hi all and also we know when the domain joined client , we enter domain username and password, our password is encrypted via a hash algorithm. also we know that hash functions are MD5 , SHA1 , SHA2 ,... 1 ) which one of these algorithms , does kerberos protocol uses to encrypt our password? 2 ) so does a kerberos protocol component exist in all clients ( in addition to domain controller ?) thanks in advance

Hi. Microsoft has release information about how Windows 2000 uses Kerberos in RFC4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows. Also there is information in the microsoft technet article Changes in Kerberos Authentication [Windows 7 & windows 2008R2]. <> DES not enabled by default in Windows 7 and Windows Server 2008 R2 Both DES cipher suites (DES-CBC-MD5 & DES-CBC-CRC) are disabled by default in Windows 7.The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2: *AES256-CTS-HMAC-SHA1-96 *AES128-CTS-HMAC-SHA1-96 *RC4-HMAC </> So for which Windows version are we talking about? Oscar Virot

Hi. Microsoft has release information about how Windows 2000 uses Kerberos in RFC4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows. Also there is information in the microsoft technet article Changes in Kerberos Authentication [Windows 7 & windows 2008R2]. <> DES not enabled by default in Windows 7 and Windows Server 2008 R2 Both DES cipher suites (DES-CBC-MD5 & DES-CBC-CRC) are disabled by default in Windows 7.The following cipher suites are enabled by default in Windows 7 and Windows Server 2008 R2: *AES256-CTS-HMAC-SHA1-96 *AES128-CTS-HMAC-SHA1-96 *RC4-HMAC </> So for which Windows version are we talking about? Oscar Virot hi and thanks oscar. suppose my domain controller is win 2008 R2 and clients are win 7 . oscar, is far as i know ,when a domain user want to logon , the his os encrypts his password via a one-way hashing algorythm. also the domain controller generates a "1 time usable session key" for that client and present that to client. then client again encrypts his "password hash" via this session key and then present this "encrypted hash" to the domain controller. so here is a question : if someone in the middle , captures the sesion key ( when dc is presenting it to client and also captures the password hash( when client is presenting to DC , the this rogue client in the middle, can encrypt the obtained password hash with obtained session key and then present that to the DC , so DC thinks that is the real original client ( but in fact he is not ). so what security countermeasure exist for this ? where can i find a good updated link which completely describe this process ? thanks in advance

Hi. Well kerberos is a old system that has proven secure in unix, thats why Windows started using it. If we read Configuring Kerberos Policies. <> In a Windows 2000 Domain, Kerberos authentication is used by both client and a server in trying to determine each other's legitimacy. Kerberos works with private key cryptography. That is, both the Kerberos-enabled client and server share a secret key. Kerberos authentication works as follows (assuming the client initiates contact with the server): The client generates an authenticator that contains unique information about the client (for example, client name, client realm, the time on the client, a checksum of the data in the authenticator message, and so forth). Each authenticator is unique, because of the time information it contains. The client encrypts the authenticator with its copy of the secret key. The client sends the encrypted authenticator to the server. The server decrypts the authenticator with its copy of the secret key. The server creates its own unique authenticator, which also contains a portion of the client's authenticator. That way, the server proves to the client that it received the client's authenticator, and it was able to decrypt the message, indicating that it is the proper server that had access to the secret key. Note that since all authenticators must be unique, they are valid one time only. Therefore, Kerberos protects the system from replay attacks. A replay attack (with normal user identification (ID)/password authentication) is when an outsider can collect authentication data off of the network and replay it to the server. Since a user ID/password combination is good for many uses, the server cannot determine if the second authentication attempt is the valid user trying to open another session, or if it is an impostor trying to break into the system. Since the user ID/password information in the replay is correct, the system will grant access to the impostor. </> Hope that helps, if you want more the Wikipedia links to lots of RFC describing everything in more detail.Oscar Virot

Hi. Well kerberos is a old system that has proven secure in unix, thats why Windows started using it. If we read Configuring Kerberos Policies. <> In a Windows 2000 Domain, Kerberos authentication is used by both client and a server in trying to determine each other's legitimacy. Kerberos works with private key cryptography. That is, both the Kerberos-enabled client and server share a secret key. Kerberos authentication works as follows (assuming the client initiates contact with the server): The client generates an authenticator that contains unique information about the client (for example, client name, client realm, the time on the client, a checksum of the data in the authenticator message, and so forth). Each authenticator is unique, because of the time information it contains. The client encrypts the authenticator with its copy of the secret key. The client sends the encrypted authenticator to the server. The server decrypts the authenticator with its copy of the secret key. The server creates its own unique authenticator, which also contains a portion of the client's authenticator. That way, the server proves to the client that it received the client's authenticator, and it was able to decrypt the message, indicating that it is the proper server that had access to the secret key. Note that since all authenticators must be unique, they are valid one time only. Therefore, Kerberos protects the system from replay attacks. A replay attack (with normal user identification (ID)/password authentication) is when an outsider can collect authentication data off of the network and replay it to the server. Since a user ID/password combination is good for many uses, the server cannot determine if the second authentication attempt is the valid user trying to open another session, or if it is an impostor trying to break into the system. Since the user ID/password information in the replay is correct, the system will grant access to the impostor. </> Hope that helps, if you want more the Wikipedia links to lots of RFC describing everything in more detail. Oscar Virot nice. thank you very much oscar