[4862] in Kerberos
Proposal for a SmartCard-Kerberos Implementation
daemon@ATHENA.MIT.EDU (Kenneth D. Renard )
Sat Mar 25 01:07:08 1995
To: kerberos@MIT.EDU
Date: Fri, 24 Mar 1995 19:35:42 GMT
From: kdrenard@arl.mil (Kenneth D. Renard )
Below is a proposal for a SmartCard-Kerberos implementation. It is based
on the implementation by Sandia Labs but addresses a different environment
with slightly different threats. I am presenting it to you -- the true
Kerberos gurus -- for comments, suggestions, and discussions. A brief
description of Sandia's implementation along with the proposed implementation
is included for comparison.
Environment:
Kerberos 5 realm
SecurID code is a one-time-use, time dependent, seeded (with PIN
entered onto card), password generating algorithm. (You may
explore the applicability of your smart-card system)
SecurID-only is not acceptable: (need SecurID code for every rsh, rcp)
Users require access from various, unknown, "untrusted" hosts.
Additional Threats:
There are sniffers on untrusted and intermediate networks. (There may
be intermediate networks between hosts and KDCs)
Goals:
Not _require_ that a user have kinit on their desk for login access
to "trusted" machines.
To allow secure _access_ to hosts from the outside, "untrusted" hosts
via an "untrusted" network (assume sniffers are running).
Allow Kerberos authenticated associations between hosts within
"trusted" realm.
Use preauthentication mechanism for implementation to make as few
changes as possible to out-of-the-box MIT Kerberos 5.
--------------------------------------------------------------------------------
SANDIA METHOD:
1. Send password and SecurID code to kinit process.
2. Kinit encrypts SecurID code with password.
3. KDC verifies SecurID code and generates TGT encrypted in password.
3.5. TGT traverses network from KDC to kinit encrypted in password.
4. Kinit decrypts TGT with password.
Strengths:
1. KDC will not issue ticket without valid SecurID code. This is configurable
per principal.
2. No secrets revealed as long as password is provided securely to kinit
(kinit must be run on desktop)
Weaknesses:
1. If tickets must be obtained on remote system (trusted kinit is not available
on immediate host), password is sent over the net, vulnerable to
sniffers. With this password, one can decrypt any snooped KDC reply
(for any host) for that user to get their TGT (see strength #1).
2. Cannot obtain host access from remote site that does not have trusted
kinit binary without sending snoopable static password.
Comments:
1. Does not take full advantage of SecurID's benefits: disclosure of SecurID
code is not a vulnerability (one-time-use, seeds, and time dependence)
2. Maximum cost of password compromise: All TGT's for that user until user
changes password. (Can user detect compromise of their password?)
--------------------------------------------------------------------------------
PROPOSED METHOD:
1. Send SecurID code to kinit process.
2. Kinit sends request to KDC with plaintext SecurID code.
3. KDC verifies SecurID code and generates TGT encrypted in host-key.
3.5. TGT traverses network from KDC to kinit encrypted in host-key.
4. Kinit decrypts TGT with host-key found in v5srvtab.
Strengths:
1. KDC will not issue ticket without valid SecurID code. This is configurable
per principal.
2. No secrets reveled. Kinit may be run remotely via unencrypted telnet, etc.
Users can be granted strongly authenticated remote access from un-
trusted machine via untrusted network.
3. Sandia weakness #1 above does not exist.
Weaknesses:
1. Compromise of root on a host will compromise host-key and all further
snooped KDC responses for that host will be decryptable. See
strength #1
2. Each client machine now needs a v5srvtab.
Comments:
1. Due to the lack of a shared secret between kinit process and KDC, host-key
must be used to encrypt reply.
2. Maximum cost of host-key compromise: All TGT's for that host until host
changes host-key (How easy is it to detect host compromise?)
3. Need quick, easy, secure method to permutate host-keys. Don't want to
use current host-key encrypt new key. Any suggestions??
4. Coding of this implementation is in alpha-testing locally. Full
coding and testing of this method is currently being worked on.
--------------------------------------------------------------------------------
-Ken Renard <kdrenard@arl.mil>
Army Research Lab
--------------------------------------------------------------------------------
SecurID is a registered trademark of Security Dynamics Technologies, Inc.
Original SecurID implementation graciously provided to MIT Kerberos 5 by
Sandia Labs (Kudos, guys!)
================================================================================
--
-------------------------------------------------------------------------------
Ken Renard
U.S. Army Research Lab