[29038] in Kerberos


Re: Is "SPN advertisement" or well-known SPNs a security hole?

daemon@ATHENA.MIT.EDU (Srinivas Kakde)
Mon Jan 14 22:31:26 2008

Date: Mon, 14 Jan 2008 16:00:11 -0800 (PST)
From: Srinivas Kakde <srinivas.kakde@yahoo.com>
To: jaltman@secure-endpoints.com
MIME-Version: 1.0
Message-ID: <673189.72562.qm@web46016.mail.sp1.yahoo.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Jeffrey,

Thank you for your response.  Now I have more questions:

Jeffrey Altman wrote:
> It would be like walking down the street looking
> for an undercover police officer and instead finding a drug dealer.  You
> decide to authenticate the undercover officer by calling the police
> precinct but instead of using a phone number for the precinct that you
> obtained from the Verizon phone book you ask the drug dealer for the
> phone number of the precinct.  When you call the provided number, his
> accomplice answers and confirms that he is in fact a police officer.

This example assumes that I don't already have a prior relationship
with the precinct.  I do have a prior relationship with the precinct.
When the precinct responds to an officer validation request from me they
always conclude their message with a secret phrase that only the
precinct and I know. This way I know if I'm being tricked.  Is this not
like Kerberos?


Jeffrey Altman wrote:
> The security of the authentication is based upon the name.  By asking
> you to authenticate to a name selected by the attacker, you can be
> tricked into using a KDC that is in fact under the control of the
> attacker.

Are you sure this is right?  I think in Kerberos, knowledge of a
shared secret (not knowledge of the principal name) is the foundation
for trust?  In the case of an AS-REQ/AS-REP exchange, what would the
malicious KDC use to encrypt the EncKDCRepPart of the KDC-REP such that
the decrypted nonce would match what the client supplied in the KDC-REQ?




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
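
The AS-REP check that the last question in the message refers to, as an added example that is not part of the original message or of any Kerberos implementation: the client accepts a reply only if the encrypted part opens under its own long-term key and echoes the nonce it sent. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256, PBKDF2 stands in for string-to-key, and the JSON layout, function names, principal and passwords are constructed for illustration.

```python
import hashlib, hmac, json, os

def derive_key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key: long-term key from password + salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _stream(key: bytes, iv: bytes, n: int) -> bytes:
    # Keystream for the toy cipher (assumption, not a Kerberos enctype).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC: iv || ciphertext || tag.
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, iv, len(plaintext))))
    tag = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: not sealed with this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))

def kdc_reply(key_kdc_holds: bytes, request_nonce: int) -> bytes:
    # Simplified EncKDCRepPart: echoes the request nonce plus a session key.
    part = {"nonce": request_nonce, "session_key": os.urandom(16).hex()}
    return seal(key_kdc_holds, json.dumps(part).encode())

def client_accepts(client_key: bytes, sent_nonce: int, enc_part: bytes) -> bool:
    # Client side: the reply must open under the client's key AND carry its nonce.
    try:
        part = json.loads(unseal(client_key, enc_part))
    except ValueError:
        return False
    return part["nonce"] == sent_nonce

# Constructed sample principal salt and passwords.
SALT = "EXAMPLE.COMalice"
CLIENT_KEY = derive_key("correct horse battery", SALT)
GUESSED_KEY = derive_key("a guess by someone else", SALT)
```

This models only the AS exchange named in the question; how the client selects the KDC or the service name is outside it.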
