On Thu, Jan 31, 2002 at 08:41:40AM -0500, Nicolas Williams wrote:
> NIS is public. Kerberos is not. With NIS you just query the NIS servers
> and you've got the hashes to work with. With Kerberos you must sniff the
> wire to gather ciphertext for cryptanalysis.

Only if the KDC is correctly configured, which it probably is not. MIT, Heimdal, and Windows 2000 implementations default with no preauthentication turned on.[1] Also, even if preauthentication is on, one can still abuse the TGS exchange to get the material needed for a dictionary attack, unless the KDC administrator has been careful.

> In the real world today most LANs are switched and corporate WANs tend
> to be encrypted. This makes it rather difficult to snoop on the wires.
> (In the Internet, as opposed to the intranet, WANs are not often
> encrypted though.)

So what? ARP poisoning can be used to steal the traffic even on switched networks. The most serious attacks come from the inside, where VPNs and other measures do nothing to reduce the risk.

> So in the real world an attacker has to be more active to perform
> dictionary attacks on Kerberos than on NIS.

Yes, a little more.

[snip]

> > It also doesn't seem to matter if I use DES or 3DES, as dictionary
> > attacks are far easier than DES.
>
> It does matter which enctype you use as slower enctypes slow down the
> attacker.

Correct. My rough measurements indicate that string-to-key and decrypt using DES3 is around 7 times slower than DES. RC4 (which Windows 2000 uses) seems to be roughly 1.5 times slower than DES.

> > Has somebody implemented SRP as suggested in the paper?
>
> I don't know, but it certainly has been discussed. But it would be good
> if someone did as SRP cannot be attacked passively AFAIU, short of a
> cryptanalytic breakthrough. But SRP does not stop dictionary attacks
> altogether as an attacker can still mount an active dictionary attack.

We need SRP or PDM as a `preauthentication'[2] method. It has been mentioned that John Brezak and Ken Raeburn are working on an I-D for one or both of these. Let's hope they produce one soon!

Active (online) dictionary attacks are easy to detect and are not a real risk, IMHO.

Cheers,
-- 
Jacques A. Vidrine <[EMAIL PROTECTED]>   http://www.nectar.cc/
NTT/Verio SME  .  FreeBSD UNIX  .  Heimdal Kerberos
[EMAIL PROTECTED]  .  [EMAIL PROTECTED]  .  [EMAIL PROTECTED]

[1] How do you tune W2K to require preauthentication?
[2] Neither actually provide preauthentication.
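
The closing remark above, that active (online) dictionary attacks are easy to detect, can be illustrated with a sliding-window count of preauthentication failures per principal. This is an added example, not part of the original message or of any Kerberos implementation; the log format, the `detect_guessing` name, the threshold and the window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; assumed format: <ISO time> AS_REQ <source> <status> <principal>
SAMPLE_LOG = """\
2002-01-31T08:00:00 AS_REQ 10.0.0.7 PREAUTH_FAILED bob@EXAMPLE.COM
2002-01-31T08:10:00 AS_REQ 10.0.0.7 PREAUTH_FAILED bob@EXAMPLE.COM
2002-01-31T08:10:05 AS_REQ 10.0.0.7 ISSUE bob@EXAMPLE.COM
2002-01-31T08:41:40 AS_REQ 10.0.0.5 PREAUTH_FAILED alice@EXAMPLE.COM
2002-01-31T08:41:45 AS_REQ 10.0.0.5 PREAUTH_FAILED alice@EXAMPLE.COM
2002-01-31T08:41:50 AS_REQ 10.0.0.5 PREAUTH_FAILED alice@EXAMPLE.COM
2002-01-31T08:41:55 AS_REQ 10.0.0.9 PREAUTH_FAILED alice@EXAMPLE.COM
2002-01-31T08:42:00 AS_REQ 10.0.0.9 PREAUTH_FAILED alice@EXAMPLE.COM
2002-01-31T08:42:05 AS_REQ 10.0.0.9 PREAUTH_FAILED alice@EXAMPLE.COM
2002-01-31T09:00:00 AS_REQ 10.0.0.8 PREAUTH_FAILED carol@EXAMPLE.COM
2002-01-31T09:00:10 AS_REQ 10.0.0.8 PREAUTH_FAILED carol@EXAMPLE.COM
2002-01-31T09:00:20 AS_REQ 10.0.0.8 PREAUTH_FAILED carol@EXAMPLE.COM
2002-01-31T09:00:30 AS_REQ 10.0.0.8 PREAUTH_FAILED carol@EXAMPLE.COM
2002-01-31T09:05:30 AS_REQ 10.0.0.8 PREAUTH_FAILED carol@EXAMPLE.COM
"""


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {principal: sorted source addresses} for each principal that
    accumulates `threshold` or more failures inside one `window`."""
    recent = defaultdict(deque)   # principal -> (time, source) of recent failures
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1] != "AS_REQ":
            continue              # skip lines that do not match the assumed format
        stamp, _, source, status, principal = fields
        if status != "PREAUTH_FAILED":
            continue
        now = datetime.fromisoformat(stamp)
        failures = recent[principal]
        failures.append((now, source))
        # Drop failures that have aged out of the window.
        while now - failures[0][0] > window:
            failures.popleft()
        # Counting per principal, not per source, also catches guessing
        # that is spread across several client addresses.
        if len(failures) >= threshold:
            flagged[principal].update(src for _, src in failures)
    return {p: sorted(s) for p, s in flagged.items()}


if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```

A counter like this only sees guesses the KDC is asked to check; collecting material for offline cracking from a KDC that does not require preauthentication produces no failures to count.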
