On Thu, 2003-02-20 at 00:15, John Rudd wrote:
> On Wednesday, Feb 19, 2003, at 23:19 US/Pacific, Gordon Messmer wrote:
>
>>> 1) the keys are encrypted in the KDC, not plain text
>>
>> You're mistaken. The KDC stores plain text passwords. The password is
>> what it uses as the encryption key on tickets. How else do you think
>> they are encrypted by the KDC and then decrypted only by the user
>> requesting the TGT?
>>
>> http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#weakness
>
> Because the KDC knows the master key, and the master key is what is
> used to _encrypt_the_database_.

Not a perfect scheme. The key can be got from a file or from the process's
memory if you break into the system. It's mostly secure.

> From what I recall, what the KDC stores isn't even "your encrypted
> password". It stores a ticket that is encrypted with your password.

That is not correct. The ticket is generated, and then encrypted with your
password from the database. The ticket cannot be stored pre-generated and
pre-encrypted, because it contains information like the address from which
the ticket is valid and the lifespan of the ticket. (Technically, the ticket
is encrypted with a hashed form of your password, but since it's derived from
the password and always the same, it's equivalent):

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#pwconvert

> 1) KDC doesn't store authentication data unencrypted

See above. The "plain text" password is stored. I'm not going to argue about
how hard it is to get the password. The principle is still true: you must
either store the password or send the password across the network for
password-based authentication.

>>> 2) the mechanism is 'shared secret' based
>>
>> Which means that the server and the user both know the password. They
>> share that secret.
>
> No. That is not the secret that they share. The shared secret is the
> ticket granting ticket.

Also, see above. The shared secret is the password's equivalent.

_______________________________________________
courier-users mailing list
https://lists.sourceforge.net/lists/listinfo/courier-users
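A constructed Python model of the exchange the thread is arguing over, added here as an illustration; it is not code from the thread, from Courier, or from any Kerberos implementation. It shows the three things the two posters disagree on: the database holds each principal's long-term key wrapped under the KDC master key; that long-term key is derived deterministically from the password (so whoever unwraps the database holds the password's equivalent); and the TGT is built at request time with the address and lifetime, then the reply's private part is sealed under the password-derived key so only the password holder can open it. Everything cryptographic is a stand-in chosen for a stdlib-only example: PBKDF2 replaces the real string-to-key function, a SHA-256 keystream with an HMAC tag replaces a real enctype, and the realm, principal, address and password are made-up values.

```python
"""Toy model of the Kerberos AS exchange discussed in the thread (constructed
example, not Courier or MIT Kerberos code).  The cipher is a stand-in for a
real Kerberos enctype; it is only here to show who can decrypt what."""
import hashlib
import hmac
import json
import os
import time


def string2key(password: str, salt: str) -> bytes:
    """Deterministic password -> long-term key, as Kerberos string-to-key does.
    PBKDF2 is an assumption of this example; real enctypes define their own."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag is what lets a receiver notice a wrong key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Database holds each principal's long-term key wrapped under the master key."""

    def __init__(self, realm: str, master_key: bytes):
        self.realm = realm
        self.master_key = master_key
        self.tgs_key = os.urandom(32)      # krbtgt key: TGTs are sealed under it
        self.db: dict[str, bytes] = {}

    def add_principal(self, name: str, password: str) -> None:
        long_term = string2key(password, self.realm + name)
        self.db[name] = seal(self.master_key, long_term)

    def as_exchange(self, name: str, client_addr: str, lifetime_s: int = 600) -> tuple[bytes, bytes]:
        """AS-REQ -> AS-REP.  The TGT carries the address and expiry, so it is
        built now; it cannot be a pre-encrypted blob sitting in the database."""
        long_term = unseal(self.master_key, self.db[name])   # unwrap with master key
        session = os.urandom(32)
        expires = int(time.time()) + lifetime_s
        tgt = seal(self.tgs_key, json.dumps(
            {"client": name, "addr": client_addr, "session": session.hex(), "expires": expires}).encode())
        enc_part = seal(long_term, json.dumps({"session": session.hex(), "expires": expires}).encode())
        return tgt, enc_part


def client_read_as_rep(password: str, realm: str, name: str, enc_part: bytes) -> dict:
    """Only the holder of the password, hence of string2key(password), can open it."""
    return json.loads(unseal(string2key(password, realm + name), enc_part))


def demo() -> dict:
    realm, name, password = "EXAMPLE.ORG", "alice", "correct horse"   # constructed values
    kdc = KDC(realm, os.urandom(32))
    kdc.add_principal(name, password)
    tgt, enc_part = kdc.as_exchange(name, "192.0.2.10")
    got = client_read_as_rep(password, realm, name, enc_part)
    inside_tgt = json.loads(unseal(kdc.tgs_key, tgt))
    try:
        client_read_as_rep("wrong password", realm, name, enc_part)
        wrong_pw_ok = True
    except ValueError:
        wrong_pw_ok = False
    # What the database really stores: unwrapping with the master key yields the
    # password-equivalent key, which is the exposure the thread is arguing about.
    stored_equals_s2k = unseal(kdc.master_key, kdc.db[name]) == string2key(password, realm + name)
    return {"session_matches_tgt": got["session"] == inside_tgt["session"],
            "wrong_password_rejected": not wrong_pw_ok,
            "db_holds_password_equivalent": stored_equals_s2k}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns all three checks true: the session key the client recovers with the password matches the one sealed inside the TGT, a wrong password fails to open the reply, and unwrapping the database entry with the master key gives back exactly `string2key(password)`. That last line is the defender's takeaway from the thread: protecting the master key (on disk and in the KDC process) is what stands between a database copy and every principal's password equivalent.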
