-----BEGIN PGP SIGNED MESSAGE-----

In article <[EMAIL PROTECTED]>, Danny Kruitbosch <[EMAIL PROTECTED]> wrote:
>Hi,
>
>I've got 2 questions:
>
>1. If a passive attacker has successfully obtained a user's password,
>how would the attacker be able to read the encrypted messages between the
>client and server (KRB-PRIV messages)? How would he decrypt them? What
>steps should he follow? Can such a thing be prevented?
>
>2. How would an active attacker who has successfully obtained a user's
>password insert messages of its liking into the communication between
>client and server (KRB-SAFE messages)?
>
>
>Any input on this would be great!
>
>
Neither of these things is possible with just the user's password. The data in
these messages is encrypted with a session key that's included in the service
ticket obtained to access the service. Of course, if you have the user's
password and they are on a machine that supports multiple logins, you can log
in and grab their credential cache.

- Booker C. Bense

-- 
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
