On Thu, Jan 31, 2002 at 09:42:51AM -0600, Jacques A. Vidrine wrote:
> On Thu, Jan 31, 2002 at 09:56:47AM -0500, Nicolas Williams wrote:
> > Come now, turning on pa-enc-timestamp pre-auth is very easy and mostly
> > transparent. Switching to stronger pre-auth types is harder; replacing
> > NIS is harder still.
>
> What's your point? You asserted above that one must eavesdrop
> to attack Kerberos. I assert that this is not the case in many
> situations.

You stated that with some Kerberos implementations the default setting
is to not require pre-auth. So I explained that it's very easy to
require pre-auth, because it really is.

[...]

> Of course I'm not trying to say that NIS is more secure or as secure
> as Kerberos. However, you seem to be representing that similar
> attacks are far more difficult or impossible with Kerberos. This is
> untrue. It is irresponsible to suggest that a `switched LAN' is some
> sort of a security measure. It is not.

Such attacks are harder and are less likely to yield success against
Kerberos V than against NIS. I did not say "impossible." I won't
argue this further.

> I object:
>
> = It is not all that difficult for an attacker to arrange to sniff lots
> of AS exchanges. Again, I'm not comparing it to `ypcat passwd' ---
> but one can't just sweep this possibility under the carpet.

How hard it is to sniff lots of AS exchanges depends on the network at
hand. In some cases it could be really hard; in others it could be
trivial. In any case it still remains true that you can only observe
AS exchanges that are being done while snooping - whereas with NIS you
can get all the password hashes for a domain in one fell swoop.

> = Even with preauthentication, you can still accumulate ciphertext
> _without_ eavesdropping unless the administrator has taken special
> precautions: precautions which (like preauthentication) are not the
> default policy in new installations of MIT, Heimdal, or Windows 2000
> KDCs.

It's trivial to make a KDC require pa-enc-timestamp pre-auth and is
practically transparent from the clients' point of view.

> > A lot more. See above.
>
> OK, for the script kiddie, a lot more. But for the semi-sophisticated
> attacker --- the one you are worried about --- a little more. You
> have WAY too much faith in the network.

I said that switched networks make it harder to snoop without engaging
in active (as opposed to passive) attacks. Active attacks can be
detected, whereas passive snooping can't be.

This argument is silly. There's always a weakness somewhere. Kerberos
V is generally not the biggest weakness. The original poster wanted to
know whether Kerberos is more secure than NIS. Kerberos V is much more
secure than NIS, though it only replaces the authentication
functionality of NIS, not the name service functionality.

[...]

> > I don't understand your second footnote.
>
> The word `preauthentication' implies that the AS-REQ message
> authenticates the user to the KDC. Neither SRP nor PDM provide
> authentication to the KDC in a two-message exchange.

Ah, yes. True. Multi-round-trip pre-auth is acceptable to me and
nothing in RFC1510 prevents multi-round-trip pre-auth designs.

[...]

> Again, I'm not defending NIS --- dog knows I hate it --- but Kerberos
> does not have a monopoly on password quality checks and password
> aging. These can be and are implemented in NIS shops as well.

Not centrally. And the NIS password changing protocol is horribly weak
(it requires sending the old password in cleartext).

> In summary, the point of our disagreement seems to be that you think
> requiring eavesdropping significantly raises the bar for attackers.

Well, yes, it does for dictionary attacks, as compared with NIS. Mind
you, if you only use NIS and not Kerberos then you can probably sniff
cleartext passwords because you probably also use telnet, ftp and
friends. But I would not argue that making snooping difficult is
enough, by itself, to make anything secure. It is merely a mitigation.

> I disagree when considering attackers other than vandals and script
> kiddies. A second point is that I believe there are lots of Kerberos
> installations out there where eavesdropping is not required to collect
> ciphertext for a dictionary attack.

Those sites can fix themselves fairly easily, unless they are running
really, really old Kerberos V software.

> Cheers,
> --
> Jacques A. Vidrine <[EMAIL PROTECTED]> http://www.nectar.cc/

Cheers,

Nico
--
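The message above says that making a KDC require pa-enc-timestamp pre-auth is trivial, but does not show how an administrator would find the principals that still lack it. What follows is an added example, not code from either poster: a Python script that parses the text MIT Kerberos `kadmin.local -q "getprinc NAME"` prints for each principal, reports the ones without the REQUIRES_PRE_AUTH attribute (the ones whose AS-REQ would be answered with ciphertext before any pre-authentication), and generates the `modprinc +requires_preauth` commands that set the flag. The sample data, the realm EXAMPLE.COM and the function names are constructed for the example; the `Principal:` and `Attributes:` line formats are those of MIT kadmin.

```python
"""Audit MIT Kerberos principals for the REQUIRES_PRE_AUTH attribute.

Added example (not from the mailing-list thread): parses concatenated
'getprinc' output and lists principals whose AS-REQ would still be
answered without pre-authentication. The sample below is constructed,
not real KDC output.
"""
from typing import Dict, List, Set

# Constructed sample mimicking MIT kadmin 'getprinc' output for four principals.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes: REQUIRES_PRE_AUTH
Policy: default

Principal: bob@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Attributes:
Policy: default

Principal: host/db1.example.com@EXAMPLE.COM
Expiration date: [never]
Attributes:
Policy: [none]

Principal: carol@EXAMPLE.COM
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
Policy: [none]
"""


def parse_getprinc(text: str) -> Dict[str, Set[str]]:
    """Map each 'Principal:' block to the set of flags on its 'Attributes:' line.

    A principal with an empty 'Attributes:' line gets an empty set.
    """
    records: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            records[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            records[current] = set(line.split(":", 1)[1].split())
    return records


def principals_without_preauth(records: Dict[str, Set[str]],
                               ignore_services: bool = True) -> List[str]:
    """Return principals lacking REQUIRES_PRE_AUTH, sorted by name.

    Service principals (a '/' in the name part) normally have random keys,
    so their AS-REP ciphertext is not dictionary-attackable; skip them by
    default. Pass ignore_services=False to list every principal.
    """
    missing = []
    for princ, attrs in sorted(records.items()):
        if "REQUIRES_PRE_AUTH" in attrs:
            continue
        if ignore_services and "/" in princ.split("@", 1)[0]:
            continue
        missing.append(princ)
    return missing


def fix_commands(principals: List[str]) -> List[str]:
    """kadmin commands that set the flag on each listed principal."""
    return [f"modprinc +requires_preauth {p}" for p in principals]


if __name__ == "__main__":
    recs = parse_getprinc(SAMPLE_GETPRINC)
    for cmd in fix_commands(principals_without_preauth(recs)):
        print(cmd)
```

To run it against a real database, feed it the concatenated output of `kadmin.local -q "getprinc NAME"` for each principal instead of the constructed sample, and paste the generated `modprinc` lines into `kadmin.local`. Setting `default_principal_flags = +preauth` in the realm section of MIT's kdc.conf makes new principals get the flag without a per-principal fix.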
