[29084] in Kerberos
Re: Is "SPN advertisement" or well-known SPNs a security hole?
daemon@ATHENA.MIT.EDU (Srinivas Kakde)
Thu Jan 17 16:59:44 2008
Date: Thu, 17 Jan 2008 10:13:28 -0800 (PST)
From: Srinivas Kakde <srinivas.kakde@yahoo.com>
To: Simon Wilkinson <simon@sxw.org.uk>
MIME-Version: 1.0
Message-ID: <637590.82882.qm@web46004.mail.sp1.yahoo.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ok. Thank you.
----- Original Message ----
From: Simon Wilkinson <simon@sxw.org.uk>
To: Srinivas Kakde <srinivas.kakde@yahoo.com>
Cc: kerberos@mit.edu
Sent: Thursday, January 17, 2008 2:44:12 AM
Subject: Re: Is "SPN advertisement" or well-known SPNs a security hole?
On 16 Jan 2008, at 21:32, Srinivas Kakde wrote:
> I
> think there must be equivalence between permission required create a
> principal on
> a KDC and the permission required associate the service principal
> name
> with network binding information. I think this is an interesting
area
> of study.
See the domain based naming work being done in the IETF Kitten WG -
this allows the KDC to associate a specific SPN with a domain-based-
name.
> Attacker that is able obtain control of a KDC or cross-realm keys
will
> be able to cause very serious problems
The second part of this isn't strictly true. An attacker than
compromises a KDC that you cross-realm with, or the keys for that
cross-realm relationship, can only impersonate principals in the
foreign realm. Normally, this doesn't have any significant impact on
the overall security of local services, providing there's no way for
an attacker to pretend that a local service has an SPN in that
foreign realm. This is the attack that Jeff was describing.
Simon.
____________________________________________________________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
