2

I've reviewed the RFCs and am pretty familiar with Kerberos.

It seems to me that over a non-encrypted link (HTTP), Kerberos doesn't leak the user's password (or hash-based challenge/response like NTLMv1/v2) and/or is susceptible to a replay attack.

In a properly designed implementation of Kerberos, is HTTP authentication considered secure over a non-encrypted link?

Nash Rajao

1 Answer

3

Kerberos authentication on HTTP will encapsulate the Kerberos ticket inside a SPNEGO token and will not expose user credentials. A replay attack is stopped by authenticators. But there is a possibility of an active MITM attack where you would prevent the server from receiving the captured authenticator. Please see this paper for more details.

Marko Vodopija
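A minimal model of the server-side authenticator check the answer refers to, added here as an example and not part of the original answer or of any Kerberos implementation. The class names, the 300-second skew and the sample values are assumptions; it shows that a replay cache only knows authenticators the server actually received, which is the gap the answer points to.

```python
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; assumed value (the common 5-minute default)


@dataclass(frozen=True)
class Authenticator:
    """Fields a server compares after decrypting the authenticator (hypothetical layout)."""
    cname: str
    crealm: str
    ctime: int  # client timestamp, seconds
    cusec: int  # microsecond part of the client timestamp


class ReplayCache:
    """Remembers authenticators for as long as the skew check would still accept them."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self.seen = {}  # authenticator -> ctime

    def check(self, auth, now):
        # Entries older than the skew window are rejected by time alone, so drop them.
        self.seen = {a: t for a, t in self.seen.items() if abs(now - t) <= self.skew}
        if abs(now - auth.ctime) > self.skew:
            return "rejected: outside clock skew"
        if auth in self.seen:
            return "rejected: replay"
        self.seen[auth] = auth.ctime
        return "accepted"


def demo():
    t0 = 1_700_000_000  # constructed timestamp
    auth = Authenticator("alice", "EXAMPLE.COM", t0, 123456)  # constructed values
    server = ReplayCache()
    results = [
        server.check(auth, now=t0 + 1),    # first delivery
        server.check(auth, now=t0 + 30),   # same authenticator seen again
        server.check(auth, now=t0 + 301),  # past the skew window
    ]
    # A cache that never recorded the original has nothing to compare against,
    # so the same authenticator is judged on its timestamp alone.
    results.append(ReplayCache().check(auth, now=t0 + 30))
    return results


if __name__ == "__main__":
    print(demo())
```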