[713] in Kerberos
[Steve Miller: RE: Distinguishing "users" and "services"]
daemon@TELECOM.MIT.EDU (John T Kohl)
Tue May 9 10:31:43 1989
From: John T Kohl <jtkohl@ATHENA.MIT.EDU>
To: kerberos@ATHENA.MIT.EDU, krb-protocol@ATHENA.MIT.EDU
------- Forwarded Message
Date: Tue, 9 May 89 07:15:56 PDT
From: miller%erlang.DEC@decwrl.dec.com (Steve Miller)
To: jtkohl@ATHENA.MIT.EDU
Subject: RE: Distinguishing "users" and "services"
Re:
>>From: DECWRL::"jtkohl@ATHENA.MIT.EDU" "John T Kohl 8-May-89 1436 EDT" 8-MAY-1989 15:07:12.63
>>To: kerberos@ATHENA.MIT.EDU, krb-protocol@ATHENA.MIT.EDU
>>CC:
>>Subj: Distinguishing "users" and "services"
>>
>>Several times in the last year I've been discussing Kerberos and the
phrase "well, if we distinguished between services and users, we could
>>..." popped up (This idea was recently resurfaced by conversations with
>>Jeff Schiller and L. Gong).
We had such a distinction, based on different forms of the name, in an
early pre-release draft of Kerberos, but decided to remove it. It seemed,
and still seems, more appropriate to treat all principals uniformly.
A principal, such as an intermediate service, may concurrently serve both
as a service and a client of another service. It should also be possible
for two users (clients) to directly setup an authenticated communications
session for whatever purpose, such as private communication.
>>I propose allocating a flag bit in the KDC database to indicate that the
>>indicated principal is not allowed to provide direct service, i.e. the
>>TGS will reject any requests to issue a ticket which the principal can
>>decrypt. This bit, when turned on, means essentially "this is a user".
>>This differentiation between users and services can help plug known
>>plaintext attacks against a user's private key, by preventing an
>>attacker from obtaining a ticket with a large amount of known plaintext
>>encrypted in the private key of the principal under attack. Combined
>>with some other proposals to modify the response to the initial ticket
>>request, this could reduce a principal's private key exposure to
>>encryption of essentially random data. [And with the use of some public
>>key cryptography for initial ticket requests, even that could be
>>eliminated.]
The original assumption of Kerberos was not to worry about cryptanalysis,
and I believe that still holds. Despite much criticism of DES, after ten
years there is still no public evidence of vulnerability to cryptanalysis
or any other attack other than brute force. (Maybe NSA and the KGB have
special engines to break it.) So I wouldn't introduce any additional
complexity, user or administrative burden to address cryptanalysis threats.
Lack of secure key storage is a much more fundamental and immediate
problem for current Kerberos implementations. If the ticket format
is rearranged to put less predictable data at the front, as was suggested
in some of the other proposals, I think that is fine- it doesn't effect
users or administrators, but makes cryptanalysis more difficult.
(Changing the ticket layout requires changes in the integrity mechanisms
as well, as has been discussed previously.)
Summary: punt.
Steve
------- End Forwarded Message
