Benjamin Kaduk <[email protected]> writes:

> The core kerberos protocol itself is pretty well-analyzed, and unlikely
> to have been backdoored. There could potentially be issues with the
> crypto primitives used by a particular Kerberos implementation or
> encryption type (e.g., PRNG, block cipher, and hash function), but such
> issues would have much broader consequences than just kerberos. AES is
> probably fine, but, say, the md4 hash function used in arcfour-hmac's
> string-to-key is not so good, and as mentioned already RFC 6649
> deprecates some weak enctypes.

With Kerberos, it's always worth being aware that it's a trusted central
authentication system. A compromise of the KDC is a total compromise of
the realm, and the compromise doesn't have to be active. All you need is
a copy of the keys, and then you can basically do anything you want in a
way that's extremely hard to detect.

If I were a sophisticated attacker who was attempting to compromise a
Kerberos infrastructure, I wouldn't attack the crypto. I'd backdoor the
KDC using any of the many tools available for compromising a single
system. In most situations, that would be substantially easier than
attacking the crypto and harder to detect afterwards.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
