Significant weaknesses in the common configuration of Kerberos-based authentication servers could allow attackers to more easily circumvent security measures in networks that rely on the open authentication standard, according to research presented by consultants at the Black Hat USA 2010 conference.
The researchers found several common configuration problems that may let attackers significantly weaken the security that Kerberos provides.

Companies typically use Kerberos in Microsoft Active Directory environments or in large university Unix or Linux networks, where users authenticate to a central server and then gain access to various network resources. An active attacker could cause an authentication server to downgrade the encryption type, or etype, used to protect the exchange of the authenticator, says Scott Stender, co-founder and principal consultant with iSEC Partners and an author of the report.

"The downgrade of etypes lets you downgrade to an encryption algorithm that you can brute force," Stender says.
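
The defender-side counterpart to the downgrade described above is to watch the KDC's ticket-issue records for weak etypes, and in particular for a client that negotiated AES earlier in the day and is later issued a weaker ticket. The following is an added example, not code from the article or from iSEC's research; it assumes a hypothetical one-line-per-ticket log format, uses the IANA-registered etype numbers, and treats every non-AES etype as weak as its own policy.

```python
"""Flag weak or downgraded Kerberos encryption types (etypes) in KDC audit lines.
Added example; the log format below is hypothetical and the sample lines are constructed."""
import re

# IANA-registered Kerberos etype numbers (RFC 3961 family).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
STRONG_ETYPES = {17, 18}   # AES; treating everything else as weak is this example's policy

# Constructed audit lines in a hypothetical KDC log format (not any real product's).
SAMPLE_LOG = """\
ts=09:00:01 client=alice@EXAMPLE.COM service=krbtgt/EXAMPLE.COM etype=18
ts=09:00:07 client=alice@EXAMPLE.COM service=cifs/fs01.example.com etype=23
ts=09:01:12 client=bob@EXAMPLE.COM service=krbtgt/EXAMPLE.COM etype=23
ts=09:01:40 client=carol@EXAMPLE.COM service=krbtgt/EXAMPLE.COM etype=17
ts=09:02:03 client=dave@EXAMPLE.COM service=http/web.example.com etype=3
ts=09:02:30 client=carol@EXAMPLE.COM service=ldap/dc1.example.com etype=18
"""

LINE_RE = re.compile(r"ts=(\S+) client=(\S+) service=(\S+) etype=(\d+)")


def audit_etypes(log_text):
    """Return a list of (kind, ts, client, service, etype_name) findings.

    kind is "weak_etype" for any ticket issued with a non-AES etype, and
    "downgrade" when a client that already received AES tickets is later
    issued a weaker one, the trace an active etype downgrade would leave.
    """
    findings = []
    clients_seen_strong = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # skip malformed or unrelated lines
        ts, client, service, etype = m.group(1), m.group(2), m.group(3), int(m.group(4))
        name = ETYPE_NAMES.get(etype, f"unknown({etype})")
        if etype in STRONG_ETYPES:
            clients_seen_strong.add(client)
            continue
        findings.append(("weak_etype", ts, client, service, name))
        if client in clients_seen_strong:
            findings.append(("downgrade", ts, client, service, name))
    return findings


if __name__ == "__main__":
    for finding in audit_etypes(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, it reports three weak-etype tickets and one downgrade (alice, who held an AES TGT and was then issued an RC4 service ticket).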

The link for this article located at Dark Reading is no longer available.