KDC TGT enctype selection question

Benjamin Kaduk kaduk at mit.edu
Mon Dec 4 17:39:22 EST 2023


On Mon, Dec 04, 2023 at 05:23:17PM -0500, Ken Hornstein via krbdev wrote:
> >I would go even further and say that it is a design assumption of MIT krb5
> >that all KDCs are just separate instances of the same logical instance and are
> >assumed to behave "identically" (i.e., with identical configuration).
> 
> I'm going to reiterate my earlier statement: THIS IS NOT AN ANSWER TO MY
> QUESTION.

I agree, which is why I wrote more.

> >As Nico says, this particular case seems like the KDC knowing that the enctype
> >list is sorted strongest-to-weakest, and also knowing that "the KDC" is the
> >only entity that can create this ciphertext, so enforcing that the strongest
> >key is being used and preventing by construction any brute-force or other
> >attacks on krbtgt keys of other enctypes.
> 
> I'm a little unclear how you could try brute-forcing the "wrong" TGT key
> in this situation without submitting 2^keylength TGT requests.  Again,
> it is possible I am missing something.

Brute-force is perhaps not the most likely attack scenario here, but it is an
easy one to describe.  (AFAIK, yes, you would need to submit many TGS
requests to perform such an attack.)

Getting back to your initial question, though ... as I see it, Nico, Sam, and
I have been saying basically the same thing in different words and I think it
does answer your question.  Do you still think you have an unanswered
question?  (If so, what is it?)

-Ben

