Kerberos insecure

Tom Yu tlyu at MIT.EDU
Mon Dec 8 19:08:14 EST 2003


>>>>> "Christoph" == Christoph Riesenberger <riesi.news at gmx.at> writes:

Christoph> Thanks, Tom. This means, Lowe's attack doesn't touch kerberos!?

Not exactly.  Attacks similar to Lowe's are effective against Kerberos
version 4.

Christoph> 2 other questions:

Christoph> Kerberos uses symmetric keys. How can it guarantee, that a
Christoph> message/ticket was not altered (integrity)?

Encrypted messages in Kerberos v5 always have an integrity check.  In
RFC 1510, this is an encrypted plaintext checksum (which has known
weaknesses).  More recently, encrypted messages always use a keyed
hash or HMAC for checking integrity.

Christoph> How does logout work?

Credentials are typically destroyed at logout time by the client
system.  In addition, credentials are only valid for a limited time,
so a stolen credential cannot be used for an indefinite period of
time.

Christoph> I really looked around but found no answers.

Have you read RFC 1510?  Also, work is occurring to revise the
specification; see draft-ietf-krb-wg-kerberos-clarifications-04.txt
and draft-ietf-krb-wg-crypto-06.txt.

---Tom


More information about the Kerberos mailing list