Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 1.19. What is preauthentication?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Business Photos and Profiles ]


Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.18. Are there any known weaknesses in Kerberos?
Next Document: 1.20. Why do I need to synchronize my system clocks to run Kerberos?
See reader questions & answers on this topic! - Help others by sharing your knowledge
As mentioned in Question 1.18, one weakness in Kerberos is the ability to do
an offline dictionary attack by requested a TGT for a user and just trying
different passwords until you find one that decrypts the TGT successfully.

One way of preventing this particular attack is to do what is known as
preauthentication. This means to simply require some additional
authentication before the KDC will issue you a TGT.

The simplest form of preauthentication is known as PA-ENC-TIMESTAMP. This is
simply the current timestamp encrypted with the user's key.

There are various other types of preauthentication, but not all versions of
Kerberos 5 support them all.

User Contributions:

Comment about this article, ask questions, or add new information about this topic:

CAPTCHA




Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.18. Are there any known weaknesses in Kerberos?
Next Document: 1.20. Why do I need to synchronize my system clocks to run Kerberos?

Single Page

[ Usenet FAQs | Web FAQs | Documents | RFC Index ]

Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>





Last Update March 27 2014 @ 02:11 PM