[789] in Kerberos


Re: kinit security

daemon@TELECOM.MIT.EDU (Jerome H Saltzer)
Tue Aug 29 18:33:23 1989

From: saltzer@SRC.DEC.COM (Jerome H Saltzer)
To: Douglas S. Rand <doug@ZAPHOD.PRIME.COM>
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Your message of Tue, 29 Aug 89 10:48:39 EDT

> If you give kinit a non-existent principal it immediately gives an
> error message. Do people think that it should ask for a password anyway
> to prevent discrimination of an invalid principal from a bad password?
> I know this is not that interesting on UNIX where the password file
> tends to be readable anyway.

First of all, a minor detail:  kinit is a user program; any user 
who is so inspired can write his own version, so protective measures 
taken only by kinit can't be very effective.

However, there is another, more significant, version of the question:  
should the Kerberos protocol itself give out the information that 
the principal ID was invalid, thereby allowing kinit the luxury of 
telling the user the bad news without the need to obtain a password?

A fair number of systems have used the argument that in the interests 
of security the system should give out the minimum amount of 
information possible.  But I think that the consensus from 25 years 
of trying it both ways in various environments is that the extra 
trouble for legitimate but fumble-fingered users (from not giving 
a helpful diagnostic) outweighs any extra protection against intruders.

UNIX is not the only system where one can discover or verify principal 
names; it is in the nature of things that system designers and users 
don't try to keep principal names secret.  For example, on many systems 
one can verify a guessed principal identifier by sending mail to 
it and seeing if an error message bounces back.  From a design point 
of view, the appropriate assumption is that your attacker knows the 
principal names but the legitimate user doesn't, or at least can't 
type them right.

The bottom line is that asking for a password when you know the
principal is bad hassles the good guys without getting much in the
way of the bad guys.

There IS some significant security value in making the protocol 
sufficiently time-consuming that an attacker can't program a computer 
to try a lot of guesses in a short time, and sometimes people have 
argued that asking for a password helps this consideration by making 
the protocol consume more time.  However, for Kerberos, where the 
attacker can launch a second inquiry packet before the first response 
is back, this argument is somewhat beside the issue.

                            Jerry Saltzer