Question on mutual authentication

Greg Hudson ghudson at MIT.EDU
Sat Oct 2 07:44:10 EDT 2010


On Sat, 2010-10-02 at 05:01 -0400, SANDERS Miguel wrote:
> I have a question concerning the mutual authentication in the kerberos
> flow. I know that the client proves his identity to the AS by using
> the PA-ENC-TIMESTAMP (preauthentication). Similarly, the authenticator
> in the TGS-REQ is used to prove the client's identity to the TGS. But
> how does the AS prove his identity to the client in the AS-REP
> message? Same question for the TGS in the TGS-REP message.

The AS or TGS (which are typically just referred to as the KDC) doesn't
exactly prove its identity; it proves its knowledge of the client's
long-term key.  If the fake KDC does not know the client's long-term key
(or TGT session key for a TGS request), it will be unable to produce a
reply which successfully decrypts.

It's important to note that when a user is logging into a host, this
standard of proof is of no value to the host, as the user could be
colluding with a fake KDC.  This is the classic "Zanarotti attack."  To
prevent this attack, a host makes the KDC prove its knowledge of the
long-term key in the host's keytab, by making a TGS request to that
service principal and verifying the result.
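As an added illustration (not part of Greg's message or of MIT Kerberos code), a toy Python model of the two proofs described above: a KDC is modelled as nothing but a key database, a throwaway HMAC-based authenticated cipher stands in for Kerberos encryption types, and the principal names and keys are constructed for the example. It shows that a fake KDC colluding with the user passes the AS-REP check (it knows the user's key) but fails the host's TGS-REQ check (it does not know the keytab key).

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption (HMAC-SHA256 keystream + MAC), standing in for a Kerberos etype."""
    nonce = secrets.token_bytes(16)
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _open(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns None when the key is wrong, i.e. the reply does not 'successfully decrypt'."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return bytes(a ^ b for a, b in zip(ct, ks))

class KDC:
    """A KDC 'proves' itself only by producing replies encrypted under keys it is expected to hold."""
    def __init__(self, keys: dict):
        self.keys = keys
    def as_rep(self, client: str) -> bytes:
        session = secrets.token_bytes(32)
        tgt = _seal(self.keys["krbtgt"], session)          # ticket the client cannot read
        return _seal(self.keys[client], session + tgt)      # enc-part under the client's long-term key
    def tgs_rep(self, tgt: bytes, service: str) -> bytes:
        session = _open(self.keys["krbtgt"], tgt)
        if session is None:
            return b""
        svc_session = secrets.token_bytes(32)
        ticket = _seal(self.keys[service], svc_session)     # requires the service's keytab key
        return _seal(session, svc_session + ticket)         # enc-part under the TGT session key

def verify_login(kdc: KDC, user: str, user_key: bytes, host: str, host_key: bytes) -> bool:
    """The host's side: decrypt the AS-REP as the user, then demand a ticket for the host itself."""
    enc = _open(user_key, kdc.as_rep(user))
    if enc is None:
        return False
    session, tgt = enc[:32], enc[32:]
    enc = _open(session, kdc.tgs_rep(tgt, host))
    if enc is None:
        return False
    return _open(host_key, enc[32:]) is not None            # the anti-Zanarotti check with the keytab

# Constructed keys: the fake KDC knows alice's key but not the host's keytab key.
USER_KEY, HOST_KEY, TGT_KEY = (secrets.token_bytes(32) for _ in range(3))
real_kdc = KDC({"alice": USER_KEY, "host/login.example": HOST_KEY, "krbtgt": TGT_KEY})
fake_kdc = KDC({"alice": USER_KEY, "host/login.example": secrets.token_bytes(32),
                "krbtgt": secrets.token_bytes(32)})
```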
