On Thu, Jan 31, 2002 at 09:56:47AM -0500, Nicolas Williams wrote:
> On Thu, Jan 31, 2002 at 08:15:13AM -0600, Jacques A. Vidrine wrote:
> > On Thu, Jan 31, 2002 at 08:41:40AM -0500, Nicolas Williams wrote:
> > > NIS is public. Kerberos is not. With NIS you just query the NIS servers
> > > and you've got the hashes to work with. With Kerberos you must sniff the
> > > wire to gather ciphertext for cryptanalysis.
> > 
> > Only if the KDC is correctly configured, which it probably is not.
> > MIT, Heimdal, and Windows 2000 implementations default with no pre-
> > authentication turned on.[1] Also, even if preauthentication is on,
> > one can still abuse the TGS exchange to get the material needed for a
> > dictionary attack, unless the KDC administrator has been careful.
> 
> Come now, turning on pa-enc-timestamp pre-auth is very easy and mostly
> transparent. Switching to stronger pre-auth types is harder; replacing
> NIS is harder still.

What's your point?  You asserted above that one must eavesdrop
to attack Kerberos.  I assert that this is not the case in many
situations.

> > > In the real world today most LANs are switched and corporate WANs tend
> > > to be encrypted. This makes it rather difficult to snoop on the wires.
> > > (In the Internet, as opposed to the intranet, WANs are not often
> > > encrypted though.)
> > 
> > So what?  ARP poisoning can be used to steal the traffic even on
> > switched networks.  The most serious attacks come from the inside,
> > where VPNs and other measures do nothing to reduce the risk.
> 
> With switched networks an attacker has to try some active attacks to
> snoop.
> 
> With NIS they need only "ypcat passwd" once, which will almost certainly
> go undetected, and go offline.

Of course I'm not trying to say that NIS is more secure or as secure
as Kerberos.  However, you seem to be representing that similar
attacks are far more difficult or impossible with Kerberos.  This is
untrue.  It is irresponsible to suggest that a `switched LAN' is some
sort of a security measure.  It is not.

> With Kerberos attackers have to snoop the right network/hosts at the
> right time or, if pre-auth is not required, they have to perform AS-REQs
> for the principals they wish to attack *and* they must know the names of
> those principals a priori.
> 
> So with Kerberos the attacker can't try the equivalent of "ypcat passwd"
> without risking detection (or even at all since the attacker would have
> to know all the user principal names independently) and is very unlikely
> to be able to snoop AS exchanges for many users, and if pre-auth is
> turned on then they can't even accumulate ciphertext by actively trying
> AS-REQs.

I object:

= It is not all that difficult for an attacker to arrange to sniff lots
  of AS exchanges.  Again, I'm not comparing it to `ypcat passwd' ---
  but one can't just sweep this possibility under the carpet.

= Even with preauthentication, you can still accumulate ciphertext
  _without_ eavesdropping unless the administrator has taken special
  precautions: precautions which (like preauthentication) are not the
  default policy in new installations of MIT, Heimdal, or Windows 2000
  KDCs.

> > > So in the real world an attacker has to be more active to perform
> > > dictionary attacks on Kerberos than on NIS.
> > 
> > Yes, a little more.
> 
> A lot more. See above.

OK, for the script kiddie, a lot more.  But for the semi-sophisticated
attacker --- the one you are worried about --- a little more.  You
have WAY too much faith in the network.

> [...]
> 
> > We need SRP or PDM as a `preauthentication'[2] method.  It has been
> > mentioned that John Brezak and Ken Raeburn are working on an I-D for
> > one or both of these.  Let's hope they produce one soon!
> 
> I don't understand your second footnote.

The word `preauthentication' implies that the AS-REQ message
authenticates the user to the KDC.  Neither SRP nor PDM provides
authentication to the KDC in a two-message exchange.

> > Active (online) dictionary attacks are easy to detect and are not a
> > real risk, IMHO.
> 
> Right, and with Kerberos you force the attacker to be far more active
> than with NIS. Ergo Kerberos is significantly stronger than NIS wrt weak
> passwords.  And because of its pre-auth extensibility, the ability to
> perform password quality checks when users change their passwords and
> the ability to enforce password aging, Kerberos is really much stronger
> and has a much longer useful life than NIS, which is really past its
> useful life now.

Again, I'm not defending NIS --- dog knows I hate it --- but Kerberos
does not have a monopoly on password quality checks and password
aging.  These can be and are implemented in NIS shops as well.


In summary, the point of our disagreement seems to be that you think
requiring eavesdropping significantly raises the bar for attackers.
I disagree when considering attackers other than vandals and script
kiddies.  A second point is that I believe there are lots of Kerberos
installations out there where eavesdropping is not required to collect
ciphertext for a dictionary attack.

Cheers,
-- 
Jacques A. Vidrine <[EMAIL PROTECTED]>                     http://www.nectar.cc/
NTT/Verio SME           .      FreeBSD UNIX      .        Heimdal Kerberos
[EMAIL PROTECTED]      .   [EMAIL PROTECTED]   .           [EMAIL PROTECTED]
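
An added example, not part of the original message or of any KDC distribution: a defender-side audit that reads MIT `kadmin` `getprinc` output and reports password-based principals lacking the attributes that keep a KDC from handing out ciphertext to anyone who asks. The message does not name the TGS-side precaution; the `DISALLOW_SVR` attribute is assumed here, and the realm, principal names and sample output are constructed.

```python
# Constructed sample: abridged `kadmin.local -q "getprinc NAME"` output for
# four principals in a hypothetical realm EXAMPLE.ORG.
SAMPLE = """\
Principal: alice@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Principal: bob@EXAMPLE.ORG
Attributes: REQUIRES_PRE_AUTH
Principal: carol@EXAMPLE.ORG
Attributes:
Principal: host/mail.example.org@EXAMPLE.ORG
Attributes:
"""

# Flags a password-derived key should carry, and what is exposed without them.
WANTED = {
    "REQUIRES_PRE_AUTH": "KDC returns AS-REP ciphertext to any requester",
    "DISALLOW_SVR": "service tickets under this key can be requested",
}

def parse_principals(text):
    """Return {principal name: set of attribute flags}."""
    found, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Principal":
            current = value.strip()
            found[current] = set()
        elif key.strip() == "Attributes" and current is not None:
            found[current] = set(value.split())
    return found

def is_password_principal(name):
    """Heuristic (assumption): names with an instance are random-key
    host/service principals, except */admin; plain names are users."""
    primary = name.rsplit("@", 1)[0]
    return "/" not in primary or primary.endswith("/admin")

def audit(text):
    """Return {principal: sorted missing flags} for password principals."""
    report = {}
    for name, flags in parse_principals(text).items():
        missing = sorted(set(WANTED) - flags)
        if missing and is_password_principal(name):
            report[name] = missing
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```
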
