Java Pre-auth for Windows 2003 mixed case revival
Roland Dowdeswell
elric at imrryr.org
Thu Feb 10 15:40:07 EST 2005
On 1108067146 seconds since the Beginning of the UNIX epoch
"Douglas E. Engert" wrote:
>
>In the future as PKINIT and /or other pre-auths are implemented, you
>may have to send in the first request without any pre-auth just to find
>out what the KDC will accept so you might as well do it now too.
Even today, sending pre-auth without first talking to the KDC is
a bit of a security problem if the client is not properly configured.
E.g. if I send a DES PA_TIMESTAMP, Eve can easily crack my password
regardless of not having DES keys in the KDC. Of course, a MITM
can easily convince me to send a DES PA_TIMESTAMP...
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
More information about the Kerberos
mailing list