I-D for a new method: EAP-Kerberos
Hello, I've long wondered how Kerberos integration with RADIUS works; only recently did I understand that it answers to a PAP inquiry that uses the KDC as a password oracle. This is very disappointing. In the symmetric-key discipline of Kerberos, every derived key can be uncovered once the initial password is known. Sending the initial password through RADIUS, it suddenly becomes a third party able to decrypt ALL of a user's traffic! Moreover, directly using the password is a trick and has its limitations -- it won't work with PKINIT for example, as used under Windows smart card logon. I would argue that having a real EAP-Kerberos method is long overdue. Does this list agree that it would be useful to have such a method embedded within EAP? I have written an Internet Draft to define an EAP-Kerberos mechanism, and would be interested in feedback on it. If we establish consensus I would like to register it officially as a new EAP Method. So please, comment on it? https://datatracker.ietf.org/doc/draft-vanrein-eap-kerberos/ Thanks, Rick van Rein OpenFortress.nl / ARPA2.net
Hi,
This is very disappointing. In the symmetric-key discipline of Kerberos, every derived key can be uncovered once the initial password is known. Sending the initial password through RADIUS, it suddenly becomes a third party able to decrypt ALL of a user's traffic! Moreover, directly using the password is a trick and has its limitations -- it won't work with PKINIT for example, as used under Windows smart card logon.
for ANY method that requires a password that goes through another system, the password is known for the server agent - thats just how things are.
I would argue that having a real EAP-Kerberos method is long overdue. Does this list agree that it would be useful to have such a method embedded within EAP?
I have written an Internet Draft to define an EAP-Kerberos mechanism, and would be interested in feedback on it. If we establish consensus I would like to register it officially as a new EAP Method. So please, comment on it?
https://datatracker.ietf.org/doc/draft-vanrein-eap-kerberos/
work is already done for EAP kerberos - along with some other reuqiremens such as server security pinning - I would suggest that you read the ABFAB IETF stuff - 'Project Moonshot' was its original name - there is working software and FreeRADIUS 3 does it, for example https://tools.ietf.org/html/rfc7055 alan
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Rick van Rein