[OpenAFS-devel] Aklog/krb5 mappings
Ken Hornstein
kenh@cmf.nrl.navy.mil
Thu, 07 Jul 2005 11:56:48 -0400
>I thought the k4 attack worked because the kdc would give an encrypted tgt
>to anyone who asks for it, which allows offline dictionary attacks. This
>works with any encryption algorithm. In fact the use of des makes you more
>resistant to attack, because it's slower than the alternatives. K5 fixes
>this by optionally requiring pre-authentication.
I was under the impression that he was worrying about brute-force attacks
against DES (specifically, the AFS service key), which we don't have a
defense against yet. I haven't yet seen brute-force attacks against DES
in the wild, but I'm computers are getting faster all of the time; I'm
sure it's only a matter of time.
--Ken