On 10/29/2012 11:19 AM, [email protected] wrote:
> So the security of the whole tunnel is based on the strength of the long-term
> host key.

Yes.

> Theoretically an attacker would be able to obtain a host TGT that is
> encrypted with the host key because pre-authentication is in most cases not
> required. On that TGT he can start offline attacks to get the key that was
> used for encryption. If he gets the key he can decrypt other requests and is
> able to get the session keys of other conversations and with the session key
> he can get the subkey from the authenticator. Finally the attacker has all
> information needed to rebuild the armor key and thus is able to decrypt
> FAST tunneled messages. Remember everything is theoretical, regardless of
> the time factor that is needed to find the correct host key.

That sounds correct. An attacker who can mount a successful offline attack
against a randomly chosen key would probably start with the realm's TGT key,
of course.

> Is there a special reason why a complete new key is created for armoring the
> requests? Why isn't just the session key used?

So that each FAST conversation uses a different armor key, even if it uses
the same TGT for armor. That prevents an attacker from replaying a KDC
response from one conversation into another. See the second-to-last
paragraph of section 5.4.
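
Added example, not part of the original message: a sketch of the armor key derivation discussed above, following the KRB-FX-CF2(subkey, ticket session key, "subkeyarmor", "ticketarmor") construction from RFC 6113, to show why a reply protected in one conversation does not verify in another that reuses the same armor TGT. HMAC-SHA256 as the PRF, the HMAC tag standing in for the protected KDC reply, and all keys and function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY_LEN = 32  # assumption: AES-256-sized keys, where random-to-key is the identity


def prf(key, data):
    # Stand-in PRF (assumption); each real enctype defines its own pseudo-random().
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, pepper, length=KEY_LEN):
    # PRF+(key, pepper) = prf(key, 1 || pepper) || prf(key, 2 || pepper) || ...
    out, counter = b"", 1
    while len(out) < length:
        out += prf(key, bytes([counter]) + pepper)
        counter += 1
    return out[:length]


def krb_fx_cf2(k1, k2, pepper1, pepper2):
    # XOR of the two PRF+ streams, so the result depends on both input keys.
    return bytes(a ^ b for a, b in zip(prf_plus(k1, pepper1), prf_plus(k2, pepper2)))


def armor_key(subkey, ticket_session_key):
    return krb_fx_cf2(subkey, ticket_session_key, b"subkeyarmor", b"ticketarmor")


def protect(key, reply):
    # Stand-in for the KDC protecting its FAST reply under a key (integrity only).
    return hmac.new(key, reply, hashlib.sha256).digest()


def accepts(key, reply, tag):
    return hmac.compare_digest(protect(key, reply), tag)


def replay_demo():
    # Constructed keys: one armor TGT session key, a fresh subkey per conversation.
    session_key = bytes(range(32))
    subkey_a, subkey_b = b"\xaa" * 32, b"\xbb" * 32
    armor_a = armor_key(subkey_a, session_key)
    armor_b = armor_key(subkey_b, session_key)
    reply = b"constructed KDC reply for conversation A"
    return {
        "own_conversation": accepts(armor_a, reply, protect(armor_a, reply)),
        "replayed_into_b": accepts(armor_b, reply, protect(armor_a, reply)),
        # If the bare session key armored both conversations, the replay verifies.
        "replayed_session_key_only": accepts(session_key, reply, protect(session_key, reply)),
    }
```

The derivation does not change the offline-attack point made earlier in the thread: anyone who recovers the ticket session key and reads the subkey from the authenticator can recompute the same armor key.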
