[578] in Kerberos
re: central password checking
daemon@TELECOM.MIT.EDU (Jerome H. Saltzer)
Mon Jan 9 13:40:23 1989
To: chariot@ATHENA.MIT.EDU
Cc: sms-dev@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: chariot@ATHENA.MIT.EDU's message of Sun, 8 Jan 89 20:19:59 EST
From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU>

> There is one major problem with this approach: it involves a
> large loss of security. Suppose I manage to learn Jerry's password.
> (i.e., I look over his shoulder or whatever). I hack his account. He
> quickly then changes his password so he can't be hacked anymore. That's
> what he thinks... Actually, I've been watching the net and see his
> password change request go by with the new password embedded in it
> (remember there is *no* way to prevent me from reading it because the
> only secret Jerry and kerberos share is his old password which I also
> have...).

[Mark doesn't say what "this approach" is, but from the message subject
I assume he means the central quality check of passwords.]

The scenario Mark describes presents a problem, but I believe that
his problem is quite orthogonal to central password quality control.

If my password is compromised, and I try to change it with a network
message, I will be subject to the attack Mark describes, whether or
not Kerberos wants me to send the new password for quality checking.
The reason is that Kerberos must receive at least the key form (after
running string-to-key over the password). The key form would go
across the net, encrypted in a way knowable by anyone who knows my
old password (and who has monitored the entire password-changing
conversation between me and Kerberos). Such an intruder could read
the new key field and use the information to acquire my credentials.
It is true that including my ASCII password in the message would make
life a little simpler for the intruder, but the string-to-key version
is all he really needs to get tickets and use them.

If your password is compromised the ONLY way to fix it is to find a
secure communication path to the Kerberos administrator, perhaps by
walking to the administrator's office. No path based on the old
password is suitable. This requirement exists whether central
password checking is in use or not.

Jerry
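
The point argued in the message above, as an added example that is not part of the original message or of Kerberos itself: a password-change request protected only by the old key gives up the new key to anyone who knows the old password. The `string_to_key` function (PBKDF2) and the HMAC-based sealing are stand-ins chosen for this sketch, not the Kerberos algorithms, and the principal name and passwords are constructed.

```python
import hashlib
import hmac
import os

def string_to_key(password: str, principal: str) -> bytes:
    # Stand-in for string-to-key (assumption: PBKDF2, not the Kerberos algorithm).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000, dklen=16)

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys derived from the shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: nonce || ciphertext || tag.
    nonce = os.urandom(8)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, message: bytes):
    # Returns the plaintext, or None when the key does not match.
    nonce, body, tag = message[:8], message[8:-32], message[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def change_password_request(principal: str, old_password: str, new_password: str) -> bytes:
    # Only the key form of the new password is sent, sealed under the old key.
    return seal(string_to_key(old_password, principal), string_to_key(new_password, principal))

def recover_new_key(captured: bytes, principal: str, known_old_password: str):
    # What a party holding the old password can read from the captured request.
    return unseal(string_to_key(known_old_password, principal), captured)

def demo():
    principal = "user@EXAMPLE.ORG"  # constructed sample values throughout
    captured = change_password_request(principal, "old-secret", "brand-new-secret")
    new_key = string_to_key("brand-new-secret", principal)
    return (recover_new_key(captured, principal, "old-secret") == new_key,
            recover_new_key(captured, principal, "wrong-guess") is None)
```

The request never carries the ASCII password, yet the recovered value is exactly the key the server will store, which is why the message concludes that the replacement must travel over a path that does not depend on the old password.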