confusion in ank.
Ken Raeburn
raeburn at MIT.EDU
Mon Apr 23 13:40:08 EDT 2007
On Apr 23, 2007, at 13:07, Daniel Kahn Gillmor wrote:
> i agree that it's worthwhile to support expiration policy for
> randomly-generated keys. One could even argue for iteratively
> applying password-quality policies to randomy-generated keys from a
> pragmatic approach:
>
> In the unlikely event the randomly-generated key happens to be
> guessable by common tools (dictionary attacks, limited character
> classes, etc), it's probably worth generating a new random key. While
> this reduces the overall space of possible random keys, it does keep
> the random keys out of the (admittedly tiny) space regularly probed by
> the most common brute force attackers.
Because of how salt strings are factored into the key generation
process (except in the case of RC4), a dictionary attack based on
passwords is going to have to incorporate specific salt strings --
which in normal cases means incorporating the principal name in the
attack. Which means an attacker would presumably know when they're
attacking a service key that's likely to have been randomly
generated, versus a user's password-derived key. (And Microsoft's
server passwords should be long enough and random enough to evade
dictionary attacks.)
(Insert plug for my "randomize salt on password change" idea here,
which would prohibit even building the dictionary of keys without
talking to the KDC first to get the salt string.)
I think an attacker continuing to use a dictionary in that case would
be wasting cycles compared with simply trying 00...000, 00...001,
etc. Should we also eliminate all the keys that are likely to be hit
early in a simple sequential brute-force probe? That sort of thing
simply changes where the clueful attacker starts his attack, and
that's the attacker I'd be more concerned about.
The salt-less RC4 cryptosystem kind of puts a crimp in this, in that
you could use a dictionary of generated keys to try decrypting a
bunch of messages, without paying attention to whether the messages
were encrypted in a user's key or a randomized service key. Except,
the distinction between uses of the initiator's key and the
acceptor's key and a session key is generally pretty easy to make;
only when a service is initiating authentication (getting tickets so
it can authenticate to another service) would I expect randomized
principal keys to come under dictionary attack. Even so, it's not a
case I'm going to lose any sleep over; 2**128 is a pretty big
number. If we were generating password strings randomly, then maybe,
but not while we're randomly generating the bits of the key themselves.
Ken
More information about the Kerberos
mailing list