MD5 passwords possible with Kerberos?

Paul Johnson paul.johnson at marconi.com
Tue Feb 12 10:00:00 EST 2002


Sandeep wrote:

> Just like Unix passwords are never stored cleartext, but always
> hashed, why not do the same thing with Kerberos?

Because Kerberos does not actually do password authentication.  It sets up 
a secure link between the two principals.

Suppose Alice and Bob want to communicate.  They need to share a secret 
key. (This ignores public key crypto, which is a completely different way 
of doing things.)

Alice talks to Kerberos using a previously agreed secret key (which is in 
fact the MD5 hash of her password).  Kerberos sends her a "ticket" which 
contains both a new randomly generated secret key and the same key 
encrypted with Bob's secret key (which is also the MD5 hash of his 
password).  Now Alice and Bob share a key and can use it to communicate.

To achieve this Kerberos has to store the secret keys of all the 
principals.  If you get hold of a Kerberos database you won't see the 
passwords, you will see the hashes (aka secret keys).  But that isn't a 
problem if you want to impersonate Alice or Bob because Kerberos never sees 
the passwords.  It sees messages encrypted with the keys.  So if you can 
get the Kerberos database and want to impersonate Alice you just start a 
Kerberos session using her secret key.  Kerberos assumes that since you 
evidently know Alice's key you must be her.

Paul.
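
The exchange described in this message, as an added toy model that is not part of the original post and is not real Kerberos: it shows that the key stored in the database, not the password, is what opens the reply. `ToyKDC`, `seal`/`unseal` and the keystream cipher are assumptions made for illustration; the MD5 key derivation follows the post's description.

```python
import hashlib, hmac, os

def string_to_key(password):
    # Follows the post's description (MD5 of the password); an assumption here.
    return hashlib.md5(password.encode()).digest()

def _stream(key, nonce, n):
    # Toy keystream from SHA-256 in counter mode; illustrative, not a vetted cipher.
    blocks = (hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ToyKDC:
    def __init__(self):
        self.db = {}  # principal -> secret key; the password itself is never kept

    def add_principal(self, name, password):
        self.db[name] = string_to_key(password)

    def issue(self, client, service):
        session_key = os.urandom(16)
        reply = seal(self.db[client], session_key)  # readable with the client's key
        ticket = seal(self.db[service], client.encode() + b"|" + session_key)
        return reply, ticket

def demo():
    kdc = ToyKDC()
    kdc.add_principal("alice", "constructed-password-A")  # constructed sample values
    kdc.add_principal("bob", "constructed-password-B")
    reply, ticket = kdc.issue("alice", "bob")
    from_password = unseal(string_to_key("constructed-password-A"), reply)
    from_db_entry = unseal(kdc.db["alice"], reply)  # stored key alone, no password
    name, bob_copy = unseal(kdc.db["bob"], ticket).split(b"|", 1)
    return from_password == from_db_entry == bob_copy, name

if __name__ == "__main__":
    print(demo())
```

Because the stored key and the password-derived key are the same bytes, the key database needs the same protection a cleartext password file would.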


