Pre-authentication

• Kerberos 5 added pre-authentication

• Client is required to prove it’s identity to the Kerberos AS in the first step
• By supplying an encrypted timestamp (encrypted with users secret key)
• This prevents an active attacker being able to easily obtain data from the KDC encrypted with any user’s key
• Then able to mount an offline dictionary attack