WebApp Sec: Re: Quiz: Can you spot the flaw

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

WebApp Sec mailing list archives

Re: Quiz: Can you spot the flaw

From: kbucher () halomede com
Date: Tue, 5 Jul 2005 10:33:12 -0700

Hello Webappsec Gurus,

There is a flaw in this graphical representation of Kerberos: <
http://www.xml-dev.com/blog/?action=viewtopic&id=21 >

Can you spot the flaw? Also what needs to be done to correct it? 

:-)

Happy 4th of July!!! :-)
-- 
In Peace,
Saqib Ali
http://www.xml-dev.com/


I'm not a Kerberos expert, but in step 3, the second message from the
TGS to the client appears to be incorrect.

It is listed as:  

[Key(client, TGS)]Key(client)

The TGS shouldn't know the secret key of the client.  In addition, the
client already has Key(client, TGS), what it needs is
Key(client,service) to communicate with the Service Server.

So it should be:

[Key(client, service)]Key(client, TGS)

Do I win a prize?

Keith Bucher

By Date By Thread

Current thread:

Quiz: Can you spot the flaw Saqib Ali (Jul 04)
- <Possible follow-ups>
- Re: Quiz: Can you spot the flaw kbucher (Jul 05)
  - Re: Quiz: Can you spot the flaw Saqib Ali (Jul 05)