[2933] in Kerberos
Re: About principals' secret keys & attacks
daemon@ATHENA.MIT.EDU (Scott Dawson)
Mon Dec 20 18:41:21 1993
To: Carlos Horowicz <carlos@athea.ar>
Cc: sdawson@engin.umich.edu, kerberos@MIT.EDU
In-Reply-To: Your message of "Mon, 20 Dec 1993 17:20:19 -0300."
Date: Mon, 20 Dec 1993 18:28:38 -0500
From: Scott Dawson <sdawson@engin.umich.edu>
> 1. I think there should be nothing "recognizable" if timestamps and/or random
> numbers go in the authenticator.
Timestamps are recognizable because I pretty much know what time it is
and if I decrypt and get anywhere near that time I know I've hit the
right key.
The thing is, in krb4 at least, what is in the authenticator is
something of the form { username, address, timestamp }Ku,s
The chaining works like this:
you get a tgt which looks like:
{ Ku,tgs , {Ttgs}Ktgs }Kuser
none of the packet contents here is recognizable if I just guess at Kuser.
However, you now send a message to the tgs asking to talk to service Y. When
you do this, you also send the authenticator for the tgs. What you send
looks like:
{ username, address, timestamp }Ku,tgs along with {Ttgs}Ktgs
So, here's the attack if I have sniffed your packets. I decrypt the
initial tgt using dictionary attack. I don't know that what I got was
any good. I use the Ku,tgs which I get to decrypt the authenticator
which you sent to the tgs. If I see { username, address, timestamp },
all of which are recognizable, then I have guessed your user key correctly.
If not, I move on to the next guess and repeat the procedure.
I can't do this though if I'm sitting here in Michigan and have no way
of sniffing your packets. The best I can do in that case is hit your
kerberos server and ask for a tgt. Then I keep decrypting and getting
some TGT which I can't recognize. The only way for me to see whether
it's good is to try it out (by trying to get a ticket for a specific
service). If I do this 10 billion times though, you might notice it and
start filtering my traffic.
> 2. Under krb5, does the attacker have less possibilities than here, to run
> a dictionary of possible passwords and maybe hit the password ?
not sure. I'm not familiar with krb5.
-Scott
