Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)

As mentioned in Question 1.18, one weakness in Kerberos is the ability to do an offline dictionary attack by requesting a TGT for a user and just trying different passwords until you find one that decrypts the TGT successfully.

One way of preventing this particular attack is to do what is known as preauthentication. This simply means requiring some additional authentication before the KDC will issue you a TGT.

The simplest form of preauthentication is known as PA-ENC-TIMESTAMP. This is simply the current timestamp encrypted with the user's key. There are various other types of preauthentication, but not all versions of Kerberos 5 support them all.

Send corrections/additions to the FAQ Maintainer: Ken Hornstein <kenh@cmf.nrl.navy.mil>
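The KDC-side decision behind the PA-ENC-TIMESTAMP preauthentication described in this answer, as an added sketch that is not from the FAQ or from any Kerberos implementation. The key derivation and the HMAC-based cipher are stand-ins for the real Kerberos encryption types, and the function names, return labels and 300-second skew limit are assumptions.

```python
import hashlib, hmac, os, struct

MAX_SKEW = 300  # seconds; assumed tolerance between client and KDC clocks

def user_key(password: str, salt: str) -> bytes:
    # Stand-in string-to-key; real Kerberos uses an etype-specific function.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()

def _mac(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def make_pa_enc_timestamp(key: bytes, now: int) -> bytes:
    """Client side: the current time, encrypted under the user's key."""
    nonce = os.urandom(16)
    plain = struct.pack(">Q", now)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce)))
    return nonce + ct + _mac(key, nonce, ct)

def kdc_check(key: bytes, padata, kdc_now: int) -> str:
    """KDC side: decide whether this request for a TGT gets a reply."""
    if padata is None:
        # No preauthentication data: refuse before sending anything that is
        # encrypted under the user's key, so there is nothing to guess against.
        return "PREAUTH_REQUIRED"
    if len(padata) != 16 + 8 + 32:
        return "PREAUTH_FAILED"
    nonce, ct, tag = padata[:16], padata[16:24], padata[24:]
    if not hmac.compare_digest(tag, _mac(key, nonce, ct)):
        return "PREAUTH_FAILED"  # requester does not hold the user's key
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce)))
    (ts,) = struct.unpack(">Q", plain)
    if abs(kdc_now - ts) > MAX_SKEW:
        return "CLOCK_SKEW"      # stale or future timestamp is rejected
    return "ISSUE_TGT"

if __name__ == "__main__":
    # Constructed sample principal and password, for illustration only.
    k = user_key("correct horse", "EXAMPLE.COMalice")
    print(kdc_check(k, None, 1000))
    print(kdc_check(k, make_pa_enc_timestamp(k, 1000), 1010))
```

The skew check is why the timestamp only proves knowledge of the key when client and KDC clocks roughly agree.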
Last Update March 27 2014 @ 02:11 PM