[38421] in Kerberos
Re: Kerberos n00b question.
daemon@ATHENA.MIT.EDU (Grant Taylor)
Mon Jan 7 13:06:57 2019
To: Kerberos <kerberos@mit.edu>
From: Grant Taylor <gtaylor@tnetconsulting.net>
Message-ID: <38a2963c-3abe-22ce-1946-9be90c757c6d@spamtrap.tnetconsulting.net>
Date: Mon, 7 Jan 2019 11:06:46 -0700
MIME-Version: 1.0
In-Reply-To: <87y37wqrq8.fsf@hope.eyrie.org>
Content-Type: multipart/mixed; boundary="===============7883652600043451621=="
Errors-To: kerberos-bounces@mit.edu
This is a cryptographically signed message in MIME format.
--===============7883652600043451621==
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
micalg=sha-256; boundary="------------ms090005080003020503060708"
This is a cryptographically signed message in MIME format.
--------------ms090005080003020503060708
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
On 01/07/2019 10:53 AM, Russ Allbery wrote:
> I don't think describing it as "in the clear" is quite right, but a=20
> default Kerberos configuration using enc-timestamp and no tunneling as =
> the preauth mechanism is somewhat vulnerable to packet capture followed=
=20
> by an off-line dictionary attack to recover the authentication key.
Sorry, "in the clear" may have been a poor choice of words. I was=20
meaning to imply "revealed more than desired in an untrusted ~> hostile=20
network", particularly in the context of between clients and the KDC.
> The standard solution for this is FAST, which protects the initial=20
> authentication against this attack. (You do need some other credential=
=20
> to set up the FAST tunnel, but you can use anonymous Diffie-Hellman via=
=20
> anonymous PKINIT, or you can use a randomized key.)
Would you please expand (what I assume is) the FAST acronym? I expect=20
that there will be quite a few phonetic collisions searching for "FAST".
> The attack still requires subsequent work; you can't just snoop the=20
> connection between the client and the KDC and immediately get credentia=
ls.=20
> The work factor is basically linked to the complexity of the client key=
,=20
> so it's not much of a worry for a randomized key but is a worry for=20
> user passwords.
Good to know. Thank you for explaining.
> Yes.
:-)
> I don't have a good answer for this, unfortunately.
Fair enough.
--=20
Grant. . . .
unix || die
--------------ms090005080003020503060708
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
Cy4wggVAMIIEKKADAgECAhEA01fiRe1k2R6LEQCcImIMYTANBgkqhkiG9w0BAQsFADCBlzEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2Fs
Zm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNVBAMTNENPTU9ETyBSU0Eg
Q2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0EwHhcNMTgxMTE4MDAw
MDAwWhcNMTkxMTE4MjM1OTU5WjArMSkwJwYJKoZIhvcNAQkBFhpndGF5bG9yQHRuZXRjb25z
dWx0aW5nLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANgOhvncDgc4KAlD
+pyhFpw6wCfeERlSOAXowjdTjlOR2zcIgzL0TM9A+hkSv2wsVh6fn6VvHGxKrLemReiGd7fQ
15Y9J/pxKOmShkw9DDtFsa18ozydp95X2IuzY8Z2JukxouqrfpSH4fOrrHLkOgvlFG4xaQHW
0KB8xUP5DFWyyZM5QCdq278GSJ5pUd+B6qmzwHESNF6syyvgLppXkFatLTz8pWf6eEngDA0Y
3fQ3Q2gnbgpryRhVQMa1GjQJ7LDroUGQhX2zBWePW+sShiTwo8jADYKsbgSGtvZ/42A8zxyg
s9YZMHQoCeeuLNuX/MBp9rCTl5nlzP3jGWQTC5ECAwEAAaOCAfAwggHsMB8GA1UdIwQYMBaA
FIKvbIz4xf6WYXzoHz0rcUhexIvAMB0GA1UdDgQWBBQg2PeEKxHWd4FaHe0T+gqAOWkC1jAO
BgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAgBgNVHSUEGTAXBggrBgEFBQcDBAYLKwYB
BAGyMQEDBQIwEQYJYIZIAYb4QgEBBAQDAgUgMEYGA1UdIAQ/MD0wOwYMKwYBBAGyMQECAQEB
MCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5uZXQvQ1BTMFoGA1UdHwRT
MFEwT6BNoEuGSWh0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQUNsaWVudEF1dGhl
bnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcmwwgYsGCCsGAQUFBwEBBH8wfTBVBggrBgEF
BQcwAoZJaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNBQ2xpZW50QXV0aGVudGlj
YXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29t
b2RvY2EuY29tMCUGA1UdEQQeMByBGmd0YXlsb3JAdG5ldGNvbnN1bHRpbmcubmV0MA0GCSqG
SIb3DQEBCwUAA4IBAQCPxlHHG57PA5GUYlQuC8VHB7TcMQeEJKnB/S+bamyrck4vpIEaF9rG
EM+OnAQsJzSkSVHD2707jxh1ng0jrsH2+F9qNGTpCksXo0fMqm4tf28Ag092+CZ5sfdjVZ4E
ELG4xNhFZF9/aFaAY7RIeJ89Vvn6s6BnKsaAPjVB/sO+5gIm0BIeoVauq71ue6jS7o2Jn94o
BuAhjuh34gk/Wxzcku96MLmEwCY63GWWKVRYbqrDhqROmnQPdyrDYrU8uD0vb4SAdpSKfRqO
DrerlQgX3euyYqcnVJSA8Ec+NdiJrGKXW76C7DrTi7IxDgjIHL+DPyFgtj+p6wYOEkYJwKtp
MIIF5jCCA86gAwIBAgIQapvhODv/K2ufAdXZuKdSVjANBgkqhkiG9w0BAQwFADCBhTELMAkG
A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9y
ZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTMwMTEwMDAwMDAwWhcNMjgwMTA5MjM1OTU5WjCB
lzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMH
U2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNVBAMTNENPTU9ETyBS
U0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+s55XrCh2dUAWxzgDmNPGGHYhUPMleQtMtaDRfTpY
PpynMS6n9jR22YRq2tA9NEjk6vW7rN/5sYFLIP1of3l0NKZ6fLWfF2VgJ5cijKYy/qlAckY1
wgOkUMgzKlWlVJGyK+UlNEQ1/5ErCsHq9x9aU/x1KwTdF/LCrT03Rl/FwFrf1XTCwa2QZYL5
5AqLPikFlgqOtzk06kb2qvGlnHJvijjI03BOrNpo+kZGpcHsgyO1/u1OZTaOo8wvEU17VVeP
1cHWse9tGKTDyUGg2hJZjrqck39UIm/nKbpDSZ0JsMoIw/JtOOg0JC56VzQgBo7ictReTQE5
LFLG3yQK+xS1AgMBAAGjggE8MIIBODAfBgNVHSMEGDAWgBS7r34CPfqm8TyEjq3uOJjs2TIy
1DAdBgNVHQ4EFgQUgq9sjPjF/pZhfOgfPStxSF7Ei8AwDgYDVR0PAQH/BAQDAgGGMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwEQYDVR0gBAowCDAGBgRVHSAAMEwGA1UdHwRFMEMwQaA/oD2GO2h0
dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQUNlcnRpZmljYXRpb25BdXRob3JpdHku
Y3JsMHEGCCsGAQUFBwEBBGUwYzA7BggrBgEFBQcwAoYvaHR0cDovL2NydC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBQWRkVHJ1c3RDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNv
bW9kb2NhLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAeFyygSg0TzzuX1bOn5dW7I+iaxf28/ZJ
CAbU2C81zd9A/tNx4+jsQgwRGiHjZrAYayZrrm78hOx7aEpkfNPQIHGG6Fvq3EzWf/Lvx7/h
k6zSPwIal9v5IkDcZoFD7f3iT7PdkHJY9B51csvU50rxpEg1OyOT8fk2zvvPBuM4qQNqbGWl
nhMpIMwpWZT89RY0wpJO+2V6eXEGGHsROs3njeP9DqqqAJaBa4wBeKOdGCWn1/Jp2oY6dyNm
NppI4ZNMUH4Tam85S1j6E95u4+1Nuru84OrMIzqvISE2HN/56ebTOWlcrurffade2022O/tU
U1gb4jfWCcyvB8czm12FgX/y/lRjmDbEA08QJNB2729Y+io1IYO3ztveBdvUCIYZojTq/OCR
6MvnzS6X72HP0PRLRTiOSEmIDsS5N5w/8IW1Hva5hEFy6fDAfd9yI+O+IMMAj1KcL/Zo9jzJ
16HO5m60ttl1Enk8MQkz/W3JlHaeI5iKFn4UJu1/cP2YHXYPiWf2JyBzsLBrGk1II+3yL8ao
rYew6CQvdVifC3HtwlSam9V1niiCfOBe2C12TdKGu05LWIA3ZkFcWJGaNXOZ6Ggyh/TqvXG5
v7zmEVDNXFnHn9tFpMpOUvxhcsjycBtH0dZ0WrNw6gH+HF8TIhCnH3+zzWuDN0Rk6h9KVkfK
ehIxggQ4MIIENAIBATCBrTCBlzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFu
Y2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQx
PTA7BgNVBAMTNENPTU9ETyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUg
RW1haWwgQ0ECEQDTV+JF7WTZHosRAJwiYgxhMA0GCWCGSAFlAwQCAQUAoIICWzAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xOTAxMDcxODA2NDZaMC8GCSqG
SIb3DQEJBDEiBCBRXABxTi5sKOcHT0vt0Tciq+uA02ePwC9r+PCPp/3GGjBsBgkqhkiG9w0B
CQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcN
AwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIG+BgkrBgEE
AYI3EAQxgbAwga0wgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0
ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMT0wOwYD
VQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWls
IENBAhEA01fiRe1k2R6LEQCcImIMYTCBwAYLKoZIhvcNAQkQAgsxgbCgga0wgZcxCzAJBgNV
BAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQx
GjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVu
dCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhEA01fiRe1k2R6LEQCcImIM
YTANBgkqhkiG9w0BAQEFAASCAQB4BH0twqFlz9L58IoTtsP9fMdVQQkpv9SLHRt275btHglH
MmbYn8rxeVnn2pvxTAq9dGCLvOiDMuEKerxj1t7Bx4mDDLPho4XyGCzhix7TaZhs1rSmA3Rk
P6p2RIu+NBABHyjD5tK+huYjgMhHCV8durZ3WB2qVOyl9MlyoZXrbc8W505p4i3+bCqpBzDk
pQTi6Y7ffKzKcWpSVplK9CYCCYsKKEvra8n5Qq/mB6H4s2FBeqi2bK/WGt6KKT74nH4HQF/a
5Y37HYSob+kJnMrGX9X+298U5Xw1wIbYeIh5JKC0cd0W23mEdVXseRnb8MwaxIBwEj5dGtEJ
JQZxo2jKAAAAAAAA
--------------ms090005080003020503060708--
--===============7883652600043451621==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============7883652600043451621==--
