Java Pre-auth for Windows 2003 mixed case revival

Roland Dowdeswell elric at
Thu Feb 10 15:40:07 EST 2005

On 1108067146 seconds since the Beginning of the UNIX epoch
"Douglas E. Engert" wrote:

>In the future as PKINIT and /or other pre-auths are implemented, you
>may have to send in the first request without any pre-auth just to find
>out what the KDC will accept so you might as well do it now too.

Even today, sending pre-auth without first talking to the KDC is
a bit of a security problem if the client is not properly configured.
E.g. if I send a DES PA_TIMESTAMP, Eve can easily crack my password
regardless of not having DES keys in the KDC.  Of course, a MITM
can easily convince me to send a DES PA_TIMESTAMP...

    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

More information about the Kerberos mailing list