On 01/07/2019 10:53 AM, Russ Allbery wrote:
I don't think describing it as "in the clear" is quite right, but a default Kerberos configuration using enc-timestamp and no tunneling as the preauth mechanism is somewhat vulnerable to packet capture followed by an off-line dictionary attack to recover the authentication key.
Sorry, "in the clear" may have been a poor choice of words. I was meaning to imply "revealed more than desired in an untrusted ~> hostile network", particularly in the context of between clients and the KDC.
The standard solution for this is FAST, which protects the initial authentication against this attack. (You do need some other credential to set up the FAST tunnel, but you can use anonymous Diffie-Hellman via anonymous PKINIT, or you can use a randomized key.)
Would you please expand (what I assume is) the FAST acronym? I expect that there will be quite a few phonetic collisions searching for "FAST".
The attack still requires subsequent work; you can't just snoop the connection between the client and the KDC and immediately get credentials. The work factor is basically linked to the complexity of the client key, so it's not much of a worry for a randomized key but is a worry for user passwords.
Good to know. Thank you for explaining.
Yes.
:-)
I don't have a good answer for this, unfortunately.
Fair enough. -- Grant. . . . unix || die
smime.p7s
Description: S/MIME Cryptographic Signature
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
