possible fixes?
It comes up every now and again. Earlier this year I submitted a
paper to USENIX which contained (what I thought to be) a fresh look at
the problem. It was not accepted as the reviewers did not believe there
was enough new material.

A little later I also saw someone else release a short paper about
sniffing Windows 2000 Kerberos exchanges. I think a reference to it was
posted to this group.
> There is also some breakdown in communication going on, since there are
> 1000s of admins out there who have somehow got the message that Kerberos
> is "unsniffable".
Like many other (but not all) password-based schemes, offline
dictionary attacks may be made by passive sniffers, or by active
Jacques A. Vidrine <nectar at celabo.org> http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine at verio.net . nectar at FreeBSD.org . nectar at kth.se
 I am very grateful to the reviewers, who provided much useful