[35978] in Kerberos
Re: NSA backdoor risks in Kerberos
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Apr 2 14:45:20 2014
From: Russ Allbery <eagle@eyrie.org>
To: Chris Hecker <checker@d6.com>, "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <alpine.GSO.1.10.1404021241000.21026@multics.mit.edu> (Benjamin
Kaduk's message of "Wed, 2 Apr 2014 12:47:31 -0400 (EDT)")
Date: Wed, 02 Apr 2014 11:45:03 -0700
Message-ID: <877g77a7v4.fsf@windlord.stanford.edu>

Benjamin Kaduk <kaduk@MIT.EDU> writes:

> The core kerberos protocol itself is pretty well-analyzed, and unlikely
> to have been backdoored. There could potentially be issues with the
> crypto primitives used by a particular Kerberos implementation or
> encryption type (e.g., PRNG, block cipher, and hash function), but such
> issues would have much broader consequences than just kerberos. AES is
> probably fine, but, say, the md4 hash function used in arcfour-hmac's
> string-to-key is not so good, and as mentioned already RFC 6649
> deprecates some weak enctypes.

With Kerberos, it's always worth being aware that it's a trusted central
authentication system. A compromise of the KDC is a total compromise of
the realm, and the compromise doesn't have to be active. All you need is
a copy of the keys, and then you can basically do anything you want in a
way that's extremely hard to detect.

If I were a sophisticated attacker who was attempting to compromise a
Kerberos infrastructure, I wouldn't attack the crypto. I'd backdoor the
KDC using any of the many tools available for compromising a single
system. In most situations, that would be substantially easier than
attacking the crypto and harder to detect afterwards.

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
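
An added example, not part of the original message or of any Kerberos distribution: one way to check a keytab listing for the weak enctypes the thread mentions (those deprecated by RFC 6649, and arcfour-hmac with its MD4 string-to-key). It assumes MIT-style `klist -ke` output; the function name, the sample hosts and the realm are made up for illustration.

```python
import re

# Names as MIT krb5 prints them. RFC 6649 deprecates single DES and export RC4.
RFC6649_DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                      "arcfour-hmac-exp", "rc4-hmac-exp"}
# RC4 enctypes whose string-to-key is the MD4 hash mentioned in the thread.
MD4_STRING_TO_KEY = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}

# One key entry of `klist -ke`: KVNO, principal, enctype in parentheses.
# Newer MIT releases prefix weak enctypes with "DEPRECATED:".
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def audit_keytab_listing(text):
    """Return (principal, kvno, enctype, reason) for every weak key entry."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, separator or blank line
        kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3).lower()
        if enctype in RFC6649_DEPRECATED:
            findings.append((principal, kvno, enctype, "deprecated by RFC 6649"))
        elif enctype in MD4_STRING_TO_KEY:
            findings.append((principal, kvno, enctype, "MD4 string-to-key"))
    return findings

# Constructed sample output; hosts and realm are placeholders.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 host/web1.example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   3 host/web1.example.org@EXAMPLE.ORG (arcfour-hmac)
   1 nfs/old.example.org@EXAMPLE.ORG (des-cbc-crc)
   5 HTTP/app.example.org@EXAMPLE.ORG (DEPRECATED:arcfour-hmac)
"""

if __name__ == "__main__":
    for principal, kvno, enctype, reason in audit_keytab_listing(SAMPLE):
        print(f"{principal} kvno={kvno} {enctype}: {reason}")
```

A clean result here says nothing about whether the KDC host itself has been compromised, which is the larger risk the message describes.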