Re: Can Kerberos be cracked??

From: Robin Garner (robin.garner@crsrehab.gov.au)
Date: 11/01/01


Date: 1 Nov 2001 06:58:33 -0000
Message-ID: <20011101065833.5120.qmail@mail.securityfocus.com>
From: Robin Garner <robin.garner@crsrehab.gov.au>
To: focus-ms@securityfocus.com
Subject: Re: Can Kerberos be cracked??


('binary' encoding is not supported, stored as-is) Mailer: SecurityFocus
In-Reply-To: <000901c15b5a$b0c17fe0$0b00010a@lauradominion.com>

One recent paper on cracking Kerberos is

"A Real-World Analysis of Kerberos Password
Security "
Thomas Wu, Computer Science Department
Stanford University

http://citeseer.nj.nec.com/418833.html

http://www.isoc.org/isoc/conferences/ndss/99/procee
dings/papers/wu.pdf

Wu manages to crack over 2,000 passwords from a
user population of 25,000 on the Stanford Kerberos
v4 network in a 2 week period. He notes that the pre-
authentication in Krb v5 strengthens the
authentication exchange somewhat, but the same
attack is possible; simply more time consuming.

Robin