[4896] in Kerberos

home help back first fref pref prev next nref lref last post

No subject found in mail header

daemon@ATHENA.MIT.EDU (Glenn Machin)
Fri Mar 31 10:39:09 1995

Date: Fri, 31 Mar 1995 08:24:14 -0700
From: Glenn Machin <gmachin@sahp044.sandia.gov>
To: kdrenard@arl.mil, kerberos@MIT.EDU

> 
> Unfortunately, this opens the vulnerability of the Sandia algorithm that I
> was trying to avoid.  A sniffer could capture the SecurID code via the
> unencrypted telnet and sniff the AS_REP and decrypt the TGT.
>  
> Thanks for the reply!
>  
> -Ken Renard

I think you might be mislead on the vulnerability of the Sandia
algorithm, which exposes the SecurID code via telnet.  First off the 
Sandia algorithm, has nothing to to with telnet.  Sandia's implementation
of SecurID and Kerberos passes over the SecurID passcode as part of the 
preauth data of an AS_REQ (kinit), encrypted in the users kerberos 
password.  The KDC  decrypts the preauth data with the users private key 
and verifies the passcode with SecuriD.  If sucessful the KDC marks 
the TKT_FLG_HW_AUTH within the TGT and returns it encrypted in the users 
kerberos key.



The Sandia algorithm adds an additional authentication check 
to the normal kerberos authentication, plus propagates this information
along in the TGT, which could be use by the KDC or applications to authorize
the issuance of additional tickets, or access to facilities.

The weakness in this method for use on a gateway is that if a person could sniff
at the gateway and could get both the users kerberos password and the returned
TGT, that person could indeed use that ticket (only at the gateway of course).
However if the path between the gateway and KDC is secure this helps eliminate
the possibility of obtaining the returned AS_REPLY.
 
The real weakness, which is true for kerberos in general is that, if the
AS_REQ is not done on a local system then the users password is exposed to 
the network, however with Sandias method you can specify in the kerberos
database that a principal (service or user) is forced to provide SecurID to
get an initial TGT or that the TGT must have the TKT_FLG_HW_AUTH set in the
TGT presented, to obtain various service tickets. We have recently made changes
within the KDC which looks to see if the system initiating the AS_REQ is 
allowed to initiate a version 4, version 5, or version5 with Securid AS_REQ.

This allows us restrict version 4 requests to such things as Xyplex terminal
servers, and version 5 requests to "secure networks". All other networks
initiating AS_REQs would require a SecurID passcode to be included in the 
request.

I hope this clarifies Sandias use of SecurID and Kerberos.

Glenn Machin (gmachin@sandia.gov)



home help back first fref pref prev next nref lref last post