NSA backdoor risks in Kerberos
Russ Allbery
eagle at eyrie.org
Wed Apr 2 14:45:03 EDT 2014
Benjamin Kaduk <kaduk at MIT.EDU> writes:
> The core Kerberos protocol itself is pretty well-analyzed, and unlikely
> to have been backdoored. There could potentially be issues with the
> crypto primitives used by a particular Kerberos implementation or
> encryption type (e.g., PRNG, block cipher, and hash function), but such
> issues would have much broader consequences than just Kerberos. AES is
> probably fine, but, say, the MD4 hash function used in arcfour-hmac's
> string-to-key is not so good, and as mentioned already RFC 6649
> deprecates some weak enctypes.
With Kerberos, it's always worth being aware that it's a trusted central
authentication system. A compromise of the KDC is a total compromise of
the realm, and the compromise doesn't have to be active. All you need is
a copy of the keys, and then you can basically do anything you want in a
way that's extremely hard to detect.

If I were a sophisticated attacker who was attempting to compromise a
Kerberos infrastructure, I wouldn't attack the crypto. I'd backdoor the
KDC using any of the many tools available for compromising a single
system. In most situations, that would be substantially easier than
attacking the crypto and harder to detect afterwards.
--
Russ Allbery (eagle at eyrie.org) <http://www.eyrie.org/~eagle/>