[32760] in Kerberos
Re: Question on mutual authentication
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Oct 2 07:44:18 2010
From: Greg Hudson <ghudson@mit.edu>
To: SANDERS Miguel <miguel.sanders@arcelormittal.com>
In-Reply-To: <7DF29B50FFF41848BB2281EC2E71A206016D9809@GEN-MXB-V04.msad.arcelor.net>
Date: Sat, 02 Oct 2010 07:44:10 -0400
Message-ID: <1286019850.20521.1204.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Sat, 2010-10-02 at 05:01 -0400, SANDERS Miguel wrote:
> I have a question concerning the mutual authentication in the kerberos
> flow. I know that the client proves his identity to the AS by using
> the PA-ENC-TIMESTAMP (preauthentication). Similarly, the authenticator
> in the TGS-REQ is used to prove the client's identity to the TGS. But
> how does the AS prove his identity to the client in the AS-REP
> message? Same question for the TGS in the TGS-REP message.
The AS or TGS (which are typically just referred to as the KDC) doesn't
exactly prove its identity; it proves its knowledge of the client's
long-term key. If the fake KDC does not know the client's long-term key
(or TGT session key for a TGS request), it will be unable to produce a
reply which successfully decrypts.
It's important to note that when a user is logging into a host, this
standard of proof is of no value to the host, as the user could be
colluding with a fake KDC. This is the classic "Zanarotti attack." To
prevent this attack, a host makes the KDC prove its knowledge of the
long-term key in the host's keytab, by making a TGS request to that
service principal and verifying the result.
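The two checks Greg describes, simulated in Python as an added example (not code from this thread or from MIT krb5): a host that only checks that the AS-REP decrypts accepts a fake KDC colluding with the user, while a host that also requests a ticket for its own principal and checks it against its keytab key rejects that KDC. The cipher, keys and principal names are constructed stand-ins; real Kerberos uses its own enctypes and ASN.1 messages.

```python
import hashlib, hmac, os

# Toy encrypt-then-MAC cipher standing in for a Kerberos enctype (simulation only).
# Decrypting under the wrong key fails the MAC, which is what reply verification relies on.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

class KDC:
    """Minimal AS/TGS: its only 'proof' is knowledge of the keys it was given."""
    def __init__(self, keys):
        self.keys = keys  # principal name -> long-term key
    def as_rep(self, client):    # AS-REP: fresh session key under the client's key
        return encrypt(self.keys[client], os.urandom(32))
    def tgs_rep(self, service):  # service ticket: session key under the service's key
        return encrypt(self.keys.get(service, os.urandom(32)), os.urandom(32))

def naive_login(kdc, client, client_key):
    """Host that only checks the AS-REP decrypts: fooled by a colluding fake KDC."""
    try:
        decrypt(client_key, kdc.as_rep(client))
    except ValueError:
        return False
    return True

def verified_login(kdc, client, client_key, host_princ, keytab_key):
    """Host additionally requests a ticket for itself and checks it with its keytab key."""
    if not naive_login(kdc, client, client_key):
        return "as-rep rejected"
    try:
        decrypt(keytab_key, kdc.tgs_rep(host_princ))
    except ValueError:
        return "kdc failed keytab verification"
    return "verified"

# Constructed keys and principals (assumptions, not from the original message).
CLIENT_KEY, HOST_KEY = os.urandom(32), os.urandom(32)
REAL_KDC = KDC({"alice@EXAMPLE": CLIENT_KEY, "host/ws.example@EXAMPLE": HOST_KEY})
FAKE_KDC = KDC({"alice@EXAMPLE": CLIENT_KEY})  # colluding user shared only her own key
```

Running `verified_login` against `FAKE_KDC` returns "kdc failed keytab verification" even though `naive_login` against the same KDC returns True.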
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos