[1400] in Kerberos
Onetime passwords
daemon@ATHENA.MIT.EDU (Mark Lillibridge)
Tue May 21 11:23:45 1991
From: Mark Lillibridge <mdl@B.GP.CS.CMU.EDU>
Date: Tue, 21 May 91 10:34:58 EDT
To: cjr@simpact.COM
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Chris Riddick's message of Tue, 21 May 91 8:38:27 EDT <9105211238.aa10181@nss1.simpact.COM>
> From: Chris Riddick <cjr@simpact.COM>
> Date: Tue, 21 May 91 8:38:27 EDT
>
> ...
>
> You made an assumption that the method used to generate the one-time
> password depended upon a seed value chosen by the user.

If the seed value is chosen by the user, you could have a
problem with dictionary attacks. If the seed value is chosen randomly,
obviously, you can't have a problem with a dictionary attack as there is
no dictionary involved. The latter case solves the problem but the use
of one-time passwords is not why it does so. The randomly chosen key
is the reason.

> If the method
> of generating the one-time password can be shown to protect the seed
> value, then simply breaking the encryption to get into the TGT only gives the
> onetime password. You cannot reuse the TGT and the password cannot be
> reused. If you have no way of working back to the original seed value,
> then you have rendered attack ineffective (other than deciphering the TGT,
> which exposes the session key between the user and the Kerberos server).

Let me give a concrete example. Suppose the user chose "Fred"
as her password. Now, when it is time to log in, Kerberos picks a
random key r. Kerberos then encrypts r with a key derived from "Fred"
to get k. Kerberos then sends the normal TGT information encrypted with
k together with r. The user is then challenged with r. She types r
into her handheld which encrypts it with the key derived from "Fred",
thus obtaining k which it then displays. She then types in k and
authentication proceeds in the obvious manner. I would call this a
"one-time password system". Let me know if you disagree.

How can I check if her password is "Fred"? Well, I take a
handheld, type in "Fred" as the key then r [from a previous TGT
request]. If the handheld responds with k, her password is indeed
"Fred", otherwise it is not. Thus, by this technique, given an r-k pair
from a previous successful login, I can very quickly discover the
user's password if it is in a small dictionary. This meets my
definition of a successful dictionary attack.

I note that by using randomness on both sides of the connection,
it may be possible to foil dictionary attacks. I mentioned this in my
first reply. However, the protection comes from the randomness, not the
one-time password part.

- Mark Lillibridge
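
The r-k check described in the message above, as an added example that is not part of the original post: it shows why a handheld key derived from a user-chosen word can be confirmed offline from one observed r-k pair, while a randomly chosen key cannot. The SHA-256 key derivation, the use of HMAC-SHA256 as a stand-in for the handheld's "encrypt r" step, and the word list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample dictionary (assumption, for illustration only).
DICTIONARY = ["Alice", "Barney", "Fred", "Wilma"]


def derive_key(password: str) -> bytes:
    """Key derived from a user-chosen password (assumed: SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


def handheld(key: bytes, r: bytes) -> bytes:
    """Handheld response k for challenge r.
    Assumed: HMAC-SHA256 stands in for 'encrypt r with the key'."""
    return hmac.new(key, r, hashlib.sha256).digest()


def observe_login(key: bytes):
    """One login as seen on the wire: a fresh random r and the matching k."""
    r = secrets.token_bytes(8)
    return r, handheld(key, r)


def find_password(r: bytes, k: bytes, dictionary):
    """Return the dictionary word whose derived key maps r to k, else None."""
    for word in dictionary:
        if hmac.compare_digest(handheld(derive_key(word), r), k):
            return word
    return None


def demo():
    # Case 1: the handheld key comes from the user-chosen word "Fred".
    r1, k1 = observe_login(derive_key("Fred"))
    # Case 2: the handheld key is 16 random bytes, so no dictionary applies.
    r2, k2 = observe_login(secrets.token_bytes(16))
    return find_password(r1, k1, DICTIONARY), find_password(r2, k2, DICTIONARY)


if __name__ == "__main__":
    print(demo())
```

Both cases use a fresh r per login, so the different outcomes come only from how the key was chosen.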