Re: Quiz: Can you spot the flaw

[kbucher () halomede com]

> Hello Webappsec Gurus,
>
> There is a flaw in this graphical representation of Kerberos: <
> http://www.xml-dev.com/blog/?action=viewtopic&id=21 >
>
> Can you spot the flaw? Also what needs to be done to correct it? 
>
> :-)
>
> Happy 4th of July!!! :-)
> -- 
> In Peace,
> Saqib Ali
> http://www.xml-dev.com/

I'm not a Kerberos expert, but in step 3, the second message from the
TGS to the client appears to be incorrect.

It is listed as:  

[Key(client, TGS)]Key(client)

The TGS shouldn't know the secret key of the client.  In addition, the
client already has Key(client, TGS), what it needs is
Key(client,service) to communicate with the Service Server.

So it should be:

[Key(client, service)]Key(client, TGS)

Do I win a prize?

Keith Bucher