[1399] in Kerberos
Onetime passwords
daemon@ATHENA.MIT.EDU (Chris Riddick)
Tue May 21 11:21:40 1991
From: Chris Riddick <cjr@simpact.COM>
To: mdl@b.gp.cs.cmu.edu
Cc: cjr@simpact.COM, kerberos@ATHENA.MIT.EDU
Date: Tue, 21 May 91 8:38:27 EDT
My note:
>> From: Chris Riddick <cjr@simpact.COM>
>>
>> There is a way to render the dictionary attack ineffective. That is the use
>> of one-time passwords. With a onetime password, even a TGT that was stolen
>> simply by eavesdropping during login would not be useful. The password that
>> was extracted via the dictionary attack (other other cryptanalysis) was only
>> good for that login (i.e., TGT). The next time the user logs in, a
>> different password will be required.
You responded with:
> No. "One-time passwords" (this is really the wrong term for
>this, but I know what you mean from the previous time you explained
>yourself), do NOT by themselves render the dictionary attack
>ineffective. If the user chooses his/her own master password, the fact
>that one-time passwords are generated from it will not make the attack
>impossible. [The details of how to alter the attack to deal with this
>are left to the reader.]
>
> However, forcing the user to use a randomly generated password
>will render the dictionary attack useless. Granted, this is
>particularly easy to do when the user already has to carry a one-time
>password generator device around with him/her.
You made an assumption that the method used to generate the one-time
password depended upon a seed value chosen by the user. If the method
of generating the one-time password can be shown to protect the seed
value, then simply breaking the encryption to get into the TGT only gives the
onetime password. You cannot reuse the TGT and the password cannot be
reused. If you have no way of working back to the original seed value,
then you have rendered attack ineffective (other than deciphering the TGT,
which exposes the session key between the user and the Kerberos server).
There are two threats to protect against here. The first is the
protection of the password for kerberos login. The second is the
privacy of the communications between the user and the kerberos server.
A properly generated one-time password will protect the kerberos login.
However, any successful cryptographic attack against the TGT will
expose the session key. Obviously, a proper solution has to address
both of these vulnerabilities.
The key aspect of the onetime password is that we can ensure that the
attacker does not gain access to the kerberos server to get another
TGT (an auditable event). The user is vulnerable during the period
before the TGT expires/revoked if the encryption is broken.
Chris Riddick
