[155] in Kerberos
Ooops. SMS cannot store keys that ge
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:35:16 1987
From jis@BITSY.MIT.EDU Wed Jan 28 00:49:20 1987
Date: Wed, 28 Jan 87 00:48:14 EST
From: Jeffrey I. Schiller <jis@BITSY.MIT.EDU>
To: Saltzer@athena.mit.edu
Cc: Kerberos@Athena.mit.edu
Subject: Ooops. SMS cannot store keys that get loaded into kerberos.
The following problem came up during a conversation between
Melissa and myself.
The current design of the kerberos database enciphers the
private keys of users and services with the kerberos "master" key.
This protects the keys from disclosure, but does not "seal" them
against modification.
Specifically it is still possible to copy one user's key
information onto another, and thus make the second user's key the same
as the first.
If SMS loads all information into kerberos, then all one would
have to do to forge the id of some user (assuming breaking into SMS
first), is to make that user's private key data equal to the data for
the forger's private key, and wait for the next SMS => kerberos
download.
I can see two ways to prevent this:
1) Not store private key information in SMS, Kerberos would be
responsible for long term storage of the keys.
2) Change the master key encipherment so that first the first eight
characters (64 bits) of the principal name is Xor'd into the private
key and then enciphered with the master key. This would ensure that
two users with the same key (password) don't have identical values
stored in the database for their keys, and the attack above is
thwarted.
-Jeff
