NSA backdoor risks in Kerberos
Benjamin Kaduk
kaduk at MIT.EDU
Wed Apr 2 12:47:31 EDT 2014

On Tue, 1 Apr 2014, Chris Hecker wrote:
>
> I hope this won't turn into a giant thread, I'm just looking for some
> succinct facts and/or links to thoughtful discussion, I'm not interested
> in a bunch of opinions or a flame war or anything like that, and I don't
> think that'd be appropriate for this list or help anybody. But here goes:
>
> Has there been a technical writeup of potential backdoor risks in
> Kerberos, similar to the stuff that keeps coming out about various RSA
> products:

I'm unaware of a writeup.

The core Kerberos protocol itself is pretty well-analyzed, and unlikely to
have been backdoored. There could potentially be issues with the crypto
primitives used by a particular Kerberos implementation or encryption type
(e.g., PRNG, block cipher, and hash function), but such issues would have
much broader consequences than just Kerberos. AES is probably fine, but,
say, the MD4 hash function used in arcfour-hmac's string-to-key is not so
good, and as mentioned already RFC 6649 deprecates some weak enctypes.

There are various extensions to the Kerberos protocol which may have
received less analysis than the core protocol; I have not attempted to
survey the literature.

-Ben Kaduk
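
An added example, not part of the original message or of any Kerberos distribution's code: a small audit of the [libdefaults] section of an MIT-style krb5.conf that flags the enctypes RFC 6649 deprecates and the arcfour-hmac family whose MD4-based string-to-key is mentioned above. The sample configuration is constructed, and the enctype name sets assume MIT krb5 spellings.

```python
import re

# Deprecated by RFC 6649 (single DES, export RC4); MIT krb5 spellings assumed.
RFC6649_DEPRECATED = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                      "arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"}
# Not covered by RFC 6649, but its string-to-key is an unsalted MD4 of the password.
RC4_HMAC = {"rc4", "arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac des-cbc-crc
    default_tkt_enctypes = DEFAULT -des
"""

def audit_krb5_conf(text):
    """Return (key, value, reason) findings for the [libdefaults] section."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in TRUE_VALUES:
            findings.append((key, value, "weak enctypes are not filtered out"))
        elif key in ENCTYPE_KEYS:
            for tok in re.split(r"[,\s]+", value):
                name = tok.lower()
                if not name or name.startswith("-"):   # "-des" removes an enctype
                    continue
                if name in RFC6649_DEPRECATED:
                    findings.append((key, tok, "deprecated by RFC 6649"))
                elif name in RC4_HMAC:
                    findings.append((key, tok, "MD4-based string-to-key"))
    return findings

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_CONF):
        print("%s: %s (%s)" % finding)
```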