Preventing an attacker to steal credential and to compromise a whole kerberized network?

Nico Williams nico at cryptonector.com
Tue Oct 11 13:54:38 EDT 2011


On Tue, Oct 11, 2011 at 12:35 PM, Simo Sorce <simo at redhat.com> wrote:
> On Tue, 2011-10-11 at 08:55 -0700, Mike Spinzer wrote:

Kerberos is a network security protocol.  It *assumes* and *requires*
local security.  You might say that Kerberos *extends* local security
to the network.  Kerberos is not a local security facility.

Of course, Kerberos should not make local security weaker for using Kerberos.

Suppose you were using something entirely different from Kerberos for
network security.  Say, SSH with public keys, or with plain passwords,
or with SRP, or J-PAKE.  Or TLS with user certificates, or PSK.  Or
whatever else.  Whatever alternative you choose to use will have some
credential (private keys, shared secrets such as passwords), and that
credential will be as subject to theft as a Kerberos credential.

Yeah, I know, I'm piling on.  But it's important to state the local
security requirement of all network security protocols explicitly.

> I don't know if Ubuntu includes support, but you can try using the
> kernel keyring to store credentials. That should make it more difficult
> for an attacker to get access to keys, although not impossible I guess.

If the attacker has full local access then the kernel keyrings must be
assumed to be readable by the attacker.  Even if they have much less
than full local access.  For example, if the attacker has access as
the victim user.  (Which is why there's no point storing large,
unbounded objects, such as Kerberos ccaches, in a keyring.  Smaller,
*bounded* credentials are useful to store in keyrings but only doing
so simplifies management, as there are no files to destroy on logout,
for example.)  Even if the attacker's level of access denies them
direct read access to the credentials, if the attacker can use the
credentials it's bad enough.

Local security is a prerequisite for any network security protocol.

Nico
--


