[2932] in Kerberos
Re: About principals' secret keys & attacks
daemon@ATHENA.MIT.EDU (Carlos Horowicz)
Mon Dec 20 16:22:21 1993
From: Carlos Horowicz <carlos@athea.ar>
To: sdawson@engin.umich.edu (Scott Dawson)
Date: Mon, 20 Dec 1993 17:20:19 -0300 (ARG)
Cc: kerberos@MIT.EDU
In-Reply-To: <9312201909.AA04778@limbo.engin.umich.edu> from "Scott Dawson" at Dec 20, 93 02:09:05 pm
>
>
> > > 2. If an attacker wants to break a principal's secret key, is there any
> > > way to identify the attack, for example, by exceeding some number of
> > > trials?
> >
> > Depends how the attacker goes about trying.. The attacker could, in
> > the Kerberos 4 algorithm, request a TGT for a specific
> > user/service/etc. and take the data it gets from the KDC offline, and
> > then try to break it, until it finds the appropriate DES key or
> > passphrase. Then they can go live again and ask for this same
> > principal, and they now have the key to open the packet, assuming
> > the key hasn't been changed.
>
> I thought that what you get back from Kerberos will be unrecognizable
> when decrypted which would make this type of dictionary attack on the user
> passphrase impossible. You'd have to actually try to use the ticket and
> see if it works.
>
> It's easier if you can sniff traffic of the user you are trying to
> hack because eventually the user will encrypt something which is recognizable
> (usually in an authenticator). Then you can chain down from the original TGT
> to the authenticator and when you get recognizable stuff out you know you've
> got their key.
>
> -Scott
>
1. I think there should be nothing "recognizable" if timestamps and/or random
numbers go in the authenticator.
2. Under krb5, does the attacker have fewer possibilities than here to run
a dictionary of possible passwords and maybe hit the password?
Carlos