[1021] in Kerberos
Re: Why is initial user authentication done the way it is?
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Jun 15 16:29:37 1990
Date: Fri, 15 Jun 90 15:37:28 -0400
From: Theodore Ts'o <tytso@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU
In-Reply-To: Wesley Craig's message of 15 Jun 90 17:01:37 GMT,
Reply-To: tytso@ATHENA.MIT.EDU
>Sure there is. All I have to do is get a valid TGT, and then ask the
>KDC for a ticket to jik@ATHENA.MIT.EDU. The response will include a
>"ticket to jik", which will contain my name (and other things)
>encrypted in your key. I can then bang on the ticket all I want in
>the privacy of my own CPU.
This is interesting, but really not as bad as the problem Jon and I
talked about. The above *does* require a valid TGT, first. Biff, of
course, doesn't have a valid TGT. Unfortuately he doesn't need one,
either.
Getting a valid TGT is pretty trivial. Athena's Kerberos setup has
several guest/test principals whose passwords are eminently guessable.
In addition, anybody who has a principal (or who can crack a guest/test
principal) in a Kerberos realm who has exchanged keys with the target's
Kerberos server can also get a cross-realm TGT. As you can see, it
*isn't* hard to get a TGT, and so it *won't* be hard to request a ticket
for jik@ATHENA.MIT.EDU.
So for this reason, I don't think there's any point in complicating the
protocol with a pre-authentication step for an initial
ticket-granting-ticket, as long as there's another similar "hole" which
cannot be closed without doing major revisions to the entire Kerberos
concept.
In addition, I think people are going a bit rabid screaming "dictionary
attack". Granted, you can pre-compute the string_to_key() to obtain a
"dictionary", and this process does involve a DES encryption step, so it
would save a bit of time. But you still have to use the resultant key
to attempt a DES decryption for every single key in your "dictionary" on
the sealed TGT which you got from the server, and this decryption can
not be done in parallel for many different users. (This is assuming
that the confounders in V5 Kerberos prevent the optimization which Ted
Anderson pointed out.) And as Steve Bellovin has asserted, the speed
difference involved between the DES decyption and something like
fcrypt() are probably very close to each other.
- Ted
P.S. I've always wondered what would happen if someone were to create a
DES chip with the modified E-boxes (and optimized it for Unix password
cracking) in an VLSI design course... :-)
