On Thu, Jan 31, 2002 at 11:23:34AM -0500, Nicolas Williams wrote:

[snip -- most of your response snipped, because it is clear that we
simply disagree. in fact, my response here is largely tangential.]

> On Thu, Jan 31, 2002 at 09:42:51AM -0600, Jacques A. Vidrine wrote:
> > On Thu, Jan 31, 2002 at 09:56:47AM -0500, Nicolas Williams wrote:
> > = Even with preauthentication, you can still accumulate ciphertext
> > _without_ eavesdropping unless the administrator has taken special
> > precautions: precautions which (like preauthentication) are not the
> > default policy in new installations of MIT, Heimdal, or Windows 2000
> > KDCs.

By the way, someone dropped me a line to inform me that
preauthentication is on by default with Windows 2000.

> The original poster wanted to
> know whether Kerberos is more secure than NIS.

I admit that I was not responding to the original poster, but rather
to your comments about dictionary attacks not being practical versus
Kerberos 5.

> > The word `preauthentication' implies that the AS-REQ message
> > authenticates the user to the KDC. Neither SRP nor PDM provide
> > authentication to the KDC in a two-message exchange.
>
> Ah, yes. True. Multi-round-trip pre-auth is acceptable to me and nothing
> in RFC1510 prevents multi-round-trip pre-auth designs.

You miss the point again :-) With SRP or PDM, I do not believe that
preauthentication is necessary. The primary motivation [1] for
preauthentication was to prevent the type of attack in which the
attacker requests TGTs en masse. Using SRP or PDM as a
preauthentication method prevents this same attack from succeeding even
with just a two-message exchange, because the messages of such
protocols are not susceptible to a dictionary attack. i.e. the attacker
can still request and intercept messages all day long, but the messages
don't contain any known plaintext encrypted with a key derived from the
password and are therefore useless.

Cheers,
--
Jacques A. Vidrine <[EMAIL PROTECTED]> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]

[1] There are other useful features of preauthentication that would be
lost with a two-message SRP/PDM preauthentication method. The KDC
cannot then distinguish between successful and failed attempts, so
implementing `last login' or `X failed login attempts' fields at the
KDC is no longer possible.
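The KDC-side behaviour this message relies on, as an added sketch that is not part of the thread and not taken from any KDC implementation: the KDC withholds any reply derived from the user's key until the request proves knowledge of that key, and it can count failed proofs. Assumptions: an HMAC-tagged timestamp stands in for Kerberos' encrypted-timestamp preauthentication, PBKDF2 stands in for string-to-key, and `ToyKDC`, the thresholds, the return strings and the sample principal are all constructed for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 300      # seconds of clock skew tolerated (assumed value)
MAX_FAILURES = 3    # failed attempts before lockout (assumed value)

def derive_key(password, principal):
    # Stand-in for Kerberos string-to-key: PBKDF2 salted with the principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def make_preauth(key, now):
    # Client side: prove knowledge of the key by tagging the current time.
    ts = str(int(now)).encode()
    return ts, hmac.new(key, ts, hashlib.sha256).digest()

class ToyKDC:
    def __init__(self, users):
        self.keys = {p: derive_key(pw, p) for p, pw in users.items()}
        self.failed = {p: 0 for p in users}   # the `X failed login attempts' field

    def as_req(self, principal, preauth, now):
        key = self.keys.get(principal)
        if key is None:
            return "UNKNOWN_PRINCIPAL"
        if self.failed[principal] >= MAX_FAILURES:
            return "LOCKED"
        if preauth is None:
            # Nothing derived from the user's key leaves the KDC here.
            return "PREAUTH_REQUIRED"
        ts, tag = preauth
        expected = hmac.new(key, ts, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self.failed[principal] += 1       # KDC can tell this attempt failed
            return "PREAUTH_FAILED"
        if abs(now - int(ts)) > MAX_SKEW:
            return "CLOCK_SKEW"               # valid tag, stale timestamp (replay)
        self.failed[principal] = 0
        return "AS_REP"                       # only now is key-derived material sent

def demo():
    # Constructed principal and passwords, for illustration only.
    user, now = "alice@EXAMPLE.ORG", 1_000_000
    kdc = ToyKDC({user: "correct horse"})
    good = derive_key("correct horse", user)
    bad = derive_key("wrong guess", user)
    results = [kdc.as_req(user, None, now)]
    results += [kdc.as_req(user, make_preauth(bad, now), now) for _ in range(3)]
    results.append(kdc.as_req(user, make_preauth(good, now), now))
    return results
```

The failure counter exists only because the first message already authenticates the client; that is the bookkeeping footnote [1] says a two-message SRP/PDM method would give up.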
