pre-authentication attacks

Russ Allbery eagle at
Wed May 14 18:16:55 EDT 2014

Ben H <bhendin at> writes:

> But the preauthentication gives the added protection of allowing the
> server to choose/enforce the encryption type used.

I don't believe this is the case.  Whether or not pre-authentication is
enabled, the server always has the ability to choose or enforce the
encryption type used.

The difference in the pre-authentication case is that the *attacker*
cannot choose a weak enctype that the server is willing to accept by
claiming that the attacker is a client that only supports weak enctypes.
Instead, the attacker has to work from network capture information from a
real client, and real clients will always attempt to negotiate the
strongest encryption type they support.

> That being said, if say AES were the only allowable encryption type used
> on such a network, the advantages here would be significantly less
> substantial and if we assumed easy access to the network, and standard
> encrypted-timestamp preauth, then the advantages of this pre-auth are
> negligible at best to no pre-auth at all?

Pre-authentication essentially requires the attacker to be capable of
being a passive man-in-the-middle in order to launch an off-line
brute-force attack.  If there is no security risk benefit in shifting the
attacker profile from "anyone who can connect to the KDC" to "passive
man-in-the-middle," then yes, encrypted timestamp pre-authentication isn't
really doing anything for you.

That being said, I am rather dubious that you can construct a reasonable
scenario where that change has no benefit.  A typical enterprise closed
network use case is *not* such a scenario.  With encrypted timestamp, the
attacker can still only attack clients for which it has network capture
data, which means that unused accounts are not vulnerable to off-line
brute-force, and any limitation on the attacker's ability to see all
network traffic (and, in practice, there will be many limitations for most
likely attacker scenarios) will give you more security by reducing the
principal space the attacker can launch off-line attacks against.

Russ Allbery (eagle at              <>

More information about the Kerberos mailing list