random to key from password

[Nicolas Williams]

On Mon, Sep 27, 2010 at 04:42:14PM -0400, Sam Hartman wrote:
> The KDC prefers AES to DES.
> So, you'll never be able to use the DES key for much, but it exists and
> you can somehow get some text to attack it.

How would you get that ciphertext?  I think the best you could do is
construct garbage ticket en-parts and fling them at a service oracle,
see what you get back in the KRB-ERROR (and if there's useful leaks
there then we have a problem).  (Now would be a good time to make sure
that there's no CBC (or CTS, for less than 1 block of text) padding
leaks here...)

> However if you want to decrypt tickets, you're going to need the AES
> key.

Who wants to decrypt tickets?  I suspect the attacker will want to
_mint_ tickets.  Yes, yes, it's all the same given a symmetric cipher :)

Nico
--