[3200] in Kerberos
Re: Ticket cracking (Re: Is there Kerberos for VMS?)
daemon@ATHENA.MIT.EDU (Jon A. Rochlis)
Fri Apr 29 12:33:38 1994
To: ramus@nersc.gov (Joe Ramus)
Cc: kerberos@MIT.EDU
In-Reply-To: Your message of "Wed, 27 Apr 1994 11:09:15 PDT."
<9404271809.AA27924@windsail.nersc.gov>
Date: Fri, 29 Apr 1994 12:09:02 -0400
From: "Jon A. Rochlis" <jon@cam.ov.com>
I thought the design of Kerberos 5 prevents the cracking of an encrypted
ticket. Or at least makes it a lot more difficult.
One thing that V5 lets you do is require pre-authentication for a
principal, i.e. the principal must demonstrate knowledge of its
password/key before it can get an initial ticket. The V5 KDC also will
not issue server tickets for principals which require pre-auth, so you
can't get a ticket for your victim using your own ticket, and do the
previously mentioned off-line attack. With both of these features you
can then scan the logs for multiple failed pre-auth attempts or modify
the KDC to keep a count and perform some action (such as locking out
the principal or paging someone) after too many bad pre-auth attempts.
-- Jon
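
The log scan suggested in the message above, as an added example that is not part of the original post or of the Kerberos distribution: it counts failed pre-auth attempts per principal in a sliding window and reports principals that cross a threshold. The log layout (modelled on MIT krb5kdc syslog-style lines), the sample lines, the function name and the threshold/window values are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input. The layout is modelled on MIT krb5kdc log lines
# (an assumption): adjust LINE_RE to whatever your KDC actually writes.
SAMPLE_LOG = """\
Apr 29 12:00:01 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 29 12:00:03 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.10: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 29 12:00:04 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.44: ISSUE: authtime 767635204, etypes {rep=1 tkt=1 ses=1}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Apr 29 12:00:05 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.11: PREAUTH_FAILED: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 29 12:00:40 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.44: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 29 12:20:00 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.44: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Apr 29 12:40:00 kdc1 krb5kdc[411](info): AS_REQ (1 etypes {1}) 192.0.2.44: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(.*?\) (?P<src>\S+): PREAUTH_FAILED: (?P<princ>\S+) for "
)

def find_lockout_candidates(log_text, threshold=3,
                            window=timedelta(minutes=5), year=1994):
    """Return (principal, time, source addresses) for each threshold crossing."""
    recent = defaultdict(deque)   # principal -> failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:                 # successful issues and unrelated lines
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["princ"]]
        q.append((when, m["src"]))
        while when - q[0][0] > window:    # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((m["princ"], when, sorted({s for _, s in q})))
            q.clear()             # re-arm so one burst yields one alert
    return alerts

if __name__ == "__main__":
    for princ, when, sources in find_lockout_candidates(SAMPLE_LOG):
        print(f"{when:%b %d %H:%M:%S} lock or page for {princ}: {sources}")
```

A successful login deliberately does not reset the count, so a legitimate user authenticating during a guessing run does not hide it.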