Kerberos insecure

Jason Garman jgarman at wedgie.org
Sat Dec 6 18:40:54 EST 2003 

On Dec 5, 2003, at 5:12 AM, Christoph Riesenberger wrote:

> "Tom Yu" <tlyu at mit.edu> schrieb...
>> Kerberos doesn't use symmetric-key Needham-Schroeder directly; it has
>> been modified to use timestamps to avoid a freshness problem found by
>> Burrows et al. in the BAN logic paper.  Also, Lowe's attack was on
>> public-key Needham-Schroeder, if I recall correctly.
>
> Thanks, Tom. This means, Lowe's attack doesn't touch kerberos!?
> 2 other questions:
> Kerberos uses symmetric keys. How can it guarantee, that a 
> message/ticket
> was not altered (integrity)?
> How does logout work?
>
Kerberos functions under a trusted third-party model.  Every service 
has a long-term key associated with its principal in the Kerberos 
database.  Therefore, to ensure a ticket's integrity, the KDC encrypts 
the ticket contents with the long-term key associated with the service 
principal the ticket is issued for.  The only two parties that know 
this key are the service and the KDC.  Once the user sends this ticket 
(along with an authenticator to thwart replay attacks) to the service, 
then the service can decrypt and read the contents of the ticket with 
its long-term key.

In Kerberos, there is no such thing as 'logging out' - some Kerberos 
implementations will automatically destroy your credential cache when 
you log out of your local workstation.  Others require a user to 
manually destroy their credential cache.  Either way, tickets are only 
valid for a pre-determined period of time anyway, so a ticket that's 
already expired is of little use to an attacker.  A ticket that is 
still valid may still be subject to IP address restrictions (although 
MS AD and other popular implementations request addressless tickets by 
default).

Shameless plug: you can find more information on Kerberos security 
topics in my O'Reilly book "Kerberos: the Definitive Guide".

Hope this helps.

-- jason
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2365 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20031206/c3dc69e9/attachment.bin

More information about the Kerberos mailing list