On Tue, Jan 08, 2002 at 09:05:21AM +0800, Kent Tong wrote: > Nico, > > Thanks for the reply.
[...] > Suppose that the lifetime of TGT1 is 2 hours and it is renewed before > it is expired and thus becomes TGT2. If it takes a hacker 3 hours to find > out the session key in TGT1 and he captures all the packets on the network, > then the hacker can decrypt the TGS exchange for the renewal and find out > the session key in TGT2? Then he can impersonate as Paul for the remaining > lifetime (1 hour) of TGT2 and get the next new session key when it is > renewed again? Well, yes. Similar problems arise in, for example, Kerberos password/key changing. This is a general problem in cryptography :) The best you can do is use algorythms that provide perfect forward security (PFS), throw away expired key material as soon as possible, re-key often and lookout for intruders. Neither the KDC exchanges nor the AP exchange provide PFS. For that the protocol would have to add, say, a Diffie-Hellman key exchange, which is not far fetched for the KDC exchanges (it's been discussed before), where DH can be retrofitted as a new pre-authentication type, but it can't be added to the AP exchange easily since all Kerberos apps today expect a single round-trip AP exchange. Adding PFS to the KDC exchanges would certainly improve the situation, and so would mixed key pre-auth types, but, in the end, if a hacker breaks root on some box, she's got access to all of that box, plus anything that users on that box do, plus the ability to snoop and work around PFS by finding the relevant key material before it's thrown away. Hey, security is difficult :) Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.
