WebApp Sec mailing list archives
Re: Quiz: Can you spot the flaw
From: kbucher () halomede com
Date: Tue, 5 Jul 2005 10:33:12 -0700
Hello Webappsec Gurus,

There is a flaw in this graphical representation of Kerberos:
< http://www.xml-dev.com/blog/?action=viewtopic&id=21 >

Can you spot the flaw? Also what needs to be done to correct it? :-)

Happy 4th of July!!! :-)

--
In Peace,
Saqib Ali
http://www.xml-dev.com/
I'm not a Kerberos expert, but in step 3, the second message from the TGS to the client appears to be incorrect. It is listed as:

[Key(client, TGS)]Key(client)

The TGS shouldn't know the secret key of the client. In addition, the client already has Key(client, TGS), what it needs is Key(client,service) to communicate with the Service Server. So it should be:

[Key(client, service)]Key(client, TGS)

Do I win a prize?

Keith Bucher
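
Added example, not part of the original posts: a Python sketch of step 3 as the reply above describes it, running the message as listed and the corrected message side by side. The `seal`/`unseal` toy cipher, the key names, and the assumption that the TGS holds only its own key and the service's key are constructed for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def seal(key, data):
    """[data]key: toy authenticated encryption, for illustration only."""
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, box):
    tag, nonce, ct = box[:32], box[32:48], box[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def tgs_exchange(flawed):
    """Run step 3; return True if client and service end up sharing a key."""
    k_client, k_tgs, k_service, k_c_tgs = (os.urandom(32) for _ in range(4))
    tgs_keys = {"tgs": k_tgs, "service": k_service}   # assumption: no Key(client) here
    client_keys = {"client": k_client, "client,tgs": k_c_tgs}
    tgt = seal(k_tgs, k_c_tgs)                 # ticket-granting ticket from the earlier step

    # TGS side
    session = unseal(tgs_keys["tgs"], tgt)     # TGS learns Key(client, TGS) from the TGT
    k_c_s = os.urandom(32)                     # fresh Key(client, service)
    ticket = seal(tgs_keys["service"], k_c_s)  # first message: ticket for the service
    try:
        if flawed:   # [Key(client, TGS)]Key(client), as listed in the diagram
            second = seal(tgs_keys["client"], session)
        else:        # [Key(client, service)]Key(client, TGS), as corrected
            second = seal(session, k_c_s)
    except KeyError:
        return "TGS holds no Key(client)"

    # Client and service side: both must recover the same Key(client, service)
    client_copy = unseal(client_keys["client,tgs"], second)
    service_copy = unseal(k_service, ticket)
    return client_copy == service_copy

if __name__ == "__main__":
    print("as listed:", tgs_exchange(flawed=True))
    print("corrected:", tgs_exchange(flawed=False))
```
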