<a href="http://g.adspeed.net/ad.php?do=clk&zid=14678&wd=728&ht=90&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=14678&wd=728&ht=90&pair=as" alt="i" width="728" height="90"/></a>

Nmap Security Scanner

Docs
Security Lists

Full Disclosure

More
Security Tools

Packet crafters

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

edgeos

WebApp Sec: Re: Quiz: Can you spot the flaw

Re: Quiz: Can you spot the flaw

From: <kbucher_at_halomede.com>
Date: Tue, 5 Jul 2005 10:33:12 -0700

> Hello Webappsec Gurus,
>
> There is a flaw in this graphical representation of Kerberos: <
> http://www.xml-dev.com/blog/?action=viewtopic&id=21 >
>
> Can you spot the flaw? Also what needs to be done to correct it?
>
> :-)
>
> Happy 4th of July!!! :-)
> --
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/

I'm not a Kerberos expert, but in step 3, the second message from the
TGS to the client appears to be incorrect.

It is listed as:

[Key(client, TGS)]Key(client)

The TGS shouldn't know the secret key of the client. In addition, the
client already has Key(client, TGS), what it needs is
Key(client,service) to communicate with the Service Server.

So it should be:

[Key(client, service)]Key(client, TGS)

Do I win a prize?

Keith Bucher
Received on Jul 05 2005

This message: [ Message body ]
Next message: Miller, Joe: "RE: Errors displayed on a web server"
Previous message: tim.m.james_at_hsbc.com: "Memo: Re: Errors displayed on a web server"
Maybe in reply to: Saqib Ali: "Quiz: Can you spot the flaw"
Next in thread: Saqib Ali: "Re: Quiz: Can you spot the flaw"
Reply: Saqib Ali: "Re: Quiz: Can you spot the flaw"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]