[37637] in Kerberos
Re: Kerberos and HTTP / HTTPS - Could Kerberos tickets be intercepted
daemon@ATHENA.MIT.EDU (Michael B Allen)
Wed Aug 24 12:35:35 2016
MIME-Version: 1.0
In-Reply-To: <57BD4065.80704@openfortress.nl>
From: Michael B Allen <ioplex@gmail.com>
Date: Wed, 24 Aug 2016 12:35:18 -0400
Message-ID: <CAGMFw4h4ptto+AYsLHhVY1SEEL7s8GAah6KPOOZU9WecDjJRQw@mail.gmail.com>
To: Rick van Rein <rick@openfortress.nl>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Wed, Aug 24, 2016 at 2:36 AM, Rick van Rein <rick@openfortress.nl> wrote:
> Hey Mike,
>
>> But it would be even better if the client could (or had the option to)
>> do authentication with the service directly and thus eliminate the
>> numerous dependencies for clients (DNS, KDC access, stale tickets,
>> time sync...).
>
> I doubt you could use Kerberos without these components involved.
> You might forego DNS if you configured your client (which is certainly
> not everyone's favourite solution). You need the KDC to obtain a
> short-lasting credential, which is pretty much a cornerstone of
> Kerberos security. The stale tickets and time sync come with that.

I'm proposing clients use the server as a surrogate for the KDC. So
the server would get a TGT on behalf of the client as well as a
service ticket (for itself) and return it to the client. The client
would then use that service ticket as normal. I understand that this
would all warrant new commands and logic.

Yes, this is all tangential to what you're doing.

>> I'm not sure if that is possible with HTTP being
>> stateless, but if it is, it could be the basis for proper Internet
>> website security as well.
>
> It sounds to me like you are asking about preshared keys, which
> are accepted to be far less secure than the Kerberos road.

Unfortunately I don't know all the nomenclature so I'll duck this one.

Mike

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos