[39450] in Kerberos


Re: is there a way to detect if user is using same incorrect password

daemon@ATHENA.MIT.EDU (Brent Kimberley via Kerberos)
Sat Aug 10 07:35:07 2024

To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, Jim Shi <hjshi@yahoo.com>
CC: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Sat, 10 Aug 2024 11:33:40 +0000
Message-ID: <YT3PR01MB1054400E3B24F617DB0DAC717FABB2@YT3PR01MB10544.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <202408100103.47A131bX008296@hedwig.cmf.nrl.navy.mil>
Content-Language: en-US
MIME-Version: 1.0
From: Brent Kimberley via Kerberos <kerberos@mit.edu>
Reply-To: Brent Kimberley <Brent.Kimberley@Durham.ca>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

The definition of an argon salt is predicated on a nonce - number used once.  Reusing the salt, changes the definition.

Net result. The overall security will degrade.
CPU and disk load will increase.  Your OpEx and CapEx demand will increase.  Your contingency reserve demand will increase.  The quality of the data and logic will degrade.  The revised security proof would need to be updated and peer reviewed.  And, your historians will have more facts to play with...

________________________________
From: Kerberos <kerberos-bounces@mit.edu> on behalf of Ken Hornstein via Kerberos <kerberos@mit.edu>
Sent: Friday, August 9, 2024 9:03:01 PM
To: Jim Shi <hjshi@yahoo.com>
Cc: kerberos@mit.edu <kerberos@mit.edu>
Subject: Re: is there a way to detect if user is using same incorrect password in authentication

>Hi, we have a requirement to detect if a client is using the same incorrect
>password in authentication against the KDC.  Is it possible for the KDC
>server to determine if a client is using the same incorrect password?  Thanks

Ouch, is this some dang compliance requirement?  I thought I had dealt with
SO MANY weird compliance issues, but that's a new one to me.  I'm interested
in where this is coming from.  If I understand you, it seems like you mean
that a single client is repeating the same incorrect password over and over.
If you mean that different clients are trying to use the same incorrect
password, I don't believe that's possible (nor do I understand why that
would be a requirement).  Upon further thought, this seems like a completely
ridiculous requirement and I cannot imagine why anyone would ask for it.

I _think_, in theory ... my first guess as to what you mean is possible.
But it won't be trivial.  I believe you could accomplish this by using
encrypted timestamp preauth, detecting when a wrong password is seen,
remembering that on the KDC, and then sending the same encrypted timestamp
back to the client upon further password requests and detecting if the
response was the same.  That would be a lot of code and have issues if
the requests went to different KDCs.  It's very possible I could be wrong
about that.  And again, that only works with requests from the SAME client
due to password salting.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
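The mechanism Ken describes above (encrypted-timestamp pre-authentication and per-principal password salting), as a constructed toy model added here for illustration; it is not code from MIT krb5 nor from either poster. It assumes a simplified string-to-key (PBKDF2-HMAC-SHA1 over the password and the default REALM+principal salt, without the RFC 3962 DK() step) and an HMAC-based toy cipher in place of AES-CTS; the realm, principal names and passwords are made up. It shows what the KDC actually receives on a failed attempt: a blob under a key it does not hold, carrying a random confounder and a fresh timestamp, so two attempts with the same wrong password from one client are not byte-comparable, and the same wrong password under two different principals does not even yield the same key.

```python
"""Toy model of Kerberos PA-ENC-TIMESTAMP pre-authentication.

Constructed example: the string-to-key step has the RFC 3962 shape
(PBKDF2-HMAC-SHA1, per-principal salt) but omits DK(); the cipher is an
HMAC-based toy, not AES-CTS/HMAC-SHA1. Good enough to show what the KDC sees.
"""
import hashlib
import hmac
import os
import struct
import time

CLOCK_SKEW = 300      # seconds; the usual KDC default for timestamp preauth
KEY_LEN = 32
CONFOUNDER_LEN = 16
TS_LEN = 8
TAG_LEN = 32


def default_salt(realm: str, principal: str) -> str:
    # Kerberos default salt: realm name followed by the principal's name components.
    return realm + "".join(principal.split("/"))


def string_to_key(password: str, salt: str, iterations: int = 4096) -> bytes:
    # Same password, different salt -> different key. This is why a wrong password
    # tried against two principals is not recognisable as "the same" password.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, KEY_LEN)


def _keystream(key: bytes, confounder: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, confounder + struct.pack(">I", counter), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_timestamp(key: bytes, timestamp: int, confounder: bytes = None) -> bytes:
    """Client side: PA-ENC-TIMESTAMP = confounder || E_key(timestamp) || MAC.

    The confounder is random per attempt (toy stand-in for the random block
    real Kerberos etypes prepend), so repeated attempts never look alike."""
    if confounder is None:
        confounder = os.urandom(CONFOUNDER_LEN)
    plaintext = struct.pack(">Q", timestamp)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, confounder, TS_LEN)))
    tag = hmac.new(key, confounder + ct, "sha256").digest()
    return confounder + ct + tag


def kdc_verify(stored_key: bytes, padata: bytes, now: int) -> bool:
    """KDC side: decrypt with the principal's stored key; accept only a fresh timestamp.

    On failure the KDC learns nothing about the password used: the blob is under
    a key it cannot reconstruct, so there is no value to store and compare."""
    confounder = padata[:CONFOUNDER_LEN]
    ct = padata[CONFOUNDER_LEN:CONFOUNDER_LEN + TS_LEN]
    tag = padata[CONFOUNDER_LEN + TS_LEN:]
    expected = hmac.new(stored_key, confounder + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return False                      # wrong key (wrong password) or tampering
    ts = struct.unpack(">Q", bytes(c ^ k for c, k in zip(ct, _keystream(stored_key, confounder, TS_LEN))))[0]
    return abs(ts - now) <= CLOCK_SKEW    # stale timestamp -> reject (replay protection)


def client_attempt(realm: str, principal: str, password: str, now: int) -> bytes:
    """What a client sends: key derived from its password and the principal's salt."""
    return encrypt_timestamp(string_to_key(password, default_salt(realm, principal)), now)


def demo(realm: str = "EXAMPLE.ORG") -> dict:
    now = int(time.time())
    kdc_db = {"alice": string_to_key("correct horse", default_salt(realm, "alice"))}
    first = client_attempt(realm, "alice", "Password1", now)
    second = client_attempt(realm, "alice", "Password1", now)
    return {
        "right_password_accepted": kdc_verify(kdc_db["alice"], client_attempt(realm, "alice", "correct horse", now), now),
        "wrong_password_rejected": not kdc_verify(kdc_db["alice"], first, now),
        "same_wrong_password_blobs_differ": first != second,
        "same_wrong_password_other_principal_key_differs":
            string_to_key("Password1", default_salt(realm, "alice")) != string_to_key("Password1", default_salt(realm, "bob")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The only way two failed blobs from one client compare equal is when both the confounder and the timestamp are pinned, and in the real protocol both are chosen by the client, not the KDC; that is the gap Ken's "send the same encrypted timestamp back" idea would have to close, and it still would not help across principals because of the salt.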
