Kerberos n00b question.
Grant Taylor
gtaylor at tnetconsulting.net
Mon Jan 7 13:06:46 EST 2019
On 01/07/2019 10:53 AM, Russ Allbery wrote:
> I don't think describing it as "in the clear" is quite right, but a
> default Kerberos configuration using enc-timestamp and no tunneling as
> the preauth mechanism is somewhat vulnerable to packet capture followed
> by an off-line dictionary attack to recover the authentication key.
Sorry, "in the clear" may have been a poor choice of words. I was
meaning to imply "revealed more than desired in an untrusted ~> hostile
network", particularly in the context of between clients and the KDC.
> The standard solution for this is FAST, which protects the initial
> authentication against this attack. (You do need some other credential
> to set up the FAST tunnel, but you can use anonymous Diffie-Hellman via
> anonymous PKINIT, or you can use a randomized key.)
Would you please expand (what I assume is) the FAST acronym? I expect
that there will be quite a few phonetic collisions searching for "FAST".
> The attack still requires subsequent work; you can't just snoop the
> connection between the client and the KDC and immediately get credentials.
> The work factor is basically linked to the complexity of the client key,
> so it's not much of a worry for a randomized key but is a worry for
> user passwords.
Good to know. Thank you for explaining.
> Yes.
:-)
> I don't have a good answer for this, unfortunately.
Fair enough.
--
Grant. . . .
unix || die
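Added example, not part of this thread or of any poster's message: the client-side krb5.conf fragment needed to use anonymous PKINIT as the FAST armor that Russ describes above, for an MIT krb5 client. The realm `EXAMPLE.COM`, the host `kdc.example.com` and the anchor path are placeholders; it assumes the KDC already has a PKINIT certificate issued by the CA in that file and that the `WELLKNOWN/ANONYMOUS` principal exists in the realm.

```ini
# /etc/krb5.conf on the client (placeholder realm, host and paths)
[libdefaults]
    default_realm = EXAMPLE.COM
    # CA certificate that issued the KDC's PKINIT certificate. Anonymous
    # PKINIT uses it to verify the KDC before trusting the Diffie-Hellman
    # armor key, so without it the tunnel would be anchored to nothing.
    pkinit_anchors = FILE:/etc/krb5/kdc-ca.pem

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }

# Step 1: obtain an anonymous TGT into a separate cache to serve as armor
#   kinit -n @EXAMPLE.COM -c /tmp/armor.cc
# Step 2: authenticate the user with a password inside the FAST tunnel
#   kinit -T /tmp/armor.cc alice
# Alternative armor from a randomized key (e.g. the host keytab):
#   kinit -k -c /tmp/armor.cc && kinit -T /tmp/armor.cc alice
```

With the armor cache in place, the password-derived enc-timestamp exchange is wrapped in the armor key, so a capture of the client/KDC traffic no longer yields material that can be tested against a wordlist offline. The keytab variant is the "randomized key" route: the host's long-term key is random, so the armor itself is not subject to the dictionary concern the thread discusses. Verify the result with `klist -c /tmp/armor.cc` (the anonymous TGT should be for `WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS`) and with `klist` for the user's own TGT.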