MD5 passwords possible with Kerberos?
Ian Downard
itd at umr.edu
Mon Feb 18 13:26:25 EST 2002
On Sat, 9 Feb 2002, Marcus Watts wrote:
> Here is an incomplete list of weaknesses that you might find more useful
> to consider:
> (1) Most production kerberos realms still use regular DES and no preauth.
> This means they should not be used to protect any secret
> worth more than $100,000.
I'm studying Kerberos for my graduate thesis, and I'm having problems
understanding the utility in preauthentication. It has been argued that
preauthentication helps prevent password guessing attacks (originally:
Bellovin, Merritt, "Limitations...", 1991) , but I can't understand how.
Here's a quote from Tom Wu's paper
(http://theory.stanford.edu/~tjw/krbpass.html):
"Kerberos V5?
Kerberos V5 introduces preauthentication, which requires the user to
provide some evidence that she knows the shared key K before the
authentication server will issue a TGT. This evidence comes in the form
of an encrypted timestamp t:
C --> S: R, E[K](t)
C <-- S: E[K](TGT)
The server S sends its reply to the client C only if t decrypts to the
correct time within some predefined tolerance. Although this prevents an
attacker from requesting TGTs, it does not protect against an
eavesdropper who captures either E[K](t) or E[K](TGT). Either of those
quantities constitutes verifiable plaintext that can be used to mount a
dictionary attack. While this is an improvement relative to Kerberos V4,
an attacker with a network sniffer can still carry out the same off-line
dictionary attack against any authentication requests captured over the
network [9]."
In addition, I sniffed the initial authentication packets with ethereal on
my Linux network, and I see one of the datagrams is sending the
Pre-Authentication via "PA-ENC-TIMESTAMP". Pretty neat, but how does it
encrypt the timestamp? It must be using a key which is known by the
Kerberos server (otherwise, how would it decrypt)? And if it is using the
user's password (even before getting a TGT), how does that resist password
guessing attacks?
Thanks for any help on this.
-ian
More information about the Kerberos
mailing list