[2937] in Kerberos
Re: About principals' secret keys & attacks
daemon@ATHENA.MIT.EDU (Carlos Horowicz)
Tue Dec 21 12:20:54 1993
From: Carlos Horowicz <carlos@athea.ar>
To: sdawson@engin.umich.edu (Scott Dawson)
Date: Tue, 21 Dec 1993 13:40:19 -0300 (ARG)
Cc: kerberos@MIT.EDU
In-Reply-To: <9312202328.AA06636@limbo.engin.umich.edu> from "Scott Dawson" at Dec 20, 93 06:28:38 pm
Scott,
>
> > 1. I think there should be nothing "recognizable" if timestamps and/or random
> > numbers go in the authenticator.
>
> Timestamps are recognizable because I pretty much know what time it is
> and if I decrypt and get anywhere near that time I know I've hit the
> right key.
>
> The thing is, in krb4 at least, what is in the authenticator is
> something of the form { username, address, timestamp }Ku,s
>
> The chaining works like this:
>
> you get a tgt which looks like:
>
> { Ku,tgs , {Ttgs}Ktgs }Kuser
>
> none of the packet contents here is recognizable if I just guess at Kuser.
>
> However, you now send a message to the tgs asking to talk to service Y. When
> you do this, you also send the authenticator for the tgs. What you send
> looks like:
>
> { username, address, timestamp }Ku,tgs along with {Ttgs}Ktgs
>
>
> So, here's the attack if I have sniffed your packets. I decrypt the
> initial tgt using dictionary attack. I don't know that what I got was
> any good. I use the Ku,tgs which I get to decrypt the authenticator
> which you sent to the tgs. If I see { username, address, timestamp },
> all of which are recognizable, then I have guessed your user key correctly.
> If not, I move on to the next guess and repeat the procedure.
>
This is like a dictionary attack on /etc/shadow or /etc/passwd: you have
a source and a target, and all you have to do is compute the key that
drives the source to the target. If the user password choices where good,
then it can take pretty long to hit something.
But if you can sniff packets, it arises a new question: let's suppose
I fake a root login on a machine (f.ex.by using packet replay, or by faking
an .rhosts trusted machine), where I can get a copy of a kerberos database.
What can I obtain by running dictionary attack against the krb master
password ?
Carlos.
