[857] in Kerberos


Authentication vulnerabilities

daemon@ATHENA.MIT.EDU (Hugh C. Lauer)
Thu Dec 21 09:51:10 1989

From: lauer@BTC.KODAK.COM (Hugh C. Lauer)
To: kerberos@ATHENA.MIT.EDU
Cc: lauer@BTC.KODAK.COM


Denis Russell's recent message raised some other concerns in my mind
about vulnerabilities of authentication, especially in wide area
networks of many realms.  It seems that weaknesses in administrations
are much more serious problems than weaknesses in either the Kerberos
or X.509 protocols.  Denis's project is addressing a large area -- all
of academic computing in the UK.  Mine is one or two orders of
magnitude smaller -- the computing networks of a multi-national
corporation -- and that appears to be already intractable.

We have a lot of departments with a lot of users.  The largest
concentration is in Rochester, New York, but about half the users are
located elsewhere.  For reasons not worth elaborating here, it is not
possible in our company to have an effective central administration,
even of authentication servers.  Individual departments will install
and use them or not, as they choose and as their individual business needs dictate.

Yet I and many of my colleagues need to move physically around the
corporation, and wherever we go we need to be able to log in to a
local system with our own passwords and be recognized as who we really
are.  This is why we are interested in Kerberos in the first place --
because it is a working system for authentication, presumably over a
wide area.  We also need to be able to put together projects comprising
people from a number of departments and give them common sets of rights
and access privileges, so that they can work together, share files,
etc.  They need to be able to sign on to a system anywhere in their
project (which may span the continent) and still have substantially the
same rights they have in their local environments.

My concern is that I am not sure that I can trust the administrations
of all of the other realms.  Maliciousness is NOT the issue;
carelessness is.  I.e., I am not completely confident that the
administrator or users in the various realms really understand the
responsibilities and consequences of protecting passwords, keys, etc.
Are there any public passwords in a particular department?  Does
another department find it necessary to routinely share the Master
database password, the same way that we here find it necessary to
routinely share root passwords?  If I add a user from a particular
department to the access list for a project, do I inadvertently open it
up to everyone in that department?  to people outside the department
but still inside the company?  to people outside the company?

It seems that this problem grows rapidly with the number of realms and
is independent of whether you use centralized databases, such as
Kerberos, or certificates in a public key cryptosystem.  It is already
bad enough in a 'monolithic' company with 40-50 separate departments.  It
has to be much worse for the 40-50 universities in the UK, each with
several dozen highly autonomous departments or colleges.  Given this, I
think that the practical vulnerabilities of X.509 AND Kerberos are much
more severe than the protocol vulnerabilities described by Burrows,
Abadi, and Needham (the latter, I expect, will eventually get fixed).

Am I missing something?

/Hugh C. Lauer
Kodak Boston Technology Center
Bedford, Massachusetts
