[24081] in Kerberos
Offline password attacks on AS-REQ
daemon@ATHENA.MIT.EDU (brian.joh@comcast.net)
Wed Jun 15 10:05:18 2005
From: brian.joh@comcast.net
To: kerberos@mit.edu
Date: Wed, 15 Jun 2005 14:04:19 +0000
Message-Id: <061520051404.19661.42B03562000F3E9B00004CCD2200763704080106D2020E079D0D@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
Hi,
In my company, we're pitching a Kerberos-based solution to authenticate tens of thousands of Linux users to Active Directory. To increase the likelihood of approval by the higher-ups, we really need to eliminate all perceived security holes.
Although preauthentication helps some, Kerberos version 5 is susceptible to offline, brute force, password attacks on the initial AS-REQ. I saw some discussion about this from a few years ago in the archives, but nothing recently. Is there a solution to this issue yet? If not, what progress has been made, and what direction is being taken? I do have some familiarity with MIT Kerberos source code internals, having interfaced some the library's low-level profile and DNS SRV functions to hack out support for Microsoft's extended version of DNS SRV. Depending on how big the task is, I might be able to spend some time at work to code a solution.
Thanks.
Brian
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
