[2931] in Kerberos


Re: About principals' secret keys & attacks

daemon@ATHENA.MIT.EDU (Scott Dawson)
Mon Dec 20 14:29:13 1993

To: Derek Atkins <warlord@MIT.EDU>
Cc: Carlos Horowicz <carlos@athea.ar>, kerberos@MIT.EDU,
In-Reply-To: Your message of "Fri, 17 Dec 1993 15:19:09 EST."
Date: Mon, 20 Dec 1993 14:09:05 -0500
From: Scott Dawson <sdawson@engin.umich.edu>


>  > 2. If an attacker wants to break a principal's secret key, is there any
>  > way to identify the attack, for example, by exceeding some number of 
>  > trials ?
>  
>  Depends how the attacker goes about trying.. The attacker could, in
>  the Kerberos 4 algorithm, request a TGT for a specific
>  user/service/etc., take the data it gets from the KDC offline, and
>  then try to break it, until it finds the appropriate DES key or
>  passphrase.  Then they can go live again and ask for this same
>  principal, and they now have the key to open the packet, assuming
>  the key hasn't been changed.

I thought that what you get back from Kerberos will be unrecognizable
when decrypted, which would make this type of dictionary attack on the user
passphrase impossible.  You'd have to actually try to use the ticket and
see if it works.

It's easier if you can sniff the traffic of the user you are trying to
hack, because eventually the user will encrypt something which is recognizable
(usually in an authenticator).  Then you can chain down from the original TGT
to the authenticator, and when you get recognizable stuff out, you know you've
got their key.

-Scott
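The disagreement above, whether a captured KDC reply can be used to test passphrase guesses offline, comes down to one question: can the attacker tell a correct decryption from a wrong one? The script below is an added illustration written for this archive page; it is not code from the thread and not Kerberos code. It substitutes a SHA-256 counter-mode keystream for DES and SHA-256 of the passphrase for the Kerberos 4 string-to-key transform, so that it runs on the standard library alone, and it uses a constructed wordlist and a reply layout modelled on the fields of a Kerberos 4 KDC reply (session key, service name, realm, KDC timestamp). When the encrypted part holds only random key material, every guess passes the only check available and the attacker learns nothing offline; when it holds structured fields, the correct passphrase is the sole survivor.

```python
"""Offline passphrase-guess verification against a captured, KDC-style reply.

Illustration only: the cipher and the string-to-key step are stand-ins
(SHA-256 based), not DES and not the Kerberos 4 transform.  The point shown
is independent of the cipher: offline verification needs recognizable plaintext.
"""
import hashlib
import os
import struct
from typing import Callable, List

# Constructed wordlist; the real passphrase is among the candidates.
WORDLIST = ["letmein", "kerberos", "athena93", "changeme", "correct horse"]
REAL_PASSPHRASE = "athena93"


def string_to_key(passphrase: str) -> bytes:
    """Stand-in string-to-key: any deterministic derivation serves the demo."""
    return hashlib.sha256(passphrase.encode()).digest()[:8]


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in cipher keystream (SHA-256 in counter mode), not DES."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR stream cipher is its own inverse


def reply_unstructured(session_key: bytes) -> bytes:
    """Encrypted part carrying nothing but random key material."""
    return session_key


def reply_structured(session_key: bytes, kdc_time: int) -> bytes:
    """Encrypted part modelled on a KDC reply: key, service, realm, KDC time."""
    return session_key + b"krbtgt\0" + b"ATHENA.MIT.EDU\0" + struct.pack(">I", kdc_time)


def looks_like_key_material(plain: bytes) -> bool:
    """The only test possible against pure key material: right length."""
    return len(plain) == 8


def looks_like_reply(plain: bytes, now: int, window: int = 3600) -> bool:
    """Plausibility test an attacker applies to a candidate decryption:
    expected service name present and KDC timestamp close to the capture time."""
    if len(plain) < 8 + 4 or b"krbtgt\0" not in plain:
        return False
    (t,) = struct.unpack(">I", plain[-4:])
    return abs(t - now) <= window


def offline_attack(blob: bytes, wordlist: List[str],
                   check: Callable[[bytes], bool]) -> List[str]:
    """Return every passphrase whose decryption of `blob` passes `check`."""
    return [w for w in wordlist if check(decrypt(string_to_key(w), blob))]


def demo(now: int = 756414000):  # constructed capture time, Dec 1993
    key = string_to_key(REAL_PASSPHRASE)
    session_key = os.urandom(8)

    # Case A: only random key material inside.  Every guess "fits", so the
    # attacker cannot confirm any of them offline and must try each online.
    blob_a = encrypt(key, reply_unstructured(session_key))
    survivors_a = offline_attack(blob_a, WORDLIST, looks_like_key_material)

    # Case B: structured fields inside.  Only the right passphrase yields a
    # plausible service name and timestamp, so the guess is confirmed offline.
    blob_b = encrypt(key, reply_structured(session_key, now - 5))
    survivors_b = offline_attack(blob_b, WORDLIST,
                                 lambda p: looks_like_reply(p, now))
    return survivors_a, survivors_b


if __name__ == "__main__":
    a, b = demo()
    print("unstructured reply, guesses that pass:", a)
    print("structured reply,   guesses that pass:", b)
```

The same shape applies to the authenticator the message mentions: a timestamp and a principal name inside the encrypted part are exactly the kind of field `looks_like_reply` tests for, and a single sniffed exchange containing one is enough to drive the loop in `offline_attack`.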
