As a security-conscious Kerberos user, I want to get initial tickets using a password (and possibly a second factor) without exposing the password to dictionary attack.

Description

Nathaniel McCallum is interested in creating a new pre-authentication mechanism which uses the SPAKE2 algorithm with elliptic curves to authenticate with passwords without allowing dictionary attacks. The mechanism will also allow strong, flexible integration with second-factor schemes.

The specification of this mechanism is in progress, hosted at https://github.com/npmccallum/ietf

Some prerequisite facilities for this project were implemented for 1.14:

http://k5wiki.kerberos.org/wiki/Projects/SPAKE_preauth_prereqs

Status

Assignee

Greg Hudson

Reporter

Greg Hudson

Labels

None

Priority

Normal