excessive SHA1 calls

Love Hörnquist Åstrand lha at samba.org
Sun Nov 27 13:34:02 GMT 2005

Andrew Bartlett <abartlet at samba.org> writes:

> On Fri, 2005-11-25 at 12:26 +0100, Love Hörnquist Åstrand wrote:
>> "Stefan (metze) Metzmacher" <metze at samba.org> writes:
>> > Love Hörnquist Åstrand schrieb:
>> >> The s2k(password,enctype) have the same property as the htlm hash, its a
>> >> password equvalent. One reason the function is so slow and tunable slow is
>> >> to make dictionary attacks very expensive. So storing the
>> >> s2k(password,enctype) just next to the password is fine.
>> >
>> > is it correct that the client calls s2k() at kinit time?
>> > how would that prevent from dictionary attacks when the client can just use a
>> > tunned version?
>> Because you tune the s2k over time, and tuneing can be done each time a
>> user change their password. Today the factor is 4k, in 18month you can make
>> that 8k and it will still take 0.4s per password.
> How is that communicated to the clients?  For a client, I suppose it's
> in the kinit with the salt, but for a server, which has (for reasons of
> Microsoft network design) only a plaintext password, how does it know
> what s2k tuning factor to use, to decrypt incoming tickets?

The server needs to know the key, so after changing the password it should
do a kinit to fetch the salt and s2k parameters (or just store the user-key
when the transaction is done).

Nico williams had a proposal for the new password chaning protocol that the
client was told at least the enctype the KDC assigned to it, salt and s2k
parameter should go the same way.

BTW, see get_salt_and_kvno() in kcm, its not entirly what you want, but a
good start.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20051127/c82de135/attachment.bin

More information about the samba-technical mailing list