Is "SPN advertisement" or well-known SPNs a security hole?

Simon Wilkinson simon at sxw.org.uk
Thu Jan 17 04:44:12 EST 2008


On 16 Jan 2008, at 21:32, Srinivas Kakde wrote:
> I
> think there must be equivalence between permission required create a
> principal on
> a KDC and the permission required  associate the service principal  
> name
> with network binding information.  I think this is an interesting area
> of study.

See the domain based naming work being done in the IETF Kitten WG -  
this allows the KDC to associate a specific SPN with a domain-based- 
name.

> Attacker that is able obtain control of a KDC or cross-realm keys will
> be able to cause very serious problems

The second part of this isn't strictly true. An attacker than  
compromises a KDC that you cross-realm with, or the keys for that  
cross-realm relationship, can only impersonate principals in the  
foreign realm. Normally, this doesn't have any significant impact on  
the overall security of local services, providing there's no way for  
an attacker to pretend that a local service has an SPN in that  
foreign realm. This is the attack that Jeff was describing.

Simon.




More information about the Kerberos mailing list