[2930] in Kerberos


Re: About principals' secret keys & attacks

daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Dec 17 15:36:49 1993

To: Carlos Horowicz <carlos@athea.ar>
Cc: kerberos@MIT.EDU
In-Reply-To: [2929] in Kerberos
Date: Fri, 17 Dec 93 15:19:09 EST
From: Derek Atkins <warlord@MIT.EDU>

> 1. Can the principal's secret key be decrypted, in the case the master key
> is stolen ?  If the UNIX password crypt algorithm doesn't have a reverse,
> is this not a drawback against UNIX passwords ? I mean, in UNIX a user
> cannot be faked as far as he/she doesn't own an .rhosts file, am I right ?

If someone has access to the kerberos master password and also has
access to the kerberos database, then the game is over.  They can get
everyone's key and, for all intents and purposes, they can become the
KDC.

However, this does *not* give the attacker the user's Password, only
the DES key to which that password is hashed.  So, they couldn't use
that information to go to a random machine and log in, since the login
will require typing a password, which the attacker cannot know.

On the other hand, the attacker, using this information, can generate
their own kinit which takes a DES key instead of a password, and then
they win.

> 2. If an attacker wants to break a principal's secret key, is there any
> way to identify the attack, for example, by exceeding some number of 
> trials ?

Depends on how the attacker goes about trying.  The attacker could, in
the kerberos 4 algorithm, request a TGT for a specific
user/service/etc., take the data they get from the KDC offline, and
then try to break it until they find the appropriate DES key or
passphrase.  Then they can go live again and ask for this same
principal, and they now have the key to open the packet, assuming
the key hasn't been changed.

I hope this answers your questions.

-derek

         Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
     Secretary, MIT Student Information Processing Board (SIPB)
         PGP key available from pgp-public-keys@pgp.mit.edu
            warlord@MIT.EDU       PP-ASEL        N1NWH
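
The two attacks Derek describes (a home-made kinit that takes the DES key instead of the password, and the offline attack on a KDC reply obtained with a single TGT request) as an added, runnable illustration. This is not code from the original message or from any Kerberos implementation: the Kerberos 4 string_to_key and DES are replaced by SHA-256 and an HMAC keystream so it runs with the Python standard library, the KDC is a constructed in-process stand-in, and the principal, password and wordlist are made up. What carries over is the structure of the attack: the KDC hands out a reply encrypted under the user's key without any proof the requester knows the password, the reply has recognisable plaintext, so every password guess can be checked locally and the KDC only ever sees one request.

```python
import hashlib
import hmac
import struct

# Constructed demo data (not from the original message).  The KDC database
# holds only the key derived from each principal's password, never the password.
REALM = "ATHENA.MIT.EDU"
USER_PASSWORD = "correct horse"   # constructed; the attacker does not know it
WORDLIST = ["password", "kerberos", "athena", "correct horse", "hunter2"]  # constructed


def string_to_key(password: str, realm: str) -> bytes:
    """Stand-in for the Kerberos 4 DES string_to_key: a public, deterministic
    function from password (salted with the realm) to an 8-byte key.  SHA-256
    replaces the DES-based derivation; the attack only needs determinism."""
    return hashlib.sha256(realm.encode() + b":" + password.encode()).digest()[:8]


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in for DES: a deterministic HMAC-SHA256 keystream, so that
    encryption and decryption are both a XOR with this stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class FakeKDC:
    """Models the property the message relies on: a Kerberos 4 KDC answers a
    TGT request for any principal without the requester proving knowledge of
    the password.  The reply is encrypted under the principal's key and has a
    known layout: service name, realm, lifetime byte, session key."""

    def __init__(self):
        self.db = {"carlos": string_to_key(USER_PASSWORD, REALM)}
        self.requests = 0   # the only thing an administrator could count

    def as_request(self, principal: str) -> bytes:
        self.requests += 1
        session_key = b"\x11" * 8   # constructed; a real KDC picks this at random
        plaintext = (b"krbtgt\0" + REALM.encode() + b"\0"
                     + struct.pack(">B", 255) + session_key)
        return crypt(self.db[principal], plaintext)


def looks_like_tgt_reply(plaintext: bytes) -> bool:
    # Known-plaintext check: only the right key yields the service name and realm.
    return plaintext.startswith(b"krbtgt\0" + REALM.encode() + b"\0")


def offline_attack(reply: bytes, wordlist):
    """One KDC exchange, then every guess is checked locally.  The KDC sees a
    single request however many passwords are tried, so no trial counter on
    the KDC can notice this."""
    for guess in wordlist:
        key = string_to_key(guess, REALM)
        if looks_like_tgt_reply(crypt(key, reply)):
            return guess, key
    return None, None


def kinit_with_key(kdc: FakeKDC, principal: str, key: bytes) -> bytes:
    """The 'kinit that takes a DES key' from the message: the client only ever
    uses the derived key, so the password itself is never needed."""
    plaintext = crypt(key, kdc.as_request(principal))
    if not looks_like_tgt_reply(plaintext):
        raise ValueError("wrong key")
    return plaintext[-8:]   # the session key, i.e. a usable TGT


def demo():
    kdc = FakeKDC()
    reply = kdc.as_request("carlos")              # the single "live" request
    guess, key = offline_attack(reply, WORDLIST)
    requests_seen_by_kdc = kdc.requests
    session = kinit_with_key(kdc, "carlos", key)  # go live again with the key only
    return guess, key, requests_seen_by_kdc, session
```

Note what `demo()` returns: the recovered password, the key, a request count of 1 during the whole dictionary run, and a valid session key obtained with the key alone. The last point is why a stolen database plus master key is "game over" even though no password is in it, and the request count is why Kerberos 4 gives the KDC nothing to threshold on.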

