STARTTLS extension
H.-J. Schnitzer
schnitzer2 at rz.rwth-aachen.de
Wed Oct 9 12:25:36 EDT 2013
On 10/09/2013 01:12 PM, Rick van Rein (OpenFortress) wrote:
> Hi HJ,
>
> Thanks!
>
>> The plain network traffic between client and KDC is vulnerable to dictionary attacks on
>> weak user passwords.
> If I understand you correctly, you are saying that the packets themselves provide information
> suitable to build dictionary attacks, and unlike the KDC which could fend off heavy queries,
> this is not the case after a login packet has been observed.
>
> Please forgive me for not knowing the protocols yet -- it's only been 3 (intensive) weeks of
> Kerberos for me.
The vulnerability I mean is explained here for example:
http://www.windowsdevcenter.com/pub/a/windows/excerpt/swarrior_ch14/index1.html
>
> This sounds like an SRP-based scheme would make a lot of sense to the exchange with the KDC.
> Except that it isn't standardised AFAIK, and TLS is. Your point is clear.
>
>> There are already tunneling mechansims available for MIT Kerberos
>> like PKINIT and FAST but I find them rather complicated to implement.
> Are you missing documentation perhaps? Wouldn't surprise me, I've also missed guidance.
>
>> TLS would make things definitely easier. The GNU Kerberos solution shishi has support
>> for TLS for example.
> TLS makes things easier to administer, except for certificate juggling and modern DANE
> requirements, but I don't like its footprint of network traffic and verification time. That's the
> reason I asked -- curiosity about pros.
>
I would also be lucky to hear about any alternatives to the use of
client/server certificates.
Hans-Juergen
More information about the Kerberos
mailing list