Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted and misused?

Rick van Rein rick at openfortress.nl
Wed Aug 24 02:36:21 EDT 2016


Hey Mike,

> But it would be even better if the client could (or had the option to)
> do authentication with the service directly and thus eliminate the
> numerous dependencies for clients (DNS, KDC access, stale tickets,
> time sync...).

I doubt you could use Kerberos without these components involved.
You might forego DNS if you configured your client (which is certainly
not everyone's favourite solution).  You need the KDC to obtain a
short-lasting credential, which is pretty much a cornerstone of
Kerberos security.  The stale tickets and time sync come with that.

Do note that time sync is not always essential on the client; the
major concern for security is that the KDC and server are in time
sync; clients merely need time to be able to pick the right ticket,
but if they needed to (because they were embedded, say) they might
happily assume whatever ticket timing the KDC passed them and use
that to figure out how much longer a ticket would last.

> I'm not sure if that is possible with HTTP being
> stateless, but if it is, it could be the basis for proper Internet
> website security as well.

It sounds to me like you are asking about preshared keys, which
are accepted to be far less secure than the Kerberos road.

-Rick
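The point above about client time sync, that a client whose own clock is unreliable can still reason about ticket lifetimes by anchoring to the times the KDC put in the ticket, is illustrated below with an added toy model. This is not code from Rick's message and not krb5 code; the `Ticket` fields, the `Client` class and the offset-estimation rule are assumptions made for the illustration, and all timestamps are constructed integers (seconds).

```python
"""Toy model: a Kerberos-like client with a wrong local clock that still
picks a valid ticket by trusting the KDC's own timestamps.

This is an illustration of the design point, not an implementation of
real krb5 credential-cache handling (assumption: the KDC's authtime is
taken as the KDC's clock at the moment the client receives the ticket)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ticket:
    service: str
    authtime: int   # KDC clock when the ticket was issued (from the KDC)
    endtime: int    # KDC clock when the ticket expires (from the KDC)


class Client:
    """Client that never trusts its own wall clock for absolute time."""

    def __init__(self) -> None:
        # Estimated (kdc_clock - local_clock); unknown until first ticket.
        self.offset: Optional[int] = None
        self.cache: List[Ticket] = []

    def receive(self, ticket: Ticket, local_now: int) -> None:
        # Anchor: assume the KDC stamped authtime "just now" in its own
        # clock. The client's absolute time may be wildly off; only the
        # difference between the two clocks matters from here on.
        self.offset = ticket.authtime - local_now
        self.cache.append(ticket)

    def kdc_time(self, local_now: int) -> int:
        """Project the local clock onto the KDC's clock."""
        if self.offset is None:
            raise RuntimeError("no ticket received yet; offset unknown")
        return local_now + self.offset

    def remaining(self, ticket: Ticket, local_now: int) -> int:
        """Seconds of validity left, measured in the KDC's time base."""
        return ticket.endtime - self.kdc_time(local_now)

    def pick(self, service: str, local_now: int) -> Optional[Ticket]:
        """Return a still-valid cached ticket for service, or None."""
        for t in self.cache:
            if t.service == service and self.remaining(t, local_now) > 0:
                return t
        return None


def demo() -> dict:
    # Constructed scenario: the KDC's clock reads 36000 when it issues a
    # 10-hour ticket, but the client's local clock reads only 1000.
    client = Client()
    http_ticket = Ticket("HTTP/www.example.com", authtime=36000, endtime=72000)
    client.receive(http_ticket, local_now=1000)

    one_hour_later = 1000 + 3600
    eleven_hours_later = 1000 + 11 * 3600
    return {
        "offset": client.offset,
        "remaining_after_1h": client.remaining(http_ticket, one_hour_later),
        "valid_after_1h": client.pick("HTTP/www.example.com", one_hour_later) is not None,
        "valid_after_11h": client.pick("HTTP/www.example.com", eleven_hours_later) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The client's local clock is off by 35000 seconds, yet the remaining lifetime it computes is exactly what the KDC would compute, because the only quantity it uses is the difference between two KDC timestamps. What this model does not cover is the server side: the service still has to agree with the KDC on time to reject expired tickets and replays, which is the sync that matters for security.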