Security pointers about Kerberos5 realms open to a WAN
Ken Raeburn
raeburn at MIT.EDU
Wed Nov 1 19:41:49 EST 2006
As Tom says, Kerberos was designed to be used on open networks. With
the exception of the old DES-based types (a bad idea to use nowadays,
but supported for backwards compatibility for places that haven't
updated yet), the encryption schemes should be reasonably solid, and
all of the data critical for authentication should be properly
encrypted. (If it isn't, we haven't found the problem yet.) But the
initial design was done a number of years ago, and the attacks of
concern today may be different from what people (at least, the people
working on Kerberos) were thinking about then.
There may be a few places where man-in-the-middle attacks could cause
failures, even some that may not be immediately obvious, but such an
attack should not be able to cause authentication to appear to be
successful when it shouldn't be. (At least, if the applications are
written correctly. Look up "Zanarotti attack" in your favorite
search engine.) As I recall, there was one paper describing how a
MITM could replace the credentials being acquired from the KDC on the
way to the user with some other blob of data, and intercept the fake
"credentials" the user tries to send to an application server and
replace them with the real thing, with the user never noticing. The
attacker couldn't *use* the credentials, though, or trick the user
into authenticating to a different service. So, is it a problem?
I'm inclined to say no, but it's open for debate.
There are also probably cases where the user's privacy could be
better guarded -- e.g., encrypting certain bits of data, like service
names of credentials being requested from the KDC, rather than just
doing some integrity checks. On the other hand, the endpoints of
your TCP streams may reveal roughly the same information anyways.
An attacker could also use an open KDC to probe for valid account
names. Even if the attacker can't guess the password (and without
any preauthentication schemes enabled, the default mechanism is
vulnerable to offline attacks), the account names may be of use for
social-engineering attacks.
For my part, I'm not too worried about these issues, though some
would be good to address eventually. And MIT has been running openly-
accessible Kerberos servers for many years now, without it being a
problem.
Ken
More information about the Kerberos
mailing list