[715] in Kerberos


Re: Distinguishing "users" and "services"

daemon@TELECOM.MIT.EDU (Mark Lomas)
Tue May 9 14:53:22 1989

From: Mark Lomas <tmal%CL.CAM.AC.UK@MITVMA.MIT.EDU>
To: kerberos <kerberos@ATHENA.MIT.EDU>

In a recent message, Steve Miller commented:

> The original assumption of Kerberos was not to worry about cryptanalysis,
> and I believe that still holds. Despite much criticism of DES, after ten
> years there is still no public evidence of vulnerability to cryptanalysis
> or any other attack other than brute force. (Maybe NSA and the KGB have
> special engines to break it.) So I wouldn't introduce any additional
> complexity, user or administrative burden to address cryptanalysis threats.

The most important distinction between users and services, from the point of
view of security, is that users are notoriously bad at choosing passwords.

In an environment which has moderate security requirements, rather than those
of military establishments, the DES algorithm is probably adequate for the
moment.  Provided all keys are well chosen an attacker is unlikely to be able
to discover the values of those keys by cryptographic means.  I would emphasise
the phrase `provided all keys are well chosen'; the DES algorithm is not
suitable for encrypting known-plaintext with user chosen keys.

In designing an authentication protocol you should be more realistic.  Breaking
a user chosen key is far easier because a brute-force search doesn't have to
test all 2^56 key values.  For example the password scheme supplied with UNIX
encrypts known-plaintext using a slight modification of the DES algorithm.  It
then encrypts the ciphertext using the same key repeatedly until a total of 25
encryptions have been performed.  A brute-force search lasting one afternoon
determined 10% of the passwords in use at this site; this search was possible
because the keys were user chosen, not because the DES algorithm was used.

The Kerberos protocol has neither of the features of the UNIX password scheme
which were intended to slow down searches so I would assert that searching
should be even faster.  Do not underestimate the processing resources which
an undergraduate could use to determine passwords.

I agree whole-heartedly with the suggestion that users and services should be
treated differently.

	Mark Lomas (tmal@cl.cam.ac.uk)
	University of Cambridge
	Computer Laboratory
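
Added example, not part of the original message: a work-factor model for the comparison made above, useful when auditing how much a scheme's design slows a guessing search. It assumes the "slight modification" of DES is the per-account salt of crypt(3); HMAC-SHA256 stands in for DES, and the candidate-list and account counts are constructed figures.

```python
import hashlib
import hmac

DES_KEYSPACE = 2 ** 56       # exhaustive search over well-chosen DES keys
KNOWN_PLAINTEXT = bytes(8)   # constant block encrypted under the password-derived key
UNIX_ROUNDS = 25             # repeated encryptions in the UNIX password scheme


def verifier(password: bytes, salt: bytes = b"", rounds: int = 1) -> bytes:
    """Model of 'encrypt known plaintext under a user-chosen key'.

    HMAC-SHA256 is a stand-in for DES (assumption of this example);
    the salt models a per-account change to the algorithm.
    """
    block = KNOWN_PLAINTEXT
    for _ in range(rounds):
        block = hmac.new(password, salt + block, hashlib.sha256).digest()
    return block


def search_cost(candidates: int, accounts: int, rounds: int, salted: bool) -> int:
    """Keyed operations needed to test every candidate against every account.

    Without a salt, one computation per candidate can be compared
    against all accounts at once, so the account count drops out.
    """
    return candidates * rounds * (accounts if salted else 1)


def report(candidates: int, accounts: int) -> dict:
    fast = search_cost(candidates, accounts, rounds=1, salted=False)
    slow = search_cost(candidates, accounts, rounds=UNIX_ROUNDS, salted=True)
    return {
        "single_pass_unsalted": fast,
        "iterated_salted": slow,
        "slowdown_factor": slow // fast,
        "fraction_of_des_keyspace": fast / DES_KEYSPACE,
    }


if __name__ == "__main__":
    # Constructed figures: 250,000 candidate passwords, 1,000 accounts.
    for name, value in report(250_000, 1_000).items():
        print(f"{name}: {value}")
```

The last figure shows how small a candidate list of user-chosen passwords is next to the 2^56 keys an exhaustive search would have to cover.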
