[4862] in Kerberos

home help back first fref pref prev next nref lref last post

Proposal for a SmartCard-Kerberos Implementation

daemon@ATHENA.MIT.EDU (Kenneth D. Renard )
Sat Mar 25 01:07:08 1995

To: kerberos@MIT.EDU
Date: Fri, 24 Mar 1995 19:35:42 GMT
From: kdrenard@arl.mil (Kenneth D. Renard )


Below is a proposal for a SmartCard-Kerberos implementation.  It is based
on the implementation by Sandia Labs but addresses a different environment
with slightly different threats.  I am presenting it to you -- the true
Kerberos gurus -- for comments, suggestions, and discussions.  A brief
description of Sandia's implementation along with the proposed implementation
is included for comparison.

Environment:
	Kerberos 5 realm
	SecurID code is a one-time-use, time dependent, seeded (with PIN
	  entered onto card), password generating algorithm.  (You may
	  explore the applicability of your smart-card system)
	SecurID-only is not acceptable: (need SecurID code for every rsh, rcp)
	Users require access from various, unknown, "untrusted" hosts.

Additional Threats:
	There are sniffers on untrusted and intermediate networks. (There may
	  be intermediate networks between hosts and KDCs)

Goals:
	Not _require_ that a user have kinit on their desk for login access
	  to "trusted" machines.
	To allow secure _access_ to hosts from the outside, "untrusted" hosts
	  via an "untrusted" network (assume sniffers are running).
	Allow Kerberos authenticated associations between hosts within
	  "trusted" realm.
	Use preauthentication mechanism for implementation to make as few
	  changes as possible to out-of-the-box MIT Kerberos 5.

--------------------------------------------------------------------------------
	
SANDIA METHOD:
	1. Send password and SecurID code to kinit process.
	2. Kinit encrypts SecurID code with password.
	3. KDC verifies SecurID code and generates TGT encrypted in password.
	3.5. TGT traverses network from KDC to kinit encrypted in password.
	4. Kinit decrypts TGT with password.

Strengths:
1. KDC will not issue ticket without valid SecurID code.  This is configurable
	per principal.
2. No secrets revealed as long as password is provided securely to kinit
	(kinit must be run on desktop)

Weaknesses:
1. If tickets must be obtained on remote system (trusted kinit is not available
	on immediate host), password is sent over the net, vulnerable to
	sniffers.  With this password, one can decrypt any snooped KDC reply
	(for any host) for that user to get their TGT (see strength #1).
2. Cannot obtain host access from remote site that does not have trusted
	kinit binary without sending snoopable static password.

Comments:
1. Does not take full advantage of SecurID's benefits:  disclosure of SecurID
	code is not a vulnerability (one-time-use, seeds, and time dependence)
2. Maximum cost of password compromise:  All TGT's for that user until user
	changes password.  (Can user detect compromise of their password?)
--------------------------------------------------------------------------------

PROPOSED METHOD:

	1. Send SecurID code to kinit process.
	2. Kinit sends request to KDC with plaintext SecurID code.
	3. KDC verifies SecurID code and generates TGT encrypted in host-key.
	3.5. TGT traverses network from KDC to kinit encrypted in host-key.
	4. Kinit decrypts TGT with host-key found in v5srvtab.


Strengths:
1. KDC will not issue ticket without valid SecurID code.  This is configurable
	per principal.
2. No secrets reveled.  Kinit may be run remotely via unencrypted telnet, etc.
	Users can be granted strongly authenticated remote access from un-
	trusted machine via untrusted network.
3. Sandia weakness #1 above does not exist.

Weaknesses:
1. Compromise of root on a host will compromise host-key and all further 
	snooped KDC responses for that host will be decryptable.  See
	strength #1
2. Each client machine now needs a v5srvtab.

Comments:
1. Due to the lack of a shared secret between kinit process and KDC, host-key
	must be used to encrypt reply.
2. Maximum cost of host-key compromise:  All TGT's for that host until host
        changes host-key  (How easy is it to detect host compromise?)
3. Need quick, easy, secure method to permutate host-keys.  Don't want to
	use current host-key encrypt new key.  Any suggestions??
4. Coding of this implementation is in alpha-testing locally.  Full
	coding and testing of this method is currently being worked on.

--------------------------------------------------------------------------------

-Ken Renard					<kdrenard@arl.mil>
Army Research Lab

--------------------------------------------------------------------------------
SecurID is a registered trademark of Security Dynamics Technologies, Inc.
Original SecurID implementation graciously provided to MIT Kerberos 5 by
	Sandia Labs (Kudos, guys!)
================================================================================
-- 
-------------------------------------------------------------------------------
Ken Renard
U.S. Army Research Lab


home help back first fref pref prev next nref lref last post