Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 1.18. Are there any known weaknesses in Kerberos?
Next Document: 1.20. Why do I need to synchronize my system clocks to run Kerberos?


1.19. What is preauthentication?


As mentioned in Question 1.18, one weakness in Kerberos is the ability to do
an offline dictionary attack by requesting a TGT for a user and simply trying
different passwords until you find one that decrypts the TGT successfully.

One way of preventing this particular attack is to do what is known as
preauthentication. This simply means requiring some additional
authentication before the KDC will issue you a TGT.

The simplest form of preauthentication is known as PA-ENC-TIMESTAMP. This is
simply the current timestamp encrypted with the user's key.
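
As an added illustration (not part of the FAQ, and not real Kerberos code), here is a simplified model of the PA-ENC-TIMESTAMP exchange: the client encrypts the current time under its long-term key, and the KDC decrypts it with the stored key and checks that it is fresh before releasing the reply that an attacker would otherwise guess passwords against. The cipher, the PBKDF2 string-to-key, the 300-second skew and all names and values are constructed stand-ins.

```python
# Added example (not from the FAQ): a simplified model of PA-ENC-TIMESTAMP.
# The cipher below is a constructed stand-in (HMAC-SHA256 keystream plus HMAC
# tag), not a real Kerberos enctype; it exists only to show the KDC's check.
import hashlib, hmac, os, struct

CLOCK_SKEW = 300   # seconds; assumed KDC tolerance for client clock drift

def string_to_key(password, salt):
    """Stand-in for the Kerberos string-to-key function (PBKDF2 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Returns the plaintext, or None when the key is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def make_pa_enc_timestamp(user_key, now):
    """Client side: the current time, encrypted under the user's long-term key."""
    return encrypt(user_key, struct.pack(">Q", now))

def kdc_verify_preauth(user_key, padata, now):
    """KDC side: decrypt with the stored key and insist the timestamp is fresh."""
    pt = decrypt(user_key, padata)
    if pt is None or len(pt) != 8:
        return False
    return abs(now - struct.unpack(">Q", pt)[0]) <= CLOCK_SKEW

def kdc_as_reply(user_key, padata, now, require_preauth=True):
    """Issue the (toy) TGT reply, encrypted under the user's key, or refuse.
    Without preauth the KDC hands this ciphertext to anyone who asks, which is
    the offline-guessing target; with preauth it is only released after the
    client has proven knowledge of the key."""
    if require_preauth and (padata is None or not kdc_verify_preauth(user_key, padata, now)):
        return None
    return encrypt(user_key, b"TGT-SESSION-KEY(constructed)")
```

Note that the encrypted timestamp itself is still ciphertext under the user's key, so a party able to capture it on the wire regains an offline guessing target; preauthentication raises the bar from "anyone who can send a request" to "someone on the network path", which is why strong passwords and clock discipline still matter.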

There are various other types of preauthentication, but not all versions of
Kerberos 5 support them all.




Send corrections/additions to the FAQ Maintainer:
Ken Hornstein <kenh@cmf.nrl.navy.mil>

Last Update October 22 2009 @ 05:26 AM

Some parts © 2009 Advameg, Inc.