[4772] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Bellovin and Merritt ('91) question

daemon@ATHENA.MIT.EDU (warlord@MIT.EDU)
Thu Mar 9 13:29:21 1995

From: warlord@MIT.EDU
Date: Thu, 9 Mar 1995 13:07:09 -0500
To: mctajdi@dct.ac.uk
Cc: kerberos@MIT.EDU
In-Reply-To: "[4769] in Kerberos"

> Am I missing some point, or is this just aimed at less competent
> attackers who send a request to the KDC pretending to be the other
> user, and thus get sent the tickets encrypted in the other user's
> login key ?

The attack that is protected against is not network sniffing, but
someone asking for your principal from the kdc.  For example, I can go
to the KDC and request the key for rcmd.kerberos@ATHENA.MIT.EDU to get
the kerberos server's service key.  I can then take that response
offline and attempt to crack the DES key, which I can then use to
break into the machine.

I can be anywhere in the world and use this attack.  If it requires
pre-authentication, then I have to actually be on the network and
sniff the pre-authentication packet in order for this attack to work.
The latter is much more difficult to do.

The paper addresses only the former attack, which is much easier to
accomplish.

Does this help?

-derek

home help back first fref pref prev next nref lref last post