On Sat, 9 Feb 2002, Marcus Watts wrote:
> Here is an incomplete list of weaknesses that you might find more useful > to consider: > (1) Most production kerberos realms still use regular DES and no preauth. > This means they should not be used to protect any secret > worth more than $100,000. I'm studying Kerberos for my graduate thesis, and I'm having problems understanding the utility in preauthentication. It has been argued that preauthentication helps prevent password guessing attacks (originally: Bellovin, Merritt, "Limitations...", 1991) , but I can't understand how. Here's a quote from Tom Wu's paper (http://theory.stanford.edu/~tjw/krbpass.html): "Kerberos V5? Kerberos V5 introduces preauthentication, which requires the user to provide some evidence that she knows the shared key K before the authentication server will issue a TGT. This evidence comes in the form of an encrypted timestamp t: C --> S: R, E[K](t) C <-- S: E[K](TGT) The server S sends its reply to the client C only if t decrypts to the correct time within some predefined tolerance. Although this prevents an attacker from requesting TGTs, it does not protect against an eavesdropper who captures either E[K](t) or E[K](TGT). Either of those quantities constitutes verifiable plaintext that can be used to mount a dictionary attack. While this is an improvement relative to Kerberos V4, an attacker with a network sniffer can still carry out the same off-line dictionary attack against any authentication requests captured over the network [9]." In addition, I sniffed the initial authentication packets with ethereal on my Linux network, and I see one of the datagrams is sending the Pre-Authentication via "PA-ENC-TIMESTAMP". Pretty neat, but how does it encrypt the timestamp? It must be using a key which is known by the Kerberos server (otherwise, how would it decrypt)? And if it is using the user's password (even before getting a TGT), how does that resist password guessing attacks? Thanks for any help on this. -ian _______________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos