[859] in Kerberos


Authentication vulnerabilities

daemon@ATHENA.MIT.EDU (Bede B. McCall)
Thu Dec 21 14:10:24 1989

From: bede@LINUS.MITRE.ORG (Bede B. McCall)
To: lauer@BTC.KODAK.COM
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: Hugh C. Lauer's message of Thu, 21 Dec 89 09:45:11 EST <8912211445.AA10770@hotspur>

We have a similar, although "smaller" (in terms of raw numbers, at
least) problem.  In our case, the problem is compounded by very loose
coupling -- both administratively and with respect to network
connectivity -- between two major sites and a gaggle of smaller sites
spread globally (from Germany to Japan).  I've targeted only the major
sites for kerberos.  Presumably, if and when a "global" sort of
authentication scheme becomes available on a reasonable basis (perhaps
X.509), we would use that for inter-site authentication.  So we might
eventually end up with a ubiquitous two-level sort of authentication
scheme which might at least be easier to use than the one we have now.
I have few illusions about a globally acceptable scheme showing up
which would allow us to simplify this situation in the foreseeable
future (e.g. 5 or 6 years).

Our existing answer to inter-site authentication is the use of SecurID
(but this is **NOT** a product endorsement!) "smart" cards which,
although they fulfill our requirements, nonetheless require an
infrastructure similar to that of kerberos -- dedicated, secure
servers, centralized administration, and so on.  Since the number of
people who need the cards is quite small (maybe numbering in
the very low hundreds), the cost is not an intolerable burden -- but
certainly not cheap.

What the security cards don't give us is protection against our own
users within the major sites (an obstreperous lot, they), hence the
perceived need for kerberos.  Considering that the basic system is
available now, at zero startup/licensing cost (potential future
development costs notwithstanding for now), is at least provably
secure in its abstract form (the papers from the DEC group), and that
we have an existing framework (due to the dedicated security card
authentication servers) for installing it, the choice of kerberos was
rather obvious.  Secure inter-realm authentication for these major
sites is something we can cope with, as have Athena and LCS.

This isn't to say that our solution for authentication is a terrific
model, although I'll bet it's a typical one.  At times, in fact, one
is tempted to view it as a kludge which works only by virtue of an
extraordinarily patient user community.  Despite predictions to the
contrary, I still haven't gotten used to using my card, and it, just
like my password on many systems, expires every so often, making the
situation even worse.

It would be very nice if I could cob together a one-shot, bulletproof
"login certificate" for each user as they first pass through our
personnel office and then forget about them until they pass out the
same door, perhaps many years later.  I think most organizations might
even be willing to pay a smallish (does $10 sound about right?)
one-time fee for this, assuming the recurring costs were nil and the
certificate was universally accepted.  (One of the things you have to
remember about recurring license fees is the fact that they always
have some "hidden" internal overhead added to them: add these costs up
and you can run up a really whacking great bill for something like the
superficially inexpensive RSA licensing, which is handled on a
per-user basis.)

-Bede McCall

 MITRE Corp.          Internet: bede@mitre.org
 MS A114              UUCP: {decvax,philabs}!linus!bede
 Burlington Rd.
 Bedford, MA 01730    (617) 271-2839
