On Nov 2, 2006, at 17:48, Henry B. Hotz wrote:
> OTOH, it sounds like a fun idea to me. Do the cryptosystem RFC's
> specify the default salt?

Actually, the default salt, derived from the realm and principal name, is specified in the main Kerberos protocol document, and is invariant across cryptosystems; the cryptosystem RFCs don't know anything about principal names or realm names. What gets done with the salt string is defined per cryptosystem, though.

Using a fixed per-principal salt string allows an attacker to convert a standard password-cracking dictionary into a set of keys for a given principal, and try that set of keys repeatedly despite the user changing her password.

If the salt string (which is supposed to be UTF-8 if I recall correctly) is randomized and long enough, then any key of N bits should be possible[*] even if the password is in the dictionary, and the attacker can only precompute his key list for a given salt string.

So it's probably worth considering despite the bugs of one implementation.

Ken

[*] Assuming the cryptosystem actually uses the salt string, and incorporates it properly, of course. The RC4 cryptosystem, for example, does not use it, and thus the key is derived from the password alone, and a dictionary can be converted to keys that can be tried for any user in any realm.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
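
Added example, not part of the original message: a sketch of why a key list precomputed for a principal's default salt stays valid across password changes, and stops matching once the salt is randomized. It computes only the PBKDF2-HMAC-SHA1 stage of the AES string-to-key (the final key-derivation step is omitted); the realm, principal names and word list are constructed for illustration.

```python
import hashlib
import os

ITERATIONS = 4096  # default iteration count for the AES cryptosystems

# Constructed sample word list, standing in for a cracking dictionary.
DICTIONARY = ["letmein", "hunter2", "password1", "qwerty"]


def default_salt(realm, principal):
    """Default salt: realm followed by the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")


def random_salt():
    """Randomized salt kept as an ASCII (hence valid UTF-8) string."""
    return os.urandom(16).hex().encode("utf-8")


def pbkdf2_stage(password, salt, keylen=32):
    """PBKDF2-HMAC-SHA1 over password and salt (later DK step not applied)."""
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, keylen
    )


def precompute(words, salt):
    """Key list that can be built ahead of time for one known salt."""
    return {pbkdf2_stage(w, salt): w for w in words}


def exposed(table, password, salt):
    """True if the key for (password, salt) already appears in the table."""
    return pbkdf2_stage(password, salt) in table


def demo():
    alice = default_salt("EXAMPLE.COM", "alice")  # hypothetical principal
    bob = default_salt("EXAMPLE.COM", "bob")      # hypothetical principal
    table = precompute(DICTIONARY, alice)
    return {
        # Fixed salt: the same table matches before and after a password change.
        "first_password": exposed(table, "letmein", alice),
        "after_change": exposed(table, "hunter2", alice),
        # The table is specific to one principal's salt.
        "other_principal": exposed(table, "letmein", bob),
        # New random salt at password change: the old table no longer matches.
        "random_salt": exposed(table, "hunter2", random_salt()),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case}: {'in precomputed list' if hit else 'not in list'}")
```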
