[2938] in Kerberos
Re: About principals' secret keys & attacks
daemon@ATHENA.MIT.EDU (Josh Osborne)
Tue Dec 21 15:51:50 1993
From: stripes@uunet.uu.net (Josh Osborne)
To: carlos@athea.ar (Carlos Horowicz)
Date: Tue, 21 Dec 1993 15:33:59 -0500 (EST)
Cc: sdawson@engin.umich.edu, kerberos@MIT.EDU
In-Reply-To: <199312211640.AA22629@athea.ar> from "Carlos Horowicz" at Dec 21, 93 01:40:19 pm
[...]
>This is like a dictionary attack on /etc/shadow or /etc/passwd: you have
>a source and a target, and all you have to do is compute the key that
>drives the source to the target. If the user password choices where good,
>then it can take pretty long to hit something.
But for $1,000,000 one can build a machine that can search the entire 56bit
DES keyspace for a known plaintext attack (I can dig up the paper reference -
but I beleve it was posted to this very list a few months ago...) in ~8 hours
The cost looks like it will fall as the price for full-custom ASICs fall (i.e.
very fast). This price also scales, for $100,000 you can do a full search in
~24 hours, for $10,000 (I think) you can do it in a bit over a month. Do you
have password ageing turned on? (Warning: I may have the prices an order of
magnitude too low, but if I do save this post for 5 to 7 years and it will
be right).
Any known plaintext weekeness (in a single DES baised system) is very serious.
It limits the amount of trust you can place in keeping a secret. Anything
that could cause an attacker to gain over $1,000,000 is right out (of corse
a $1M secret is very likely to be comprmised by trusted people also!). Less
valuable secrets are easier to trust for longer, but hardware keeps getting
less costly...
[...]
