Kerberos authentication and its hash values

ninjaz (Member):
Since you don't send the actual password over the wire, how does the server know how to compare the same hash as the client provided? Does the client machine take the password the user provided and hash it, and then send that hash value to the server and compare that hash value with the one that the server has stored? If that's the case, couldn't someone use a replay attack with the same hash value as the user and get authenticated to the server and use those credentials? Also, what if a user wants to change their password to something else? Wouldn't that password be sent across the wire to be stored on the server?

Comments

  • Webmaster (Admin):
    ninjaz wrote:
    Since you don't send the actual password over the wire, how does the server know how to compare the same hash as the client provided? Does the client machine take the password the user provided and hash it, and then send that hash value to the server and compare that hash value with the one that the server has stored? If that's the case, couldn't someone use a replay attack with the same hash value as the user and get authenticated to the server and use those credentials?
    That value (in Kerberos called the authenticator) also includes an encrypted timestamp, making it unique, which protects it against replay attacks. (That doesn't mean Kerberos is completely safe from replay attacks...) This is the reason why time synchronization in Kerberos networks (such as Win2000/2003) is essential. Kerberos has a so-called 'replay cache' in which timestamps that were received in the past 5 minutes are cached.
    ninjaz wrote:
    Also, what if a user wants to change their password to something else? Wouldn't that password be sent across the wire to be stored on the server?
    Good question. I don't know the exact operation, but a user (principal in Kerberos) must be authenticated before the password can be changed. Once the principal is logged in and wants to change the password, the KDC will probably generate new temporary session keys for the change in user credentials.
  • keatron (Member):
    Change password is a request/reply protocol that includes a KRB_PRIV (Kerberos privilege) message that contains the new password for the user. So in my opinion the short answer is yes. It is sent across.
  • Webmaster (Admin):
    Thanks for the insight Keatron. KRB_PRIV was my missing link. I agree, btw, the password is sent across the wire when a user changes it. KRB_PRIV led to some better results:

    www.faqs.org/rfcs/rfc3244.html

    www.freesoft.org/CIE/RFC/1510/38.htm
    www.freesoft.org/CIE/RFC/1510/39.htm
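To make the two mechanisms in this thread concrete (the encrypted-timestamp authenticator plus 5-minute replay cache from the first reply, and the KRB_PRIV change-password exchange from keatron's reply and RFC 3244), here is an added toy model. It is not code from the thread or from any Kerberos implementation. Assumptions: `toy_encrypt`/`toy_decrypt` are a stand-in for a Kerberos etype built from HMAC-SHA256 (keystream plus MAC), not AES-CTS or RC4-HMAC; messages are JSON rather than ASN.1; `string_to_key` is a simplified RFC 3962 PBKDF2 step; the principal names, realm and keys are made up. The error names returned (`KRB_AP_ERR_SKEW`, `KRB_AP_ERR_REPEAT`, `KRB_AP_ERR_BAD_INTEGRITY`, `KRB5_KPASSWD_SUCCESS`) are the real Kerberos/kpasswd result names the corresponding checks would produce.

```python
"""Toy model of the Kerberos authenticator/replay cache and the KRB_PRIV
change-password message (added example, not from the thread; the cipher,
message encoding, names and keys are assumptions, see the lead-in)."""

import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds: the 5-minute window mentioned in the thread


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in etype: nonce || plaintext XOR keystream || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(b ^ k for b, k in zip(body, _keystream(key, nonce, len(body))))


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    """Simplified RFC 3962 string-to-key: PBKDF2 over the password with realm+principal
    as salt (the real AES etypes add a further DK() step; omitted here)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), (realm + principal).encode(), 4096, 32)


# ---- 1. Authenticator with encrypted timestamp, checked against a replay cache ----

def make_authenticator(session_key: bytes, cname: str, now: float) -> bytes:
    """Client side of KRB_AP_REQ: encrypt {cname, ctime, cusec} under the ticket session key.
    The password never appears here; only the timestamp makes each authenticator unique."""
    auth = {"cname": cname, "ctime": int(now), "cusec": int((now % 1) * 1_000_000)}
    return toy_encrypt(session_key, json.dumps(auth).encode())


class ReplayCache:
    """Remembers (cname, ctime, cusec) tuples seen within the skew window."""
    def __init__(self):
        self._seen = {}

    def check_and_add(self, ident: tuple, now: float) -> bool:
        for k, first_seen in list(self._seen.items()):  # expire entries outside the window
            if now - first_seen > CLOCK_SKEW:
                del self._seen[k]
        if ident in self._seen:
            return False
        self._seen[ident] = now
        return True


def verify_authenticator(session_key: bytes, blob: bytes, cache: ReplayCache, now: float) -> str:
    """Server side: returns 'OK' or the Kerberos error the server would answer with."""
    try:
        auth = json.loads(toy_decrypt(session_key, blob))
    except ValueError:
        return "KRB_AP_ERR_BAD_INTEGRITY"
    if abs(now - auth["ctime"]) > CLOCK_SKEW:
        return "KRB_AP_ERR_SKEW"       # clocks too far apart: why time sync is essential
    if not cache.check_and_add((auth["cname"], auth["ctime"], auth["cusec"]), now):
        return "KRB_AP_ERR_REPEAT"     # identical authenticator seen again: replay
    return "OK"


# ---- 2. Change password: new password inside a KRB_PRIV (RFC 3244 style) ----

def changepw_request(session_key: bytes, target: str, new_password: str) -> bytes:
    """The new password is in the KRB_PRIV user-data, encrypted under the session key
    negotiated by the preceding AP exchange: it crosses the wire, but only as ciphertext."""
    return toy_encrypt(session_key, json.dumps({"targname": target, "newpasswd": new_password}).encode())


def kdc_changepw(session_key: bytes, blob: bytes, realm: str, principal_db: dict) -> str:
    """kpasswd server side: decrypt the KRB_PRIV and store a fresh long-term key derived
    from the new password (the KDC stores keys, not passwords)."""
    priv = json.loads(toy_decrypt(session_key, blob))
    principal_db[priv["targname"]] = string_to_key(priv["newpasswd"], priv["targname"], realm)
    return "KRB5_KPASSWD_SUCCESS"


if __name__ == "__main__":
    skey = os.urandom(32)                    # constructed ticket session key
    cache, now = ReplayCache(), time.time()
    ap_req = make_authenticator(skey, "alice@EXAMPLE.COM", now)
    print("first use:", verify_authenticator(skey, ap_req, cache, now + 0.5))
    print("replayed :", verify_authenticator(skey, ap_req, cache, now + 1.0))
    db = {}
    req = changepw_request(skey, "alice@EXAMPLE.COM", "hunter2")
    print("changepw :", kdc_changepw(skey, req, "EXAMPLE.COM", db))
```

Two points the model makes visible: the server accepts an authenticator once and answers a verbatim resend with `KRB_AP_ERR_REPEAT`, and a machine whose clock drifts more than the skew window produces `KRB_AP_ERR_SKEW` even with the right key, which is the operational reason for NTP on Kerberos networks. The change-password request shows why "yes, it is sent across" and "no, it is not exposed" are both true: the new password is in the plaintext of the KRB_PRIV, but an observer of the wire sees only the ciphertext under the session key.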