[24086] in Kerberos
Offline password attacks on AS-REQ
daemon@ATHENA.MIT.EDU (brian.joh@comcast.net)
Wed Jun 15 16:35:07 2005
From: brian.joh@comcast.net
To: kerberos@mit.edu
Date: Tue, 14 Jun 2005 19:55:05 +0000
Message-Id: <061420051955.1390.42AF3619000526D80000056E2200762194080106D2020E079D0D@comcast.net>
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
Hi,
In my company, we're pitching a Kerberos-based solution to authenticate tens of thousands of Linux users to Active Directory. To increase the likelihood of approval by the higher-ups, we really need to eliminate all perceived security holes.
Although preauthentication helps some, Kerberos version 5 is susceptible to offline, brute force, password attacks on the initial AS-REQ. I saw some discussion about this from a few years ago in the archives, but nothing recently. Is there a solution to this issue yet? If not, what progress has been made, and what direction is being taken? I do have some familiarity with MIT Kerberos source code internals, having interfaced some the library's low-level profile and DNS SRV functions to hack out support for Microsoft's extended version of DNS SRV. Depending on how big the task is, I might be able to spend some time at work to code a solution.
Thanks.
Brian
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
