Kerberos authentication and its hash values

Since you don't send the actual password over the wire how does the server know how to compare the same hash as the client provided? Does the client machine take the password the user provided and hash it and then send that hash value to the server and compare that hash value with the one that the server has stored? If thats the case, couldn't someone use a replay attack with the same hash value as the user and get authenticated to the server and user those credentials? Also, what if a user wants to change their password to something else, wouldn't that password be sent across the wire to be stored on the server?

Find more posts tagged with

SAVE $250 on Your CompTIA Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CompTIA Boot Camps

Comments

Webmaster

ninjaz wrote:

Since you don't send the actual password over the wire how does the server know how to compare the same hash as the client provided? Does the client machine take the password the user provided and hash it and then send that hash value to the server and compare that hash value with the one that the server has stored? If thats the case, couldn't someone use a replay attack with the same hash value as the user and get authenticated to the server and user those credentials?

That value (in Kerberos called the authenticator) also includes and encrypted timestamp, making it unique, hence protects it against replay attacks. (That doesn't mean Kerberos is completely safe from replay attacks...). This is the reason why time synchronization in Kerberos networks (such as Win2000/2003) is essential. Kerberos has a socalled 'replay cache' in which timestamps that were received in the past 5 minutes are cached.

ninjaz wrote:

Also, what if a user wants to change their password to something else, wouldn't that password be sent across the wire to be stored on the server?

Good question, I don't know the exact operation, but a user (principal in kerberos) must be authenticated before the password can be changed. Once the principal is logged in and wants to change the password the KDC will probably generate new temporary sessions keys for the change in user credentials.

keatron

Change password is a request/reply protocol that includes a KRB_PRIV (kerberos privelage) message that contains the new password for the user. So in my opinion the short answer is yes. It is sent across.

Webmaster

Thanks for the insight Keatron. KRB_PRIV was my missing link. I agree btw, the password is sent across the wire when a user changes it. KRB_PRIV lead to some better results:

www.faqs.org/rfcs/rfc3244.html

www.freesoft.org/CIE/RFC/1510/38.htm
www.freesoft.org/CIE/RFC/1510/39.htm

keatron

No problem Johan. Very good links too.