[1027] in Kerberos
J. Pato's comments on dictionary attacks
daemon@ATHENA.MIT.EDU (John Fletcher)
Mon Jun 18 13:30:11 1990
Date: Mon, 18 Jun 90 09:29:39 PDT
From: fletch@ocfmail.ocf.llnl.gov (John Fletcher)
To: kerberos@ATHENA.MIT.EDU
Cc: fletch@llnl.gov
The concept of verifiable plaintext introduced by Mark Lomas, Gong,
Saltzer, and Needham seems quite powerful. It implies that if the following
hold for a conversation between two processes:
o The only private information initially shared by the processes is a key
chosen from a small keyspace (e.g., a poorly chosen password).
o An eavesdropper has access to the entire conversation (e.g., has
tapped the "wire").
o The conversation includes verifiable plaintext (obtainable by some
number of en/decryptions starting with the original key).
Then the eavesdropper can discover the key and therefore the plaintext of the
entire conversation by "brute force".
For example, the notion of "decoupling" a principal's password from his
secret key, but allowing retrieval of the secret key using the password as a
key, does not significantly impede the eavesdropper: He can still try one
password at a time, getting a possible secret key and using that key to extract
the verifiable plaintext; his added cost is no more than that added to the
eavesdropped conversation, namely one more en/decryption per trial.
John Fletcher
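The two attacks Fletcher describes, simulated end to end. This is an added example and is not code from the message, from the Lomas/Gong/Saltzer/Needham paper, or from Kerberos: the string-to-key function and the cipher are SHA-256 stand-ins for Kerberos v4 string-to-key and DES (assumption; the attack only needs a deterministic, invertible cipher), the "verifiable plaintext" is a constructed fixed tag `KRB_REPLY:` at the front of the KDC reply (assumption), and the wordlist is constructed. Scenario 1 encrypts the reply directly under the password-derived key; scenario 2 is the "decoupled" design, where a random secret key protects the reply and the eavesdropper also sees that secret key wrapped under the password-derived key. The decryption counters show that decoupling costs the attacker exactly one extra decryption per trial, as the message argues.

```python
import hashlib
import os

# Toy stand-ins (assumptions, not Kerberos code): a string-to-key function and a
# symmetric stream cipher built from SHA-256. Kerberos v4 used DES; the dictionary
# attack only relies on the cipher being deterministic and invertible.

def string_to_key(password: str) -> bytes:
    """Derive a 16-byte key from a password (stand-in for Kerberos string-to-key)."""
    return hashlib.sha256(password.encode()).digest()[:16]

def crypt(key: bytes, data: bytes) -> bytes:
    """XOR `data` with a keystream derived from `key`; encryption == decryption."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Verifiable plaintext: the decrypted KDC reply has a recognizable structure.
# Here that structure is a constructed fixed tag (assumption).
REPLY_TAG = b"KRB_REPLY:"

def is_verifiable(plaintext: bytes) -> bool:
    return plaintext.startswith(REPLY_TAG)

def make_reply(principal: str, session_key: bytes) -> bytes:
    return REPLY_TAG + principal.encode() + b":" + session_key.hex().encode()

# --- Scenario 1: the reply is encrypted directly under K = string_to_key(pw).

def eavesdrop_direct(password: str) -> bytes:
    """What the wire-tapper sees: the reply encrypted under the password-derived key."""
    return crypt(string_to_key(password), make_reply("fletch@LLNL.GOV", os.urandom(8)))

def attack_direct(ciphertext: bytes, dictionary):
    """Return (password, trials, decryptions); one decryption per candidate."""
    decryptions = 0
    for trial, guess in enumerate(dictionary, 1):
        decryptions += 1
        if is_verifiable(crypt(string_to_key(guess), ciphertext)):
            return guess, trial, decryptions
    return None, len(dictionary), decryptions

# --- Scenario 2: "decoupled" secret key. A random SK encrypts the reply, and SK is
# only obtainable by decrypting E_{string_to_key(pw)}(SK), which is also on the wire.

def eavesdrop_decoupled(password: str):
    """What the wire-tapper sees: the wrapped secret key and the encrypted reply."""
    secret_key = os.urandom(16)
    wrapped = crypt(string_to_key(password), secret_key)
    reply = crypt(secret_key, make_reply("fletch@LLNL.GOV", os.urandom(8)))
    return wrapped, reply

def attack_decoupled(wrapped: bytes, ciphertext: bytes, dictionary):
    """Return (password, trials, decryptions); two decryptions per candidate."""
    decryptions = 0
    for trial, guess in enumerate(dictionary, 1):
        candidate_sk = crypt(string_to_key(guess), wrapped)  # unwrap: the extra step
        decryptions += 1
        decryptions += 1                                     # then decrypt the reply
        if is_verifiable(crypt(candidate_sk, ciphertext)):
            return guess, trial, decryptions
    return None, len(dictionary), decryptions

# Constructed wordlist (assumption) standing in for a dictionary of poor passwords.
DICTIONARY = ["password", "athena", "kerberos", "letmein", "mit1990"]

if __name__ == "__main__":
    print("direct:   ", attack_direct(eavesdrop_direct("kerberos"), DICTIONARY))
    wrapped, reply = eavesdrop_decoupled("kerberos")
    print("decoupled:", attack_decoupled(wrapped, reply, DICTIONARY))
    print("strong pw:", attack_direct(eavesdrop_direct("correct-horse"), DICTIONARY))
```

Neither scenario gives the eavesdropper anything that depends on the password beyond what is already on the wire, so the cost of the search is governed by the size of the wordlist, not by the extra layer of encryption; the only countermeasure that changes the picture is removing verifiable plaintext from what an unauthenticated party can obtain.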