[1274] in Kerberos


Re: Storing tickets safely

daemon@ATHENA.MIT.EDU (Jeffrey I. Schiller)
Sat Mar 2 23:44:06 1991

Date: Sat, 2 Mar 91 23:07:01 EST
From: Jeffrey I. Schiller <jis@MIT.EDU>
To: hilary@snll-arpagw.llnl.gov
Cc: kerberos@ATHENA.MIT.EDU, hilary@snll-arpagw.MIT.EDU
In-Reply-To: Hilary Jones's message of Sat, 2 Mar 91 12:40:57 -0800 <9103022040.AA09100@snll-arpagw.llnl.gov>

Whether or not tickets are stored in the Kernel or in a file is not a
function of Kerberos, but of the system platforms that run Kerberos.  V5
Kerberos provides a ticket cache abstraction which by default stores
tickets in a file (because that is the only "portable" thing we can do).
However if your system has the appropriate functions to store tickets in
the kernel, it should not be hard to implement a ticket cache
abstraction that uses it.

   From: hilary@snll-arpagw.llnl.gov (Hilary Jones)
   Subject: Storing tickets safely

   I have a concern about one of the premises of Kerberos, and that is
   that storing a ticket on a workstation is somehow more secure than
   storing a file containing the user's password.  It seems to me that the
   ticket is nothing more than a glorified password, and that this will
   become even more apparent if longer-lived passwords become the norm.
   ...

It *is* more secure to only store the ticket rather than the password.
Tickets have a definite, known lifetime. How long that lifetime should
be is a trade-off between security and convenience. If a ticket is
compromised, the duration of the compromise is bounded. I will also
point out that normal (many hour duration) tickets are *not* valid for
*password* change requests. This means that compromised tickets cannot
be used to change a user's password.

Passwords on the other hand have an infinite or at the very least an
indeterminate lifetime. A password is valid until it is changed by
explicit action (some systems age passwords, but that is another
situation). It is therefore more important to protect them better (i.e.
not store them on the workstation).

From a practical point of view this means that if my tickets are stored
on a workstation, tomorrow morning I *know* that my account is "safe"
(hanky panky may have already happened, but no future hanky panky can
happen). If my password was stored on the workstation, I don't *know*
that it wasn't compromised. It may well have been stolen, but the thief
may not take advantage of it for days. Of course if I am paranoid I
could change it (and people with reason to be paranoid should in general
change their password often) but that isn't the point.

			-Jeff
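As an added illustration of two points in Jeff's reply (the file-backed ticket cache that V5 uses by default, and the argument that a stolen ticket is bounded by its end time and is not usable for a password change), here is a small Python program. It is not part of the original message and not MIT's code. It assumes the version-4 FILE credential-cache layout used by later MIT krb5 releases (the 1991 code wrote an earlier version of the format), the krb5 ticket-flag value for INITIAL (0x00400000), and the later MIT rule that kadmind only accepts a password change carried by an INITIAL ticket for kadmin/changepw; the cache bytes, principal names and clock value are constructed inside the program, not captured from a real system.

```python
"""Read a constructed MIT krb5 FILE ccache (version 4) and evaluate each cached
ticket the way Jeff's argument does: how long a thief can still use it, and
whether it could be used to change the password.  Added example; all sample
data is constructed here.  Layout assumed: MIT krb5 FILE ccache v4, big-endian."""
import struct

TKT_FLG_INITIAL = 0x00400000   # assumed krb5 flag bit: ticket came straight from an AS exchange
NOW = 1_700_000_000            # constructed clock, seconds since the epoch


def _data(b):
    """ccache 'data' item: 32-bit length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _princ(realm, comps, name_type=1):
    """ccache principal: name type, component count, realm, then the components."""
    out = struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in comps)


def build_ccache(realm, client, creds):
    """Serialize a version-4 FILE ccache holding the given credentials (constructed data)."""
    hdr = struct.pack(">HHII", 1, 8, 0, 0)                  # header tag 1: KDC time offset 0 s / 0 us
    out = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr + _princ(realm, client)
    for c in creds:
        out += _princ(realm, client) + _princ(realm, c["server"])
        out += struct.pack(">H", 18) + _data(b"\x11" * 32)  # keyblock: enctype 18, dummy session key
        out += struct.pack(">IIII", c["authtime"], c["authtime"], c["endtime"], 0)
        out += b"\x00" + struct.pack(">I", c["flags"])       # is_skey, ticket_flags
        out += struct.pack(">II", 0, 0)                      # no addresses, no authorization data
        out += _data(b"\x22" * 48) + _data(b"")              # opaque ticket, empty second_ticket
    return out


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        chunk = self.buf[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated credential cache")
        self.pos += n
        return chunk

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def princ(self):
        _name_type, n = self.u32(), self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm


def parse_ccache(buf):
    """Return (default principal, list of credential dicts) from a v4 FILE ccache."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache version 4 is handled here")
    r.take(r.u16())                                  # skip header tags
    default, creds = r.princ(), []
    while r.pos < len(buf):
        client, server = r.princ(), r.princ()
        r.u16(); r.data()                            # keyblock: enctype and session key, not needed here
        authtime, starttime, endtime, renew_till = (r.u32() for _ in range(4))
        r.u8()                                       # is_skey
        flags = r.u32()
        for _ in range(r.u32()): r.u16(); r.data()   # addresses
        for _ in range(r.u32()): r.u16(); r.data()   # authorization data
        ticket, _second = r.data(), r.data()
        creds.append(dict(client=client, server=server, authtime=authtime,
                          endtime=endtime, flags=flags, ticket=ticket))
    return default, creds


def seconds_of_exposure(cred, now):
    """Remaining time a thief could use this cached ticket: bounded by endtime, never infinite."""
    return max(0, cred["endtime"] - now)


def usable_for_kpasswd(cred):
    """Assumed later-MIT rule: only an INITIAL ticket for kadmin/changepw (obtained with the
    password itself, never via the TGT) is accepted for a password change."""
    return cred["server"].startswith("kadmin/changepw@") and bool(cred["flags"] & TKT_FLG_INITIAL)


# Constructed cache: a kinit TGT, a service ticket fetched through the TGS, and a short kpasswd ticket.
SAMPLE = build_ccache("EXAMPLE.ORG", ["hilary"], [
    dict(server=["krbtgt", "EXAMPLE.ORG"], authtime=NOW - 3600, endtime=NOW + 7 * 3600, flags=0x40E00000),
    dict(server=["host", "ws.example.org"], authtime=NOW - 3600, endtime=NOW + 7 * 3600, flags=0x40A00000),
    dict(server=["kadmin", "changepw"], authtime=NOW, endtime=NOW + 300, flags=0x00600000),
])

if __name__ == "__main__":
    default, creds = parse_ccache(SAMPLE)
    print("cache for", default)
    for c in creds:
        print(f"{c['server']:40} exposure {seconds_of_exposure(c, NOW):6d}s  kpasswd {usable_for_kpasswd(c)}")
```

Run as a script it lists each ticket's remaining exposure and whether it could carry a password change; the TGT and the host ticket both expire in a few hours, and only the deliberately short kadmin/changepw ticket, which had to be obtained with the password itself, passes the kpasswd check. A password stored on the same workstation has no endtime field to evaluate at all, which is the point of the reply above.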

