Re: Kerberos DES encryption
- From: DaveMo <david.mowers@xxxxxxxxx>
- Date: 20 Apr 2007 08:57:11 -0700
On Apr 20, 3:11 am, "S. Pidgorny <MVP>" <slavi...@xxxxxxxxx> wrote:
> Most integration guides recommend using DES encryption for Kerberos tickets
> in UNIX/Linux interoperability scenarios.
> I wonder what is the risk. It can be brute forced; probably even in the
> lifetime of the ticket. But I'm not familiar enough with the Kerberos
> specification to identify what the potential exposure will be.
> Opinions appreciated.
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
> http://sl.mvps.org  http://msmvps.com/blogs/sp
You are correct in the risk. Service tickets are encrypted with the
DES key, so one approach would be to crack the key, retrieve the clear
text ticket, change the ticket to what you need for an exploit and
then re-present the ticket to the server. I think the same could be
done for the TGT, but I'm not as sure. If you accomplish the brute
force, then I don't think you would be restricted to the ticket
lifetime, you could simply change the lifetime.
I think most Linux/UNIX platforms now support something better than
DES such as 3DES or AES. I'd recommend using it if available and
getting an add-on if not.
HTH,
Dave
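
Added example, not part of the original thread: a small audit that flags single-DES enctypes in the [libdefaults] section of a krb5.conf, the kind of setting the integration guides mentioned above tend to leave behind. It assumes MIT krb5 option and enctype names; the function name `audit_krb5_conf` and the sample configuration are constructed for illustration.

```python
import re

# Single-DES enctype names as spelled in MIT krb5 configuration ("des" is the family alias).
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

def audit_krb5_conf(text):
    """Return (line_number, key, detail) findings for single-DES use in [libdefaults]."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Entries are separated by spaces or commas; a leading "-" removes
            # an enctype from the list, so it is not counted as enabled.
            tokens = [t.lower() for t in re.split(r"[\s,]+", value) if t]
            weak = sorted({t.lstrip("+") for t in tokens
                           if not t.startswith("-") and t.lstrip("+") in SINGLE_DES})
            if weak:
                findings.append((lineno, key, "single DES enabled: " + ", ".join(weak)))
        elif key == "allow_weak_crypto" and value.lower() in {"true", "yes", "on", "1"}:
            findings.append((lineno, key, "weak enctypes (including DES) permitted"))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # interop settings copied from an old integration guide
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96, des-cbc-crc
    permitted_enctypes = DEFAULT -des
    allow_weak_crypto = true
[domain_realm]
    .example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for lineno, key, detail in audit_krb5_conf(SAMPLE):
        print(f"line {lineno}: {key}: {detail}")
```

Keytabs and the service account's key types on the KDC side need the same review, since a client configuration alone does not decide which key a service ticket is encrypted with.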