Does pre-authentication help against "insider" attacks?

Jeffrey Altman jaltman at secure-endpoints.com
Fri May 26 17:35:21 CEST 2017


On 5/26/2017 11:08 AM, Adam Lewenberg wrote:
> I am trying to understand the security benefits of requiring
> pre-authentication.
> 
> Consider this scenario: an attacker is trying to learn the password for
> a service account, e.g., the principal used by the ssh service on some
> server. The attacker already has the credentials for a user's account
> (but not, of course, the service account he is attacking). The attacker
> requests a service ticket for the account he is attacking. The attacker
> then uses brute force (offline) to derive the service account's password.
> 
> In the context where the attacker *already* has an account, requiring
> pre-authentication does not help mitigate against this sort of attack. In
> other words, pre-authentication helps against attacks from "outsiders"
> but not from existing users.
> 
> Is this correct?
> 
> Thanks, Adam Lewenberg

Pre-authentication reduces the risk of brute force attacks against user
principals by requiring proof that the requester knows the long term
secret before issuing a response encrypted by that long term secret.
Pre-authentication plays no role in preventing brute force attacks
against encrypted service tickets.

Once an authenticated user has obtained a service ticket from the KDC
they are free to do with it what they will including attempts at
brute-forcing the service's key.  That is why it is so important to
cease using weak encryption types for service keys including cross-realm
services.

Jeffrey Altman


More information about the Heimdal-discuss mailing list