[1771] in Kerberos_V5_Development
Re: protocol flaw (160 lines) (was: krbdev vs krbcore)
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Fri Sep 20 18:41:51 1996
Date: Fri, 20 Sep 1996 18:41:46 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: marc@MIT.EDU
Cc: don@cam.ov.com, krbcore@MIT.EDU
In-Reply-To: <199609202212.SAA14702@beeblebrox.MIT.EDU> (message from Marc
Horowitz on Fri, 20 Sep 1996 18:12:06 EDT)
I like Marc's suggestions. This one:
Or, you could create a new hesiod map which is keyed by a
cryptographic hash of the username.
struck me as particularly useful. Is there a reason the Kerberos
protocol cannot be modified to use it directly, thus solving the
problem at its source? The only reason I can think of is "it would
require changing the krb5 protocol," which of course we don't want to
do. It could be kludged in via pre-authentication (the current
favoriate way of hacking protocol extensions :-):
C->KDC: C_dummy, S, PA_HASH_NAME=MD5(C|K_c)
The KDC would then key its database by MD5(C|K_c) instead of by C.
This does not provide pre-authentication in its original sense, since
the pa data can be replayed (a timestamp would make using the hash as
a key impossible), but it does prevent accidental exposure of the
password as Marc describes. Actual pre-authentication could still be
provided via a second pa-data stucture.
Barry
