Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!sdd.hp.com!spool.mu.edu!agate!stanford.edu!B.GP.CS.CMU.EDU!mdl
From: mdl@B.GP.CS.CMU.EDU (Mark Lillibridge)
Newsgroups: comp.protocols.kerberos
Subject: Verifying passwords without getting new tickets
Message-ID: <9105201808.AA10941@ATHENA.MIT.EDU>
Date: 20 May 91 17:07:21 GMT
Article-I.D.: ATHENA.9105201808.AA10941
References: <9105180827.AA13470@steve-dallas.MIT.EDU>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Lines: 20


>   It is true that the password is never sent over the wire.  However,
>   this does not prevent dictionary attacks.  I can request from your
>   kerberos server a TGT for you, and then attack it in the privacy of my
>   own host in whatever way I want.  Once I can decrypt your TGT, I
>   effectively have your password, except I can't use kinit, since
>   stringtokey is irreversible.  And in this whole process, only one TGT
>   request will be logged.  There have been discussions on this list
>   about how to prevent this type of attack, but I don't know what was
>   adopted for krb5, if anything.
>
>		   Marc

	It is impossible to protect against this kind of attack without
radically altering kerberos.  (i.e., adding random #'s at both ends or
using public-key methods) Note that it is not even necessary ask for a
TGT for X to do a dictionary attack against X.  All you need to do is
eavesdrop on X logging in once.

							- Mark Lillibridge