Ken Raeburn wrote:
> On Nov 2, 2006, at 17:48, Henry B. Hotz wrote:
>
>>OTOH, it sounds like a fun idea to me. Do the cryptosystem RFC's
>>specify the default salt?
>
>
> Actually, the default salt, derived from the realm and principal
> name, is specified in the main Kerberos protocol document, and is
> invariant across cryptosystems; the cryptosystem RFCs don't know
> anything about principal names or realm names. What gets done with
> the salt string is defined per cryptosystem, though.
>
> Using a fixed per-principal salt string allows an attacker to convert
> a standard password-cracking dictionary into a set of keys for a
> given principal, and try that set of keys repeatedly despite the user
> changing her password. If the salt string (which is supposed to be
> UTF-8 if I recall correctly) is randomized and long enough, then any
> key of N bits should be possible[*] even if the password is in the
> dictionary, and the attacker can only precompute his key list for a
> given salt string. So it's probably worth considering despite the
> bugs of one implementation.
>

But the salt is returned in the KRB_ERROR KRB5KDC_ERR_PREAUTH_REQUIRED(25) message on the PA_ENCTYPE_INFO in clear text so just having a different salt per principal should make it just as difficult for the attacker.

This feature came in handy while trying to figure out why Java < 1.6 did not work correctly with pre-auth assuming it knew the salt. In a mixed case principal name. AD is case insensitive but the salt is not.

> Ken
>
> [*] Assuming the cryptosystem actually uses the salt string, and
> incorporates it properly, of course. The RC4 cryptosystem, for
> example, does not use it, and thus the key is derived from the
> password alone, and a dictionary can be converted to keys that can be
> tried for any user in any realm.
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
