[1031] in Kerberos
Trivial passwords
daemon@ATHENA.MIT.EDU (Clifford Neuman)
Mon Jun 18 23:08:33 1990
Date: Mon, 18 Jun 90 18:57:56 -0700
From: bcn@CS.WASHINGTON.EDU (Clifford Neuman)
To: kerberos@MIT.EDU
Cc: lunt@CTT.BELLCORE.COM, jon@MIT.EDU
In-Reply-To: Jon A. Rochlis's message of Mon, 18 Jun 90 20:06:01 EDT <9006190006.AA22474@delwin.MIT.EDU>

I believe that the correct place for checking the sanity of passwords
is at the client. A user that makes the effort to get around the
restriction is only hurting itself. I do not really have any
objection to the admin server also checking the password, but I object
to providing the actual password to the server (this will make sense
when you read what follows).

The problem is that users registered in multiple realms are likely to
use the same password more than once. If an attacker compromises the
security of the Kerberos server in one realm (or alternatively, if the
administrator abuses his authority), the password for that user in the
other realms might be compromised.

The solution was suggested by Ted Anderson some time ago. String to
key should be a one-way function using the name of the realm as a
seed. If this is done, the key for the alternate realm could not be
derived from the compromised key.

When changing the key, the one-way transformation could be done at
either the client or the admin server. I prefer doing it as close to
the source of the key as possible (i.e. at the client).

If the one-way function is affected only by the name of the realm and
the password, then, as Jon indicated, bad passwords can still be
checked on the admin server by comparing the key against a precomputed
dictionary of bad keys. It has been suggested, however, that string
to key be a function of the password and the full name of the
principal to which it applies. This would make it difficult to use a
precomputed dictionary on the admin server because a different
dictionary would be needed for each user. The tradeoff is that doing
so also makes it more difficult for an attacker to use a precomputed
dictionary. Since such an attack will also be thwarted by the use of
confounders, the correct choice for the string to key algorithm is not
at all clear.

~ Cliff
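
The tradeoff discussed in this message, as an added example that is not part of the original e-mail and is not Kerberos code: an admin server that receives only keys checks them against a precomputed dictionary of bad keys, first with a realm-seeded string-to-key and then with a principal-seeded one. Assumptions: PBKDF2-HMAC-SHA256 stands in for the one-way function, and the realm names, the principal `alice`, the password list and the `AdminServer` class are constructed for illustration.

```python
import hashlib

ITERATIONS = 1000  # assumption: small work factor so the example runs quickly

def string_to_key(password: str, salt: str) -> bytes:
    """One-way password-to-key transform. PBKDF2-HMAC-SHA256 is a stand-in
    chosen for this example; it is not the Kerberos string-to-key algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)

# Constructed sample list of passwords the site considers trivial.
BAD_PASSWORDS = ["password", "kerberos", "12345678", "letmein"]

def bad_key_dictionary(salt: str) -> set:
    """Precompute the keys that the trivial passwords map to under one salt."""
    return {string_to_key(p, salt) for p in BAD_PASSWORDS}

class AdminServer:
    """Sees only keys, never passwords (hypothetical class for illustration)."""

    def __init__(self, realm: str):
        self.realm = realm
        # Realm-seeded scheme: one dictionary, built once, covers every user.
        self.realm_bad_keys = bad_key_dictionary(realm)

    def accept_realm_seeded(self, key: bytes) -> bool:
        return key not in self.realm_bad_keys

    def accept_principal_seeded(self, principal: str, key: bytes) -> bool:
        # Principal-seeded scheme: the dictionary differs for each user, so it
        # must be rebuilt (or stored) per principal.
        return key not in bad_key_dictionary(f"{principal}@{self.realm}")

def demo() -> dict:
    a, b = AdminServer("REALM-A.EXAMPLE"), AdminServer("REALM-B.EXAMPLE")
    reused = "correct horse battery"  # same password registered in both realms
    weak_key = string_to_key("kerberos", a.realm)
    weak_user_key = string_to_key("kerberos", f"alice@{a.realm}")
    return {
        "keys_differ_across_realms":
            string_to_key(reused, a.realm) != string_to_key(reused, b.realm),
        "realm_dict_rejects_weak": not a.accept_realm_seeded(weak_key),
        "realm_dict_accepts_good": a.accept_realm_seeded(string_to_key(reused, a.realm)),
        "realm_dict_misses_principal_seeded_key": a.accept_realm_seeded(weak_user_key),
        "per_user_dict_rejects_weak": not a.accept_principal_seeded("alice", weak_user_key),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fourth result is the cost named in the message: once the principal name enters the seed, the single per-realm dictionary no longer recognizes a trivial password, and the server needs a dictionary per user.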