Paper about kerberos' password security

John Brezak jbrezak at windows.microsoft.com
Tue Mar 12 12:28:25 EST 2002


Adding the IETF krb-wg to the distribution.


-----Original Message-----
From: Theodore Tso [mailto:tytso at MIT.EDU] 
Sent: Thursday, January 31, 2002 9:54 PM
To: Andreas Hasenack
Cc: kerberos at mit.edu
Subject: Re: Paper about kerberos' password security


On Thu, Jan 31, 2002 at 10:03:34AM -0200, Andreas Hasenack wrote:
> I'm sure at least the developers have read Thomas Wu's paper[1] titled
> "A Real-World Analysis of Kerberos Password Security". Weak user
> passwords are not a new problem.
>
> Basically, he says that a dictionary attack can be quite effective,
> and cracked over 2,000 passwords in two weeks on a 25k user kerberos
> realm (and over 50% were 8 characters in length). Using pre-auth with
> timestamp doesn't make things look much better, one can still sniff the
> network and make the same attack.

According to the folks at Stanford, they were kinda miffed about his
paper, in that he made some statements that could be considered
intellectually dishonest.  Yes, he did crack over 2,000 passwords in two
weeks, and yes, this was with a password quality checker on the
adminserver in place.  But what he failed to disclose was that the
password quality check had only recently been installed, and most of the
passwords which he caught would have been rejected by the password
quality checker.

So would he have gotten such impressive results if he had done the
test only on passwords that had been vetted by the password quality
checker? That's very unclear.

At the time, the author did not disclose that the technique he was
pushing was patented, and although (he and Stanford) later made some
limited modes of SRP freely available under a patent license, that
wasn't the case at the time, and so at least some people questioned
whether his paper was simply a white paper trying to sell a technique
that he was trying to make money on.

It should be noted that since then, although Thomas Wu and Stanford have
made it available (thus neutralizing the previous concern), there are
other potential patent complications with using SRP, including the
Lucent EKE patent, and possibly the SPEKE patent as well.  (The SPEKE
patent has incredibly broad claims, and while a patent attorney might be
able to argue that they are overly broad, trying to litigate any kind of
patent claim once the patent is issued is incredibly expensive, even if
the patent claims are pretty clearly a complete abuse of the patent
system.)

As a result, I would strongly encourage folks who are interested in
things like SRP to take a page from DVD players like xine, and define a
plug-in architecture so that shared libraries can contain the SRP (or
other password authentication and/or preauthentication) code. That way,
the base distribution of the software can be distributed without any
worries about patent entanglements, and software components can be
distributed in the parts of the free world where software/algorithm
patents aren't an issue.  Individual users can then decide on their own
whether or not they feel comfortable grabbing the plug-in module (or
not) depending on what their read on the legal situation is, and whether
or not they believe they are judgement proof.  Aren't software patents
fun?

							- Ted


