[6209] in Kerberos
Re: K4 Protections against password attacks?
daemon@ATHENA.MIT.EDU (Mike Friedman)
Sat Nov 11 10:31:28 1995
To: kerberos@MIT.EDU
Date: 10 Nov 1995 23:38:47 GMT
From: mikef@ack.berkeley.edu (Mike Friedman)
Jonathan Kamens (jik@jik.datasrv.co.il) wrote:
: That won't do you any good, because an attacker doesn't *need* to make
: "large numbers of TGT requests at very short intervals for the same
: principal" in order to attack that principal's password.
: All the attacker has to do is slightly modify kinit and the krb4 libraries
: to come up with a modified kinit client which tries to decrypt the same TGT
: over and over again with different passwords, until one of them works. In
: fact, one of my coworkers has a program which does this, and I'm sure that
: other people have done it as well. Preventing this type of attack is one
: of the primary purposes of the pre-authentication functionality in
: Kerberos 5.
I was aware of this, but since we've recently seen the more 'primitive' kind
of attack (which practically anyone with kinit can do), I was hoping for some
short-term relief.
: Switch to V5. You'll be glad you did :-).
I'm planning to, although the one production application we have here is K4-
based, so the clients still won't be able to use the new features.
Thanks.
------------------------------------------------------------------------
Mike Friedman mikef@ack.Berkeley.EDU
Data Communication & Network Services +1-510-642-1410
University of California at Berkeley http://www.Berkeley.EDU/~mikef
------------------------------------------------------------------------
