[Samba] How does SMB 3.0 encryption work?
abartlet at samba.org
Fri Aug 18 20:04:33 UTC 2017
On Fri, 2017-08-18 at 14:57 +0200, mathias dufresne wrote:
> This question is interesting and laeds me to another one:
> As KDC send a ticket to the client when trying to authenticate
> (something which should decrypted using user's password), is it
> possible to brute force this initial ticket locally?
Yes. You can also brute force the ticket given to the server, if the
server has a weak password (we hope not).
FAST is a Kerberos extension designed to avoid that, by first
authenticating the workstation to the KDC, and then using a tunnel
crated with that stronger password for your user ticket exchange.
Samba's Heimdal doesn't support that (modern versions do), but MIT does
and this is part of the motivation for a move to MIT Kerberos.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba