[6689] in Kerberos

Re: Kerberos Weakness (COAST Findings)

daemon@ATHENA.MIT.EDU (Gene Spafford)
Sun Feb 18 11:48:05 1996

To: kerberos@MIT.EDU
Date: 18 Feb 1996 11:22:41 -0500
From: spaf@cs.purdue.edu (Gene Spafford)

In article <4g5k5e$21c@narnia.cs.purdue.edu> swlodin@cs.purdue.edu (Steve Lodin) writes:

   My first suggestion is don't use any kerberos based on MIT Kerberos
   Version 4 for military-grade security requirements.

Let me add to Steve's comments in a few ways:
  1) If we use a fast machine, like a DEC Alpha, we can get the
session keys for an active user in (effectively) real-time: average
time is less than 6 seconds per key.

  2) This problem appears to have been in MIT Kerberos version 4 for
years, and possibly since the initial release.  The Cygnus release
includes alterations to MIT's code that make the problem somewhat
worse.  We haven't examined any other releases of code, so we can't
comment on whether it is present in other releases, but we assume it
is.

  3) There is no evidence that this is widely known or being actively
exploited.  Given #1 and #2 above, if it were known, you can bet we
all would have heard about it by now.

  4) MIT has a reasonable fix in preparation for Kerberos 4.  It is a
small change in the source. It is easy to put in place.

  5) The attack against Kerberos 5 appears to be of theoretical
interest only, as it requires extensive computational resources to
exploit.  In any event, I have discussed a fix for this with Ted Ts'o
and there are several ways to eliminate the threat, at least one of
which is likely to be included in future releases of version 5.

  6) There is no #6.

  7) Even when the vulnerability we found is fixed, there are still
weaknesses in Kerberos, and especially Kerberos 4, that can be
exploited.  It is better than passwords in most cases, but it is not a
panacea.

  8) We hope to have the paper available for general release as a tech
report within two weeks after the announcement of the fix.

