[16392] in Kerberos_V5_Development
Re: random to key from password
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Sep 27 16:59:04 2010
Date: Mon, 27 Sep 2010 15:56:59 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Sam Hartman <hartmans@mit.edu>
Message-ID: <20100927205658.GQ9501@oracle.com>
In-Reply-To: <tslaan2vryx.fsf@live.suchdamage.org>
Cc: lha@h5l.org, Russ Allbery <rra@stanford.edu>, krbdev@mit.edu

On Mon, Sep 27, 2010 at 04:42:14PM -0400, Sam Hartman wrote:
> The KDC prefers AES to DES.
> So, you'll never be able to use the DES key for much, but it exists and
> you can somehow get some text to attack it.

How would you get that ciphertext? I think the best you could do is
construct garbage ticket en-parts and fling them at a service oracle,
see what you get back in the KRB-ERROR (and if there are useful leaks
there then we have a problem). (Now would be a good time to make sure
that there are no CBC (or CTS, for less than 1 block of text) padding
leaks here...)

> However if you want to decrypt tickets, you're going to need the AES
> key.

Who wants to decrypt tickets? I suspect the attacker will want to
_mint_ tickets. Yes, yes, it's all the same given a symmetric cipher :)

Nico