On Thu, 31 Jan 2002, Andreas Hasenack wrote:

> I'm sure at least the developers have read Thomas Wu's paper[1]
> titled "A Real-World Analysis of Kerberos Password Security".
> Weak user passwords are not a new problem.
>
> Basically, he says that a dictionary attack can be quite effective,
> and cracked over 2,000 passwords in two weeks on a 25k user kerberos
> realm (and over 50% were 8 characters in length).

- There are several inaccuracies in that paper. At the time Mr. Wu mounted his attack there was no quality checking of most of the passwords in the database. None of the passwords he cracked would have passed the strength checking algorithm. But fundamentally, yes kerberos 4 is subject to dictionary attacks and password strengthening is just a stopgap at best.

> Using pre-auth
> with timestamp doesn't make things look much better, one can still
> sniff the network and make the same attack.
>

- Yes, but it's much more difficult to mount the kind of mass attack you can without preauth.

> So, the question I'm about to make is this: how can this be better
> than NIS, for example? :)
>
> I can grab password hashes from NIS (either via ypcat or sniffing
> the network) and run a dictionary attack on them, the same thing
> I can do with kerberos it seems. What am I missing?

- Not much. In principle it's the same thing, in practice one is more difficult than the other, but if you want theoretical security I suggest you look elsewhere. What kerberos prevents is users sending cleartext passwords or password equivalents over the network.

>
> It also doesn't seem to matter if I use DES or 3DES, as dictionary
> attacks are far easier than DES.
>

- Now you're being silly. Of course it matters.

> Has somebody implemented SRP as suggested in the paper?

- Not that I know of, I told Mr. Wu it would be a good idea 5 years ago, but I don't think he much cares about kerberos, or my opinion for that matter.

- The problem you have is basically the balance of convenience vs. security. You have to balance the amount of secret data kept on each host you want to access vs the difficulty of moving that data around. I happen to think that Kerberos is a reasonable compromise that allows you to give authentication services to applications and people that you don't want to trust with the "keys to the kingdom". But you are absolutely correct, it does not eliminate the risk of sniffing, just cleartext passwords over the net.

- Booker C. Bense
