On Thu, Jan 31, 2002 at 09:34:54AM -0500, Nicolas Williams wrote:
> But with Kerberos you can detect an active attack where an attacker is
> doing many AS-REQs to collect tickets on which to run dictionary
> attacks, and that can't be done anyways if you require pre-auth.

He is just doing that because it's possible and, more important,
feasible. I think you are placing too much trust in the network.
Yes, we can detect such an attack with proper tools (kerberos itself
could detect this and warn us, just watch for principals that
request the tgt only and nothing else, no? Just a quick thought.). 

But it's like using a weak lock on our front door and keeping an 
eye on it instead of using a stronger lock and having a good night 
of sleep.

> Yes, but you're forcing the attacker to be more active and so you can
> try to detect her.

"But I switched to kerberos so that, among other things, I wouldn't have
to worry about sniffers" :)

> And it's possible because Kerberos was designed with extensible pre-auth
> in mind. So there's nothing wrong with Kerberos, see? You can take issue
> with sites that do not require pre-auth and you can take issue with the
> good old pa-enc-timestamp, but Kerberos itself is just fine. And you
> have an upgrade path for new pre-auth types, whereas with NIS the only
> upgrade is to switch technologies altogether (yes, you can switch to

I now think you really missed my smiley next to the text where I first
compared NIS and Kerberos. I was just pointing out that even kerberos,
this new (relatively) thing people are using, with single sign on and
many other nice features (such as extensibility) has this little thing
in common with NIS, which so many people hate (me included) and wrongly
thought was solved, since making sniffers useless was one of the goals
of the original paper.

> IIRC, Microsoft supports smartcard pre-auth.

I don't have the hardware.

> MIT krb5 has some generic otp/challenge-response code (SAM) and I believe
> there are patches (to MIT krb5 1.1.1) floating around to enable SecurID
> pre-auth.

Cool

> 
> Heimdal krb5 has OTP support.
> 
> If you're so concerned, write patches to MIT and/or Heimdal to add
> support for SRP pre-auth.

I don't have the skills for that, I hope this doesn't forbid me from
asking questions about these things.

> Also, you can implement password quality checks at the KDC and you can
> force password aging as mitigation for snoop+dictionary attacks on weak
> passwords.

This is the best workaround we can have for now I guess.


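The two KDC-side signals the thread talks about, the "principals that request the TGT only and nothing else" heuristic from the reply above and the "many AS-REQs to collect tickets" pattern from the quoted message, are easy to try against KDC logs. The script below is an added example written for this page, not code from either correspondent nor from MIT krb5 or Heimdal. The log lines are constructed; their layout loosely imitates an MIT kdc.log, but the exact field names, addresses and principals are assumptions, and the regular expression would need adjusting for a real log.

```python
"""Toy detectors for two KDC-side signals discussed in the thread:
 1. principals that obtain a TGT (AS_REQ) but never use it (no TGS_REQ), and
 2. source addresses that collect AS replies for many distinct principals,
    which is what an attacker must do to run offline dictionary attacks
    when pre-authentication is not required.
The log below is constructed for this example; it imitates an MIT kdc.log
only loosely, so the field layout is an assumption, not the real format."""
import re
from collections import defaultdict

# Constructed sample KDC log (not real output from any KDC).
SAMPLE_LOG = """\
Jan 31 09:30:01 kdc krb5kdc[2001](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1012487401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 31 09:30:05 kdc krb5kdc[2001](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1012487401, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/fs1.example.com@EXAMPLE.COM
Jan 31 09:31:10 kdc krb5kdc[2001](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1012487470, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 31 09:31:12 kdc krb5kdc[2001](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1012487470, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.COM for host/mail.example.com@EXAMPLE.COM
Jan 31 09:40:00 kdc krb5kdc[2001](info): AS_REQ (1 etypes {23}) 198.51.100.7: ISSUE: authtime 1012488000, etypes {rep=23 tkt=18 ses=23}, carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 31 09:40:00 kdc krb5kdc[2001](info): AS_REQ (1 etypes {23}) 198.51.100.7: ISSUE: authtime 1012488000, etypes {rep=23 tkt=18 ses=23}, dave@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 31 09:40:01 kdc krb5kdc[2001](info): AS_REQ (1 etypes {23}) 198.51.100.7: ISSUE: authtime 1012488001, etypes {rep=23 tkt=18 ses=23}, erin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 31 09:40:01 kdc krb5kdc[2001](info): AS_REQ (1 etypes {23}) 198.51.100.7: ISSUE: authtime 1012488001, etypes {rep=23 tkt=18 ses=23}, frank@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 31 09:40:02 kdc krb5kdc[2001](info): AS_REQ (1 etypes {23}) 198.51.100.7: NEEDED_PREAUTH: grace@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

# request kind, client address, status word, then "client for server"
# (the "authtime ..., etypes {...}, " part only appears on ISSUE lines).
LINE_RE = re.compile(
    r"(AS_REQ|TGS_REQ) \([^)]*\) (\S+): (\w+): (?:.*?, )?(\S+) for (\S+)"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, src, status, client, server = m.groups()
        events.append({"kind": kind, "src": src, "status": status,
                       "client": client, "server": server.rstrip(",")})
    return events


def tgt_only_principals(events):
    """Signal 1: principals issued a TGT that never show up in a TGS_REQ.
    A TGT that is never exchanged for a service ticket was likely fetched
    only so its encrypted part can be attacked offline."""
    got_tgt, used_tgt = set(), set()
    for e in events:
        if e["status"] != "ISSUE":
            continue
        if e["kind"] == "AS_REQ" and e["server"].startswith("krbtgt/"):
            got_tgt.add(e["client"])
        elif e["kind"] == "TGS_REQ":
            used_tgt.add(e["client"])
    return sorted(got_tgt - used_tgt)


def as_req_harvesters(events, min_principals=3):
    """Signal 2: one source address receiving issued AS replies for at
    least min_principals distinct principals. Replies refused with
    NEEDED_PREAUTH give the attacker nothing to crack, so they are
    not counted."""
    per_src = defaultdict(set)
    for e in events:
        if e["kind"] == "AS_REQ" and e["status"] == "ISSUE":
            per_src[e["src"]].add(e["client"])
    return {src: sorted(p) for src, p in per_src.items()
            if len(p) >= min_principals}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("TGT-only principals:", tgt_only_principals(evs))
    print("AS-REQ harvesters:", as_req_harvesters(evs))
```

Both heuristics are noisy on their own: a user who runs kinit and then goes home is a "TGT-only principal", and a busy NAT gateway is a "harvester", so in practice you would window the counts by time and whitelist known gateways. The caveat from the quoted message still holds: once pre-auth is required, the refused requests (the NEEDED_PREAUTH line above) never hand out anything to attack, which is why the second function ignores them.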