Offline password attacks on AS-REQ

Douglas E. Engert deengert at anl.gov
Fri Jun 17 10:13:55 EDT 2005


There is PKINIT also.

We did a "sslk5" in 1999 to use SSL authentication to a KDC, then return
an unencrypted ticket protected by SSL to the client. In this case the
user was using X509 certificates for authentication and no password. It
was last updated for krb5-1.2.2 and OpenSSL-0.9.6. It can be found at:

  ftp://achilles.ctd.anl.gov/pub/DEE/sslk5-1.2.2-20010827.tar

It would not take much to use only server side certificates with TLS,
and the KDC would return the AS_REP as usual but protected by SSL.
With PRE_AUTH this should eliminate guessing attacks. But there may need
to be some binding between the TLS and Kerberos to avoid some MITM attacks.

This work was done as part of the Globus project so users could get a Kerberos
V5 ticket. In 99% of the cases the ticket was for AFS.  It was dropped in
favor of the gssklog that could use the Globus GSSAPI to get an AFS token
without KRB5, as 80% of the sites that had AFS did not have krb5
and at that time did not want to set up a krb5 realm.

It was also expected that PKINIT would replace the need for sslk5
within a short time.


peter huang wrote:
> brian.joh at comcast.net wrote:
> 
>>Tunneling sounds like the best option.
>>
>>We have over 500 Windows 2000 and Windows 2003 domain
>>controllers (KDCs in Active Directory), that we don't want to have
>>to modify or install new software on.  These domain controllers
>>(KDCs) do have SSL properly configured, so I suppose, we could
>>tunnel the AS-REQ and AS-REP inside of SSL.  I'll try this unless
>>anyone knows of a better way, keeping in mind no major changes
>>can be made to these Domain Controllers.
>>
>>Thanks!
>>
> 
> so how would one change the KDC to support SSL?  the current kinit 
> process only talks to udp/tcp 88,  are there other proposals to do kinit?
> 
> -peter
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

