Path: utzoo!attcan!uunet!aplcen!uakari.primate.wisc.edu!ames!ig!bionet!agate!shelby!IFS.UMICH.EDU!billdo
From: billdo@IFS.UMICH.EDU (Bill Doster)
Newsgroups: comp.protocols.kerberos
Subject: Re: Why is initial user authentication done the way it is?
Message-ID: <9006141814.AA05284@ATHENA.MIT.EDU>
Date: 14 Jun 90 18:12:20 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 29

> 	The short answer: Because this scenario is also vulnerable to a
> dictionary attack.  Suppose I wanted to break your password under the
> new scheme.  I just wait until you log in, recording your data request
> in part 1.  I now pretend to be Kerberos, and try and decrypt your
> initial request with each possible key until I succeed.  Once I have a
> key that successfully decodes your request, I have found your key.

While it's true that this scenario is also vulnerable to a dictionary
attack, it reduces the possibilty of attack from

	Anyone anywhere that speaks IP can at anytime attack any
	account at any installation that uses Kerberos.

to

	Anyone able to listen on the involved subnets must first
	wait for the targeted individual to sign-on and then
	record the that user's request.

While in absolute terms these may be equivalent, in terms of potential
likelihood, I think the number of probable attacks has been greatly
reduced.  There may be even better solutions to these type of problems
and I'm not particularly attached to any one solution so long as it
gets implemented.  My question then is what is the current solution
that Kerberos 5 *is* going to use?

Bill Doster
Univ. of Mich. -- Research Systems
billdo@ifs.umich.edu