Migrating a Kerberos Realm

Douglas E. Engert deengert at anl.gov
Fri Nov 3 09:32:37 EST 2006 


Ken Raeburn wrote:
> On Nov 2, 2006, at 17:48, Henry B. Hotz wrote:
> 
>>OTOH, it sounds like a fun idea to me.  Do the cryptosystem RFC's  
>>specify the default salt?
> 
> 
> Actually, the default salt, derived from the realm and principal  
> name, is specified in the main Kerberos protocol document, and is  
> invariant across cryptosystems; the cryptosystem RFCs don't know  
> anything about principal names or realm names.  What gets done with  
> the salt string is defined per cryptosystem, though.
> 
> Using a fixed per-principal salt string allows an attacker to convert  
> a standard password-cracking dictionary into a set of keys for a  
> given principal, and try that set of keys repeatedly despite the user  
> changing her password.  If the salt string (which is supposed to be  
> UTF-8 if I recall correctly) is randomized and long enough, then any  
> key of N bits should be possible[*] even if the password is in the  
> dictionary, and the attacker can only precompute his key list for a  
> given salt string.  So it's probably worth considering despite the  
> bugs of one implementation.
> 

But the salt is returned in the KRB_ERROR  KRB5KDC_ERR_PREAUTH_REQUIRED(25)
message on the PA_ENCTYPE_INFO in clear text so just having a different salt
per principal should make it just as difficult for the attacker.

This feature came in handy while trying to figure out why Java < 1.6 did not
work correctly with pre-auth assuming it knew the salt. In a mixed case
principal name. AD is case insensitive but the salt is not.

> Ken
> 
> [*] Assuming the cryptosystem actually uses the salt string, and  
> incorporates it properly, of course.  The RC4 cryptosystem, for  
> example, does not use it, and thus the key is derived from the  
> password alone, and a dictionary can be converted to keys that can be  
> tried for any user in any realm.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list