STARTTLS extension

Russ Allbery rra at stanford.edu
Wed Oct 9 13:14:05 EDT 2013


"H.-J. Schnitzer" <schnitzer2 at rz.rwth-aachen.de> writes:

> The plain network traffic between client and KDC is vulnerable to
> dictionary attacks on weak user passwords.  There are already tunneling
> mechanisms available for MIT Kerberos like PKINIT and FAST but I find
> them rather complicated to implement.  TLS would make things definitely
> easier.

However, note that TLS will have a significant impact on the performance
of your KDC if you're doing high volume.  That's obviously something that
you can work around, particularly since KDCs normally don't need to be
very fast.  It probably doesn't make the KDC any slower than many other
servers.  But it will definitely take it out of the blazingly fast arena
that it's in now.

FAST is complex from a protocol standpoint, but there are already several
implementations out there, and it's quite easy to use from an API
standpoint.  And it doesn't have the same performance problems provided
that you have a long-term key available to use for the armor.  (If you
have to use anonymous PKINIT for the armor, you're back to the same
performance issues with public key cryptography.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>