[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KINK user-user scenario



Kerberos is vulnerable to these types of DoS attacks already. For example,
an attacker can create a delegated request targetted at himself with a
bogus krb creds inside and then send that out in multiple delegated request
to 1000 servers which then try to authenticate to the KDC using the bogus
krb creds.

I'm not convinced we should go to a lot of work to try to prevent these
types of attacks, because we will only be able to give some improvement to
a few cases instead of all the cases. Some sort of IDS system would
probably be needed to handle these types of attacks and might do an equally
good job against all of them. 

Jonathan


At 01:55 PM 1/18/01 -0500, Derek Atkins wrote:
>Jonathan Trostle <jtrostle@xxxxxxxxx> writes:
>
>> TGT's are captured off the wire, unless the attacker wants to use his own
>> TGT which is unlikely. So this localizes the attack to a particular
>> principal's location and is a good place to initiate intrusion detection. 
>
>Who says an attacker needs to use a real TGT?  The TGT need only look
>valid enough that:
>
>	a) the client believes it is a TGT and forwards it to the KDC, and
>	b) the KDC believes it is a TGT and tries to decrypt it.
>
>Keep in mind that a client usually cannot do much in terms of TGT
>validation.  It certainly cannot decrypt the TGT.  All it can do is
>look at the ASN.1 formatting and make sure it looks like a TGT.
>Similarly, the KDC just needs to get far enough in the ASN.1 encoding
>to actually try to decrypt the TGT.
>
>This means an attacker does not have to capture anything off the wire
>in order to mount this attack.  They just build a fake TGT using the
>ASN.1 encoding, a "known service principal", and then use any random
>key to encrypt the encrypted portion of the TGT.  It doesn't matter
>that the KDC can't decrypt it; that's the point -- you want the KDC to
>_try_ to decrypt it and fail.
>
>-derek
>
>-- 
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>       warlord@xxxxxxx                        PGP key available