man in the middle on MIT kerberos

Nicolas Williams Nicolas.Williams at
Fri Feb 27 14:42:59 EST 2009

On Thu, Feb 26, 2009 at 05:51:21PM +0530, Nikhil Mishra wrote:
> Is it possible to create a man in the middle in a kerberos environment , If
> I own admin privileges in all components of the traffic i.e ( windows
> KDC , windows based application , windows based client ) ?

In any trusted third party protocol, such as Kerberos and PKI, the
trusted third party can generally mount MITM attacks.  In PKI the
trusted third party (the CA) can do it by issuing certs with which it
can impersonate principals to which it has issued certs.  In Kerberos
the trusted third party (the KDC) can decrypt any ticket.  (More or
less; I'm making some simplifying assumptions here.)

More information about the krbdev mailing list