[36136] in Kerberos
Re: pre-authentication attacks
daemon@ATHENA.MIT.EDU (Simo Sorce)
Sun May 18 12:57:25 2014
From: Simo Sorce <simo@redhat.com>
To: Russ Allbery <eagle@eyrie.org>
In-Reply-To: <87y4y4yupf.fsf@windlord.stanford.edu>
Date: Sun, 18 May 2014 12:57:03 -0400
Message-ID: <1400432223.3833.2.camel@willson.li.ssimo.org>
Cc: kerberos@mit.edu
On Wed, 2014-05-14 at 13:24 -0700, Russ Allbery wrote:
> Greg Hudson <ghudson@mit.edu> writes:
>
> > * The AES enctypes have an intentionally expensive string-to-key
> > function, making brute-force password attacks more expensive by a
> > significant but constant factor.
>
> The one caveat I'll add to this, though, is that "intentionally expensive"
> changes over time. Current crypto best practices would use about 3x as
> many rounds as the AES enctype specifies as the default, and would use
> per-principal salt.
>
> The Kerberos protocol permits the server to tell the client both the salt
> and the rounds, so you could dynamically adjust the rounds and use
> per-principal salt within the protocol (or, even better, randomize the
> salt on every password change). However, I don't know if anyone
> implements the tools required to manage this properly, or if typical
> clients would cope.
The FreeIPA project has used random salts since we started; it seems all
clients we know of cope just fine.
We do not change rounds, so I can't speak about changing that.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
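
The salt and rounds handling discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or MIT krb5 code. It covers only the PBKDF2-HMAC-SHA1 stage of the AES string-to-key (the final DK step is omitted); the function names and the `lo`/`hi` policy bounds are assumptions made for illustration.

```python
import hashlib
import os
import struct

DEFAULT_ITERATIONS = 4096  # AES enctype default when the KDC sends no s2kparams


def default_salt(realm, components):
    """Default salt: realm followed by the principal name components.
    Predictable from the principal name alone."""
    return (realm + "".join(components)).encode()


def new_random_salt(nbytes=16):
    """Fresh salt to store with the key at each password change (length is an assumption)."""
    return os.urandom(nbytes)


def decode_s2kparams(params, lo=DEFAULT_ITERATIONS, hi=1_000_000):
    """AES s2kparams: four octets, big-endian iteration count.
    lo/hi are assumed local-policy bounds: refuse a count weaker than the
    default, or one large enough to stall the client."""
    if params is None:
        return DEFAULT_ITERATIONS
    if len(params) != 4:
        raise ValueError("s2kparams must be exactly 4 octets")
    (count,) = struct.unpack(">I", params)
    if not lo <= count <= hi:
        raise ValueError("iteration count %d outside policy" % count)
    return count


def pbkdf2_stage(password, salt, iterations, keylen=16):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, keylen)


if __name__ == "__main__":
    # Constructed sample: what a KDC could advertise after tripling the rounds.
    rounds = decode_s2kparams(struct.pack(">I", 3 * DEFAULT_ITERATIONS))
    pw = "correct horse"  # constructed password
    old = pbkdf2_stage(pw, default_salt("EXAMPLE.COM", ["alice"]), DEFAULT_ITERATIONS)
    # Two password changes to the same password give unrelated keys with random salts.
    k1 = pbkdf2_stage(pw, new_random_salt(), rounds)
    k2 = pbkdf2_stage(pw, new_random_salt(), rounds)
    print(rounds, old.hex(), k1.hex(), k2.hex(), sep="\n")
```

With the default salt, anyone who knows the principal name can start precomputing candidate keys before talking to the KDC; with a random salt, that work can only begin once the KDC has disclosed the current salt, and it is invalidated at the next password change.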