MD5 passwords possible with Kerberos?
Paul Johnson
paul.johnson at marconi.com
Tue Feb 12 10:00:00 EST 2002
Sandeep wrote:
> Just like Unix passwords are never stored cleartext, but always
> hashed, why not do the same thing with Kerberos?
Because Kerberos does not actually do password authentication. It sets up
a secure link between the two principals.
Suppose Alice and Bob want to communicate. They need to share a secret
key. (This ignores public key crypto, which is a completely different way
of doing things.)
Alice talks to Kerberos using a previously agreed secret key (which is in
fact the MD5 hash of her password). Kerberos sends her a "ticket" which
contains both a new randomly generated secret key and the same key
encrypted with Bob's secret key (which is also the MD5 hash of his
password). Now Alice and Bob share a key and can use it to communicate.
To achieve this Kerberos has to store the secret keys of all the
principals. If you get hold of a Kerberos database you won't see the
passwords, you will see the hashes (aka secret keys). But that isn't a
problem if you want to impersonate Alice or Bob because Kerberos never sees
the passwords. It sees messages encrypted with the keys. So if you can
get the Kerberos database and want to impersonate Alice you just start a
Kerberos session using her secret key. Kerberos assumes that since you
evidently know Alice's key you must be her.
Paul.
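
A toy model of the exchange described in the message above, added here as an illustration and not part of the original post. The cipher (`seal`/`unseal`), the `ToyKDC` class and the passwords are constructed for the example, and the MD5 key derivation follows the post's description rather than an actual Kerberos string-to-key function.

```python
import hashlib, hmac, os

def string_to_key(password):
    # Key = MD5(password), as the post describes; real Kerberos string-to-key differs.
    return hashlib.md5(password.encode()).digest()

def _stream(key, nonce, n):
    # Toy keystream (stand-in cipher, not a Kerberos enctype).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def seal(key, msg):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("wrong key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ToyKDC:
    def __init__(self):
        self.db = {}  # principal -> secret key; passwords are never kept

    def add_principal(self, name, password):
        self.db[name] = string_to_key(password)

    def issue(self, client, service):
        # New random session key, sealed once for each principal.
        session = os.urandom(16)
        return seal(self.db[client], session), seal(self.db[service], session)

def demo():
    kdc = ToyKDC()
    kdc.add_principal("alice", "constructed-alice-pw")  # constructed sample values
    kdc.add_principal("bob", "constructed-bob-pw")
    for_alice, for_bob = kdc.issue("alice", "bob")
    via_password = unseal(string_to_key("constructed-alice-pw"), for_alice)
    via_db_entry = unseal(kdc.db["alice"], for_alice)  # password never used
    bob_view = unseal(kdc.db["bob"], for_bob)
    return via_password, via_db_entry, bob_view
```

All three values returned by `demo()` are the same session key, so the stored key, not the password, is what the KDC database has to protect.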