[1028] in Kerberos


Re: J. Pato's comments on dictionary attacks

daemon@ATHENA.MIT.EDU (Joe Pato)
Mon Jun 18 15:12:55 1990

From: pato@apollo.com (Joe Pato)
Date: Mon, 18 Jun 90 14:02:02 EDT
To: fletch@ocfmail.ocf.llnl.gov (John Fletcher)
Cc: kerberos@ATHENA.MIT.EDU, fletch@llnl.gov
In-Reply-To: fletch@ocfmail.ocf.llnl.gov (John Fletcher), mon, 18 jun 90 12:29:39

Let me restate an earlier comment.  There is no substitute for well chosen
passwords.  This is the focus of the first proposal which would allow the KDC
to pass judgement on the quality of new passwords.

The second proposal to decouple a principal's password from their secret key
is motivated by known-plaintext attacks via the acquisition of a service ticket
to a given principal.  This attack does not require the attacker to have access
to the physical network - the attacker need not tap the network, it is enough
to use the KRB_TGS_REQ/KRB_TGS_REP protocol from a remote realm (on a remote
network).

As you point out, this second proposal is of no help against an attacker that
can tap the network.  To some extent it isn't necessary if the first proposal
is implemented.  The goal of the second proposal is to ensure "good" secret
keys by having them generated "randomly" by the KDC in a way unrelated to the
potentially poorly chosen password.  If the password is forced to be "good",
then this second step is redundant.

The second proposal does, however, provide some additional protection for
passive principals (i.e., those that are not active and therefore immune from
eavesdropping attacks) in the event of a change in the realm's password policy
from relaxed to strict.  This additional protection, however, may be of
marginal interest.

                    -- Joe Pato
                       Cooperative Object Computing Operation
                       Hewlett-Packard Company
                       pato@apollo.hp.com
-------
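
The two proposals discussed in this message, sketched from the KDC administrator's side as an added example (not part of the original message and not code from any Kerberos implementation). PBKDF2 stands in for the Kerberos string-to-key function, and the realm name, principals, word list and quality thresholds are constructed assumptions.

```python
import hashlib, hmac, secrets

# Constructed sample data: a tiny "weak password" list and a realm name.
WEAK_WORDS = ["password", "kerberos", "athena", "letmein"]
REALM = "EXAMPLE.REALM"

def password_key(password: str, principal: str) -> bytes:
    """Stand-in string-to-key: the secret key is a pure function of the password."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def random_key() -> bytes:
    """Second proposal: the KDC generates the key, unrelated to any password."""
    return secrets.token_bytes(32)

def kdc_accepts(password: str) -> bool:
    """First proposal: the KDC judges the quality of a new password."""
    classes = sum(any(test(c) for c in password)
                  for test in (str.islower, str.isupper, str.isdigit,
                               lambda c: not c.isalnum()))
    return (len(password) >= 12 and classes >= 3
            and password.lower() not in WEAK_WORDS)

def audit(db: dict) -> list:
    """Return principals whose stored key is reproducible from WEAK_WORDS."""
    flagged = []
    for principal, key in db.items():
        if any(hmac.compare_digest(key, password_key(w, principal))
               for w in WEAK_WORDS):
            flagged.append(principal)
    return sorted(flagged)

def build_sample_db() -> dict:
    # Constructed principals, all registered under a relaxed policy.
    return {
        "alice": password_key("athena", "alice"),             # weak password
        "bob": password_key("Tr1cky-horse-battery", "bob"),   # strong password
        "backup-svc": random_key(),                           # KDC-generated key
    }

if __name__ == "__main__":
    print("keys reproducible from the word list:", audit(build_sample_db()))
```

Only the key derived from a listed word is flagged; the KDC-generated key cannot be reproduced from any password, which is the protection the second proposal gives to principals that never re-register after the policy becomes strict.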
