|
DataMuseum.dkPresents historical artifacts from the history of: DKUUG/EUUG Conference tapes |
This is an automatic "excavation" of a thematic subset of
See our Wiki for more about DKUUG/EUUG Conference tapes Excavated with: AutoArchaeologist - Free & Open Source Software. |
top - metrics - downloadIndex: T U
Length: 149544 (0x24828)
Types: TextFile
Notes: Uncompressed file
└─⟦4f9d7c866⟧ Bits:30007245 EUUGD6: Sikkerheds distributionen
└─⟦de280d66e⟧ »./papers/Kerberos/kerblimit.usenix.ps.Z«
└─⟦this⟧
%!PS
%%Version: 3.1
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.1 prologue for troff files.
%
/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/xoffset 0 def
/yoffset 0 def
/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def
/R /Times-Roman def
/I /Times-Italic def
/B /Times-Bold def
/BI /Times-BoldItalic def
/H /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
/VR /Varitimes#Roman def
/VI /Varitimes#Italic def
/VB /Varitimes#Bold def
/VX /Varitimes#BoldItalic def
/S /S def
/S1 /S1 def
/GR /Symbol def
/inch {72 mul} bind def
/min {2 copy gt {exch} if pop} bind def
/setup {
counttomark 2 idiv {def} repeat pop
landscape {/orientation 90 orientation add def} if
/scaling 72 resolution div def
linewidth setlinewidth
1 setlinecap
pagedimensions
xcenter ycenter translate
orientation neg rotate
width 2 div neg height 2 div translate
xoffset inch yoffset inch neg translate
margin 2 div dup neg translate
magnification dup aspectratio mul scale
scaling scaling scale
/Symbol /S Sdefs cf
/Times-Roman /S1 S1defs cf
0 0 moveto
} def
/pagedimensions {
useclippath userdict /gotpagebbox known not and {
/pagebbox [clippath pathbbox newpath] def
roundpage currentdict /roundpagebbox known and {roundpagebbox} if
} if
pagebbox aload pop
4 -1 roll exch 4 1 roll 4 copy
landscape {4 2 roll} if
sub /width exch def
sub /height exch def
add 2 div /xcenter exch def
add 2 div /ycenter exch def
userdict /gotpagebbox true put
} def
/pagesetup {
/page exch def
currentdict /pagedict known currentdict page known and {
page load pagedict exch get cvx exec
} if
} def
/decodingdefs [
{counttomark 2 idiv {y moveto show} repeat}
{neg /y exch def counttomark 2 idiv {y moveto show} repeat}
{neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
{neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
{counttomark 2 idiv {y moveto show} repeat}
{neg setfunnytext}
] def
/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def
/w {neg moveto show} bind def
/m {neg dup /y exch def moveto} bind def
/done {/lastpage where {pop lastpage} if} def
/f {
dup /font exch def findfont exch
dup /ptsize exch def scaling div dup /size exch def scalefont setfont
linewidth ptsize mul scaling 10 mul div setlinewidth
/spacewidth ( ) stringwidth pop def
} bind def
/sf {f} bind def
/cf {
dup length 2 idiv
/entries exch def
/chtab exch def
/newfont exch def
findfont dup length 1 add dict
/newdict exch def
{1 index /FID ne {newdict 3 1 roll put} {pop pop} ifelse} forall
newdict /Metrics entries dict put
newdict /Metrics get
begin
chtab aload pop
1 1 entries {pop def} for
newfont newdict definefont pop
end
} bind def
%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
% /radical [0 -75 550 0]
% /radicalex [-50 -75 500 0]
%
/Sdefs [
/bracketlefttp [220 500]
/bracketleftbt [220 500]
/bracketrighttp [-70 380]
/bracketrightbt [-70 380]
/braceleftbt [220 490]
/bracketrightex [220 -125 500 0]
/radical [0 0 550 0]
/radicalex [-50 0 500 0]
/parenleftex [-20 -170 0 0]
/integral [100 -50 500 0]
/infinity [10 -75 730 0]
] def
/S1defs [
/underscore [0 80 500 0]
/endash [7 90 650 0]
] def
%%EndProlog
%%BeginSetup
mark
/resolution 720 def
setup
2 setdecoding
%%EndSetup
%%Page: 1 1
save
mark
1 pagesetup
22 B f
(Limitations of the Kerberos)3 2665 1 1907 782 t
(Authentication System\262)1 2262 1 2109 1002 t
12 R f
(Steven M. Bellovin)2 959 1 2074 1194 t
12 S1 f
(\261)3073 1194 w
12 R f
(AT&T Bell Laboratories)2 1214 1 3191 1194 t
(Michael Merritt)1 776 1 2166 1314 t
12 S1 f
(\261)2982 1314 w
12 R f
(AT&T Bell Laboratories)2 1214 1 3100 1314 t
12 B f
(ABSTRACT)2914 1578 w
10 R f
( has been)2 421(The Kerberos authentication system, a part of MIT's Project Athena,)9 2963 2 1656 1781 t
( Kerberos's many strengths, it has a number of)8 1938( Despite)1 373(adopted by other organizations.)3 1289 3 1440 1891 t
( environment;)1 572( are due to speci\256cs of the MIT)7 1341( Some)1 299(limitations and some weaknesses.)3 1388 4 1440 2001 t
( discuss a number of such)5 1164( We)1 223( in the protocol design.)4 1027(others represent de\256ciencies)2 1186 4 1440 2111 t
( also demonstrate how special-)4 1303( We)1 214( them.)1 268(problems, and present solutions to some of)6 1815 4 1440 2221 t
(purpose cryptographic hardware may be needed in some cases.)8 2576 1 1440 2331 t
10 B f
(INTRODUCTION)1598 2551 w
10 R f
(The Kerberos authentication system)3 1466 1 1116 2716 t
8 R f
([Stei88, Mill87,)1 514 1 2582 2716 t
(Brya88])900 2826 w
10 R f
( the needs of)3 552(was introduced by MIT to meet)5 1342 2 1202 2826 t
( has since been adopted by a)6 1376( It)1 159(Project Athena.)1 661 3 900 2936 t
( other organizations for their own pur-)6 1746(number of)1 450 2 900 3046 t
( a possible standard.)3 855(poses, and is being discussed as)5 1341 2 900 3156 t
( premature.)1 467(In our view, both these decisions may be)7 1729 2 900 3266 t
( and)1 287(Kerberos has a number of limitations)5 1909 2 900 3376 t
(weaknesses; a decision to adopt or reject it cannot)8 2196 1 900 3486 t
( issues.)1 316(properly be made without considering these)5 1880 2 900 3596 t
(\(A)900 3706 w
10 I f
(limitation)1039 3706 w
10 R f
( feature that is not as general as one)8 1488(is a)1 145 2 1463 3706 t
(might like, while a)3 807 1 900 3816 t
10 I f
(weakness)1751 3816 w
10 R f
(could be exploited by)3 923 1 2173 3816 t
( to defeat the authentication mechanism.\))5 1742(an attacker)1 454 2 900 3926 t
( current)1 324(Some improvements can be made within the)6 1872 2 900 4036 t
( optional mechanisms would)3 1294( for)1 191(design. Support)1 711 3 900 4146 t
( to environments radi-)3 921(extend Kerberos's applicability)2 1275 2 900 4256 t
(cally different from MIT.)3 1038 1 900 4366 t
(These problems fall into several categories.)5 1980 1 1116 4509 t
( the Project Athena environment.)4 1463(Some stem from)2 733 2 900 4619 t
( environment; if the)3 863(Kerberos was designed for that)4 1333 2 900 4729 t
( system)1 334(basic assumptions differ, the authentication)4 1862 2 900 4839 t
( problems are)2 561( Other)1 293(may need to be changed as well.)6 1342 3 900 4949 t
( of)1 124( Some)1 302( the protocol design.)3 864(simply de\256ciencies in)2 906 4 900 5059 t
( the proposed Version 5 of)5 1242(these are corrected in)3 954 2 900 5169 t
(Kerberos,)900 5279 w
8 R f
([Kohl89])1290 5279 w
10 R f
( the solved prob-)3 725( Even)1 280( all.)1 167(but not)1 299 4 1625 5279 t
( the code for Version 4)5 1017(lems merit discussion, since)3 1179 2 900 5389 t
( prob-)1 263( some)1 259( Finally,)1 390(has been widely disseminated.)3 1284 4 900 5499 t
( are not solvable without employ-)5 1396(lems with Kerberos)2 800 2 900 5609 t
( what the)2 440(ing special-purpose hardware, no matter)4 1756 2 900 5719 t
( each of)2 377( will consider)2 604( We)1 226(design of the protocol.)3 989 4 900 5829 t
(these areas in turn.)3 772 1 900 5939 t
( not suggesting)2 660(We wish to stress that we are)6 1320 2 1116 6082 t
( the contrary \320 an)4 848( Quite)1 305(that Kerberos is useless.)3 1043 3 900 6192 t
(attacker capable of carrying out any of the attacks)8 2196 1 900 6302 t
( of)1 120(listed here could penetrate a typical network)6 1846 2 900 6412 t
8 R f
(UNIX)2896 6412 w
10 R f
( to a net-)3 403( Kerberos)1 406( Adding)1 374(systems far more easily.)3 1013 4 900 6522 t
( circumstances,)1 700(work will, under virtually all)4 1496 2 900 6632 t
(signi\256cantly increase its security; our criticisms focus)6 2196 1 900 6742 t
cleartomark restore
%%BeginGlobal
%
% Version 3.1 drawing procedures for dpost. Automatically pulled in, but only
% when needed.
%
/inpath false def
/savematrix matrix currentmatrix def
/Dl {
inpath
{pop pop neg lineto}
{newpath neg moveto neg lineto stroke}
ifelse
} bind def
/De {
/y1 exch 2 div def
/x1 exch 2 div def
neg exch x1 add exch translate
x1 y1 scale
0 0 1 0 360
inpath
{1 0 moveto arc savematrix setmatrix}
{newpath arc savematrix setmatrix stroke}
ifelse
} bind def
/Da {
/dy2 exch def
/dx2 exch def
/dy1 exch def
/dx1 exch def
dy1 add neg exch dx1 add exch
dx1 dx1 mul dy1 dy1 mul add sqrt
dy1 dx1 neg atan
dy2 neg dx2 atan
inpath
{arc}
{newpath arc stroke}
ifelse
} bind def
/DA {
/dy2 exch def
/dx2 exch def
/dy1 exch def
/dx1 exch def
dy1 add neg exch dx1 add exch
dx1 dx1 mul dy1 dy1 mul add sqrt
dy1 dx1 neg atan
dy2 neg dx2 atan
inpath
{arcn}
{newpath arcn stroke}
ifelse
} bind def
/Ds {
/y2 exch def
/x2 exch def
/y1 exch def
/x1 exch def
/y0 exch def
/x0 exch def
x0 5 x1 mul add 6 div
y0 5 y1 mul add -6 div
x2 5 x1 mul add 6 div
y2 5 y1 mul add -6 div
x1 x2 add 2 div
y1 y2 add -2 div
inpath
{curveto}
{newpath x0 x1 add 2 div y0 y1 add -2 div moveto curveto stroke}
ifelse
} bind def
%%EndGlobal
save mark
16 R f
1980 6891 900 6891 Dl
9 R f
( October,)1 362(\262A version of this paper was published in the)8 1834 2 900 6991 t
(1990 issue of)2 495 1 900 7091 t
9 I f
(Computer Communications Review)2 1290 1 1425 7091 t
9 R f
(.)2715 7091 w
10 R f
( Further,)1 386(on the extent to which security is improved.)7 1810 2 3384 2551 t
( to the protocols that substan-)5 1220(we recommend changes)2 976 2 3384 2661 t
(tially increase security.)2 939 1 3384 2771 t
( speci\256c utility in production, Ker-)5 1523(Beyond its)1 457 2 3600 2914 t
( function by focusing interest on)5 1346(beros serves a major)3 850 2 3384 3024 t
( the network authentication)3 1255(practical solutions to)2 941 2 3384 3134 t
( elegant protocol design and wide avai-)6 1617(problem. The)1 579 2 3384 3244 t
( audience.)1 422(lability of the code has galvanized a wide)7 1774 2 3384 3354 t
( our critique is intended to)5 1117(Far from a condemnation,)3 1079 2 3384 3464 t
(contribute to an understanding of Kerberos's proper-)6 2196 1 3384 3574 t
( of)1 144(ties and to in\257uence its evolution into a tool)8 2052 2 3384 3684 t
(greater power and utility.)3 1033 1 3384 3794 t
(Several of the problems we point out are men-)8 1980 1 3600 3937 t
( paper or)2 558(tioned in the original Kerberos)4 1638 2 3384 4047 t
(elsewhere.)3384 4157 w
8 R f
([Davi90])3807 4157 w
10 R f
( pro-)1 203(For some of these, we present)5 1247 2 4130 4157 t
( solve, or at least ameliorate,)5 1200(tocol improvements that)2 996 2 3384 4267 t
( squarely in)2 514(the problem; for others, we place them)6 1682 2 3384 4377 t
(the context of the intended Kerberos environment.)6 2058 1 3384 4487 t
10 B f
(Version 5, Draft 3)3 789 1 3384 4734 t
10 R f
( of the)2 279(Since this paper was written, a new draft)7 1701 2 3600 4871 t
( \256nal)1 238( protocol has been released, and a)6 1559(Version 5)1 399 3 3384 4981 t
( promised.)1 444(speci\256cation is)1 618 2 3384 5091 t
8 R f
([Kohl90])4446 5091 w
10 R f
(Many of the prob-)3 795 1 4785 5091 t
( Others)1 339( have been corrected.)3 891(lems we discuss herein)3 966 3 3384 5201 t
( The)1 239( we have found a few new ones.)7 1461(remain, and)1 496 3 3384 5311 t
( as we)2 293(ultimate resolution of these issues is unclear)6 1903 2 3384 5421 t
( a brief analysis of)4 949( Consequently,)1 685(go to press.)2 562 3 3384 5531 t
( presented in an appendix, rather than in)7 1784( is)1 119(Draft 3)1 293 3 3384 5641 t
(the main body of the document.)5 1311 1 3384 5751 t
10 B f
(Focus on Security)2 777 1 3384 5998 t
10 R f
( though we)2 480(Kerberos is a security system; thus,)5 1500 2 3600 6135 t
( and ef\256ciency, our)3 878(address issues of functionality)3 1318 2 3384 6245 t
(primary emphasis is on the security of Kerberos in a)9 2196 1 3384 6355 t
( that security-)2 661( means)1 337( This)1 293(general environment.)1 905 4 3384 6465 t
( few in number and)4 940(critical assumptions must be)3 1256 2 3384 6575 t
( network)1 383( the widest utility, the)4 998( For)1 229(stated clearly.)1 586 4 3384 6685 t
( Speci\256cally,)1 564(must be considered as completely open.)5 1632 2 3384 6795 t
( network is)2 464(the protocols should be secure even if the)7 1732 2 3384 6905 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
(Dallas, TX)1 464 1 2011 7450 t
10 R f
(1)5530 7450 w
cleartomark
showpage
restore
%%EndPage: 1 1
%%Page: 2 2
save
mark
2 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
10 R f
( complete control of an adversary.)5 1518(under the)1 404 2 540 672 t
8 I f
(1)2462 640 w
10 R f
(This)2558 672 w
(means that defeating the protocol should require the)7 2196 1 540 782 t
(adversary to invert the encryption algorithm or to)7 2196 1 540 892 t
( to be)2 348(subvert a principal speci\256cally assumed)4 1848 2 540 1002 t
( such a strong design goal can jus-)7 1443(trustworthy. Only)1 753 2 540 1112 t
( doors in)2 384( ``steel)1 292( \(No)1 231(tify the expense of encryption.)4 1289 4 540 1222 t
( believe that Kerberos can meet)5 1375( We)1 218(paper walls''.\))1 603 3 540 1332 t
( goal with only minor modi\256cations,)5 1602(this ambitious)1 594 2 540 1442 t
(retaining its essential character.)3 1282 1 540 1552 t
( bear a performance)3 895(Some of our suggestions)3 1085 2 756 1695 t
( the design of suggested)4 1080(penalty; others complicate)2 1116 2 540 1805 t
( more organizations make use of)5 1415(enhancements. As)1 781 2 540 1915 t
( its func-)2 389(Kerberos, pressures to enhance or augment)5 1807 2 540 2025 t
( has)1 187( Security)1 419(tionality and ef\256ciency will increase.)4 1590 3 540 2135 t
( There)1 327(real costs, and the bene\256ts are intangible.)6 1869 2 540 2245 t
( and explicit emphasis on secu-)5 1321(must be a continuing)3 875 2 540 2355 t
(rity as the overriding requirement.)4 1399 1 540 2465 t
10 B f
(Validation)540 2712 w
10 R f
( to design and implement a)5 1205(It is not suf\256cient)3 775 2 756 2849 t
( though apparently)2 819( systems,)1 403( Such)1 294(security system.)1 680 4 540 2959 t
( \257aws.)1 298(adequate when designed, may have serious)5 1898 2 540 3069 t
(Consequently, systems must be subjected to the)6 2196 1 540 3179 t
( consequence of this is)4 948( A)1 141( possible.)1 389(strongest scrutiny)1 718 4 540 3289 t
( be designed and implemented in a)6 1567(that they must)2 629 2 540 3399 t
( has a)2 251( Kerberos)1 434(manner that facilitates such scrutiny.)4 1511 3 540 3509 t
(number of problems in this area as well.)7 1659 1 540 3619 t
10 B f
(WHAT'S A KERBEROS?)2 1151 1 1062 3811 t
10 R f
( it is)2 225(Before discussing speci\256c problem areas,)4 1755 2 756 3976 t
( is)1 116( Kerberos)1 447(helpful to review Kerberos Version 4.)5 1633 3 540 4086 t
(an)540 4196 w
10 I f
(authentication)682 4196 w
10 R f
( a)1 93(system; it provides evidence of)4 1335 2 1308 4196 t
10 I f
(principal)540 4306 w
10 R f
( either a)2 343( principal is generally)3 904( A)1 142('s identity.)1 440 4 907 4306 t
( A)1 163( on some machine.)3 848(user or a particular service)4 1185 3 540 4416 t
(principal consists of the three-tuple)4 1441 1 540 4526 t
10 S1 f
(<)915 4680 w
10 I f
(primaryname)987 4680 w
10 R f
(,)1533 4680 w
10 I f
(instance)1607 4680 w
10 R f
(,)1948 4680 w
10 I f
(realm)2022 4680 w
10 S1 f
(>)2279 4680 w
10 R f
(.)2335 4680 w
( principal is a user \320 a genuine person \320 the)10 1970(If the)1 226 2 540 4834 t
10 I f
(primary name)1 573 1 540 4944 t
10 R f
( the)1 156(is the login identi\256er, and)4 1065 2 1148 4944 t
10 I f
(instance)2403 4944 w
10 R f
( particular attributes of the)4 1111(is either null or represents)4 1085 2 540 5054 t
(user, i.e.,)1 380 1 540 5164 t
10 CW f
(root)962 5164 w
10 R f
( service name is)3 688( a service, the)3 599(. For)1 239 3 1210 5164 t
( name is)2 371(used as the primary name and the machine)7 1825 2 540 5274 t
( instance, i.e.,)2 601(used as the)2 492 2 540 5384 t
10 CW f
(rlogin.myhost)1684 5384 w
10 R f
(. The)1 264 1 2472 5384 t
10 I f
(realm)540 5494 w
10 R f
( authen-)1 340(is used to distinguish among different)5 1583 2 813 5494 t
(tication domains; thus, there need not be one giant)8 2196 1 540 5604 t
( Kerberos database)2 852(\320 and universally trusted \320)4 1344 2 540 5714 t
(serving an entire company.)3 1105 1 540 5824 t
16 R f
1620 6391 540 6391 Dl
8 R f
(1)606 6459 w
9 R f
(The Project Athena Technical Plan)4 1466 1 646 6491 t
7 R f
([Mill87, section 2])2 624 1 2112 6491 t
9 R f
( simpler threat environment, where eavesdrop-)5 1778(describes a)1 418 2 540 6591 t
( concern.)1 375(ping and host impersonation are of primary)6 1821 2 540 6691 t
( no means)2 388(While this may be appropriate for MIT, it is by)9 1808 2 540 6791 t
( situation where)2 622( for example, a)3 608( Consider,)1 423(generally true.)1 543 4 540 6891 t
(general-purpose hosts also function as routers, and packet)7 2196 1 540 6991 t
(modi\256cation or deletion become signi\256cant concerns.)5 1968 1 540 7091 t
10 R f
5180 672 2984 672 Dl
( Notation)1 416(Table 1:)1 338 2 3744 1002 t
10 I f
(c)3086 1222 w
10 R f
(client principal)1 610 1 3653 1222 t
10 I f
(s)3086 1332 w
10 R f
(server principal)1 631 1 3653 1332 t
10 I f
(tgs)3086 1442 w
10 R f
(ticket-granting server)1 864 1 3653 1442 t
10 I f
(K)3086 1552 w
7 I f
(x)3164 1572 w
10 R f
(private key of ``)3 669 1 3653 1552 t
10 I f
(x)4322 1552 w
10 R f
('')4366 1552 w
10 I f
(K)3086 1662 w
7 I f
(c)3164 1682 w
7 R f
(,)3200 1682 w
7 I f
(s)3223 1682 w
10 R f
(session key for ``)3 714 1 3653 1662 t
10 I f
(c)4367 1662 w
10 R f
('' and ``)2 342 1 4411 1662 t
10 I f
(s)4753 1662 w
10 R f
('')4792 1662 w
10 S f
({)3086 1772 w
10 I f
( o)1 58(in f)1 122 2 3142 1772 t
10 S f
(})3330 1772 w
10 I f
(K)3386 1772 w
7 I f
(x)3464 1792 w
10 R f
(``)3653 1772 w
10 I f
( o)1 58(in f)1 122 2 3719 1772 t
10 R f
('' encrypted in key)3 780 1 3899 1772 t
10 I f
(K)4712 1772 w
7 I f
(x)4790 1792 w
10 S f
({)3086 1882 w
10 I f
(T)3142 1882 w
7 I f
(c)3209 1902 w
7 R f
(,)3245 1902 w
7 I f
(s)3268 1902 w
10 S f
(})3311 1882 w
10 I f
(K)3367 1882 w
7 I f
(s)3445 1902 w
10 R f
(Encrypted ticket for ``)3 913 1 3653 1882 t
10 I f
(c)4566 1882 w
10 R f
('' to use ``)3 442 1 4610 1882 t
10 I f
(s)5052 1882 w
10 R f
('')5091 1882 w
10 S f
({)3086 1992 w
10 I f
(A)3142 1992 w
7 I f
(c)3214 2012 w
10 S f
(})3261 1992 w
10 I f
(K)3317 1992 w
7 I f
(c)3395 2012 w
7 R f
(,)3431 2012 w
7 I f
(s)3454 2012 w
10 R f
(Encrypted authenticator for ``)3 1212 1 3653 1992 t
10 I f
(c)4865 1992 w
10 R f
('' to)1 177 1 4909 1992 t
(use ``)1 232 1 3782 2102 t
10 I f
(s)4014 2102 w
10 R f
('')4053 2102 w
10 I f
(addr)3086 2212 w
10 R f
(client's IP address)2 748 1 3653 2212 t
5180 2432 2984 2432 Dl
(Kerberos principals may obtain)3 1319 1 3240 2795 t
10 I f
(tickets)4606 2795 w
10 R f
(for ser-)1 312 1 4908 2795 t
( server known as the)4 972(vices from a special)3 912 2 3024 2905 t
10 I f
(ticket-)4971 2905 w
(granting server)1 637 1 3024 3015 t
10 R f
(, or)1 151 1 3661 3015 t
10 I f
(TGS)3855 3015 w
10 R f
( ticket contains assorted)3 1014(. A)1 173 2 4033 3015 t
( principal, encrypted in)3 1037(information identifying the)2 1159 2 3024 3125 t
( is summar-)2 498( \(Notation)1 454( key of the service.)4 808(the private)1 436 4 3024 3235 t
(ized in Table 1.\))3 678 1 3024 3345 t
10 S f
({)2971 3499 w
10 I f
(T)3027 3499 w
7 I f
(c)3094 3519 w
7 R f
(,)3130 3519 w
7 I f
(s)3153 3519 w
10 S f
(})3196 3499 w
10 I f
(K)3252 3499 w
7 I f
(s)3330 3519 w
10 S f
(= {)1 119 1 3381 3499 t
10 I f
(s)3508 3499 w
10 R f
(,)3555 3499 w
10 I f
(c)3629 3499 w
10 R f
(,)3681 3499 w
10 I f
(addr)3755 3499 w
10 R f
(,)3952 3499 w
10 I f
(timestamp)4026 3499 w
10 R f
(,)4445 3499 w
10 I f
( etime)1 224(li f)1 100 2 4519 3499 t
10 R f
(,)4851 3499 w
10 I f
(K)4925 3499 w
7 I f
(c)5003 3519 w
7 R f
(,)5039 3519 w
7 I f
(s)5062 3519 w
10 S f
(})5105 3499 w
10 I f
(K)5161 3499 w
7 I f
(s)5239 3519 w
10 R f
( and the service share the private)6 1361(Since only Kerberos)2 835 2 3024 3653 t
(key)3024 3763 w
10 I f
(K)3221 3763 w
7 I f
(s)3299 3783 w
10 R f
( The)1 242( be authentic.)2 593(, the ticket is known to)5 1051 3 3334 3763 t
( new private session key,)4 1185(ticket contains a)2 743 2 3024 3873 t
10 I f
(K)5023 3873 w
7 I f
(c)5101 3893 w
7 R f
(,)5137 3893 w
7 I f
(s)5160 3893 w
10 R f
(,)5195 3873 w
( well; this key may be used to)7 1275(known to the client as)4 921 2 3024 3983 t
(encrypt transactions during the session.)4 1605 1 3024 4093 t
8 I f
(2)4629 4061 w
10 R f
(To guard against)2 765 1 3240 4236 t
10 I f
(replay attacks)1 611 1 4077 4236 t
10 R f
(, all tickets)2 532 1 4688 4236 t
(presented are accompanied by an)4 1355 1 3024 4346 t
10 I f
(authenticator)4412 4346 w
10 R f
(:)4951 4346 w
10 S f
({)3327 4500 w
10 I f
(A)3383 4500 w
7 I f
(c)3455 4520 w
10 S f
(})3502 4500 w
10 I f
(K)3558 4500 w
7 I f
(c)3636 4520 w
7 R f
(,)3672 4520 w
7 I f
(s)3695 4520 w
10 S f
(= {)1 119 1 3746 4500 t
10 I f
(c)3873 4500 w
10 R f
(,)3925 4500 w
10 I f
(addr)3999 4500 w
10 R f
(,)4196 4500 w
10 I f
(timestamp)4270 4500 w
10 S f
(})4689 4500 w
10 I f
(K)4745 4500 w
7 I f
(c)4823 4520 w
7 R f
(,)4859 4520 w
7 I f
(s)4882 4520 w
10 R f
( string encrypted in the session key)6 1566(This is a brief)3 630 2 3024 4654 t
( time does not)3 663(and containing a timestamp; if the)5 1533 2 3024 4764 t
( the \(predetermined\))2 882(match the current time within)4 1314 2 3024 4874 t
(clock skew limits, the request is assumed to be)8 2196 1 3024 4984 t
(fraudulent.)3024 5094 w
( client needs bidirectional)3 1056(For services where the)3 924 2 3240 5237 t
(authentication, the server can reply with)5 1642 1 3024 5347 t
10 S f
({)3698 5501 w
10 I f
(timestamp)3754 5501 w
10 S f
(+)4189 5501 w
10 R f
(1)4260 5501 w
10 S f
(})4318 5501 w
10 I f
(K)4374 5501 w
7 I f
(c)4452 5521 w
7 R f
(,)4488 5521 w
7 I f
(s)4511 5521 w
10 R f
( the server was able to read)6 1241(This demonstrates that)2 955 2 3024 5655 t
10 I f
(timestamp)3024 5765 w
10 R f
( that it)2 302(from the authenticator, and hence)4 1434 2 3484 5765 t
(knew)3024 5875 w
10 I f
(K)3273 5875 w
7 I f
(c)3351 5895 w
7 R f
(,)3387 5895 w
7 I f
(s)3410 5895 w
10 R f
(; that in turn is only available in the ticket,)9 1775 1 3445 5875 t
(which is encrypted in the server's private key.)7 1896 1 3024 5985 t
( the TGS by sending)4 898(Tickets are obtained from)3 1082 2 3240 6128 t
(a)3024 6238 w
10 I f
(request)3101 6238 w
(s)3539 6392 w
10 R f
(,)3586 6392 w
10 S f
({)3660 6392 w
10 I f
(T)3716 6392 w
7 I f
(c)3783 6412 w
7 R f
(,)3819 6412 w
7 I f
(tgs)3842 6412 w
10 S f
(})3940 6392 w
10 I f
(K)3996 6392 w
7 I f
(tgs)4074 6412 w
10 R f
(,)4172 6392 w
10 S f
({)4246 6392 w
10 I f
(A)4302 6392 w
7 I f
(c)4374 6412 w
10 S f
(})4421 6392 w
10 I f
(K)4477 6392 w
7 I f
(c)4555 6412 w
7 R f
(,)4591 6412 w
7 I f
(tgs)4614 6412 w
10 R f
( words, an ordinary ticket/authenticator pair)5 1862(In other)1 334 2 3024 6546 t
( known as the)3 639(is used; the ticket is)4 909 2 3024 6656 t
10 I f
(ticket-granting)4626 6656 w
16 R f
4104 6791 3024 6791 Dl
8 R f
(2)3090 6859 w
9 R f
(Technically speaking,)1 806 1 3130 6891 t
9 I f
(K)3974 6891 w
6 I f
(c)4044 6909 w
6 R f
(,)4075 6909 w
6 I f
(s)4095 6909 w
9 R f
(is a)1 138 1 4163 6891 t
9 I f
(multi-session key)1 634 1 4339 6891 t
9 R f
(, since)1 247 1 4973 6891 t
( contacts with that server during the life of)8 1598(it is used for all)4 598 2 3024 6991 t
(the ticket.)1 363 1 3024 7091 t
10 B f
(2 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 2 2
%%Page: 3 3
save
mark
3 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 I f
(ticket)900 672 w
10 R f
( for server)2 445( TGS responds with a ticket)5 1198(. The)1 255 3 1116 672 t
10 I f
(s)3057 672 w
10 R f
(and a copy of)3 585 1 900 782 t
10 I f
(K)1525 782 w
7 I f
(c)1603 802 w
7 R f
(,)1639 802 w
7 I f
(s)1662 802 w
10 R f
( private key)2 499(, all encrypted with a)4 900 2 1697 782 t
(shared by the TGS and the principal:)6 1518 1 900 892 t
10 S f
({ {)1 104 1 1521 1046 t
10 I f
(T)1633 1046 w
7 I f
(c)1700 1066 w
7 R f
(,)1736 1066 w
7 I f
(s)1759 1066 w
10 S f
(})1802 1046 w
10 I f
(K)1858 1046 w
7 I f
(s)1936 1066 w
10 R f
(,)1979 1046 w
10 I f
(K)2012 1046 w
7 I f
(c)2090 1066 w
7 R f
(,)2126 1066 w
7 I f
(s)2149 1066 w
10 S f
(})2192 1046 w
10 I f
(K)2248 1046 w
7 I f
(c)2326 1066 w
7 R f
(,)2362 1066 w
7 I f
(tgs)2385 1066 w
10 R f
(The session key)2 654 1 900 1200 t
10 I f
(K)1587 1200 w
7 I f
(c)1665 1220 w
7 R f
(,)1701 1220 w
7 I f
(s)1724 1220 w
10 R f
(is a newly-chosen random key.)4 1271 1 1792 1200 t
(The key)1 362 1 1116 1343 t
10 I f
(K)1541 1343 w
7 I f
(c)1619 1363 w
7 R f
(,)1655 1363 w
7 I f
(tgs)1678 1363 w
10 R f
(and the ticket-granting ticket)3 1265 1 1831 1343 t
( client)1 268( The)1 234(itself, are obtained at session-start time.)5 1694 3 900 1453 t
(sends a message to Kerberos with a principal name;)8 2196 1 900 1563 t
(Kerberos responds with)2 964 1 900 1673 t
10 S f
({)1493 1827 w
10 I f
(K)1549 1827 w
7 I f
(c)1627 1847 w
7 R f
(,)1663 1847 w
7 I f
(tgs)1686 1847 w
10 R f
(,)1784 1827 w
10 S f
({)1817 1827 w
10 I f
(T)1873 1827 w
7 I f
(c)1940 1847 w
7 R f
(,)1976 1847 w
7 I f
(tgs)1999 1847 w
10 S f
(})2097 1827 w
10 I f
(K)2153 1827 w
7 I f
(tgs)2231 1847 w
10 S f
(})2329 1827 w
10 I f
(K)2385 1827 w
7 I f
(c)2463 1847 w
10 R f
(The client key)2 617 1 900 1981 t
10 I f
(K)1565 1981 w
7 I f
(c)1643 2001 w
10 R f
(is derived from a non-invertible)4 1366 1 1730 1981 t
( all)1 154( Thus,)1 312(transform of the user's typed password.)5 1730 3 900 2091 t
(privileges depend ultimately on this one key.)6 1844 1 900 2201 t
( of)1 129(Note that servers must possess private keys)6 1851 2 1116 2344 t
( keys)1 234( These)1 322( to decrypt tickets.)3 816(their own, in order)3 824 4 900 2454 t
( location on the server's)4 1159(are stored in a secure)4 1037 2 900 2564 t
(machine.)900 2674 w
10 B f
(THE KERBEROS ENVIRONMENT)2 1607 1 1194 2866 t
10 R f
( environment)1 586(The Project Athena computing)3 1394 2 1116 3031 t
( less)1 240(consists of a large number of more or)7 1956 2 900 3141 t
( and a smaller number of)5 1145(anonymous workstations,)1 1051 2 900 3251 t
( pro-)1 203( servers)1 320( The)1 226(large autonomous server machines.)3 1447 4 900 3361 t
(vide volatile \256le storage, print spooling, mailboxes,)6 2196 1 900 3471 t
( some computing power; the worksta-)5 1682(and perhaps)1 514 2 900 3581 t
( for most interaction and computing.)5 1595(tions are used)2 601 2 900 3691 t
( disks)1 254(Generally, they possess local disks, but these)6 1942 2 900 3801 t
( contain no long-term)3 929(are effectively read-only; they)3 1267 2 900 3911 t
( they are not physically)4 1132( Furthermore,)1 632(user data.)1 432 3 900 4021 t
( or)1 130(secure; someone so inclined could remove, read,)6 2066 2 900 4131 t
(alter any portion of the disk without hindrance.)7 1937 1 900 4241 t
( the primary need is for)5 984(Within this environment)2 996 2 1116 4384 t
( is, when a user)4 730( That)1 269(user-to-server authentication.)1 1197 3 900 4494 t
( needs access)2 565(sits down at a workstation, that person)6 1631 2 900 4604 t
( workstation)1 507( The)1 223(to private \256les residing on a server.)6 1466 3 900 4714 t
( no need to)3 522(itself has no such \256les, and hence has)7 1674 2 900 4824 t
(contact the server or even to identify itself.)7 1769 1 900 4934 t
( in marked contrast to a typical)6 1429(This is)1 301 2 1116 5077 t
8 R f
(UNIX)2896 5077 w
10 R f
( have)1 231( systems do)2 505( Such)1 277(system's view of the world.)4 1183 4 900 5187 t
( network)1 362( Assorted)1 423( own \256les.)2 434(an identity, and they do)4 977 4 900 5297 t
(daemons transfer \256les in the background, clock dae-)7 2196 1 900 5407 t
(mons perform management functions, electronic mail)5 2196 1 900 5517 t
( a machine relied on)4 893( such)1 230( If)1 146(and news arrives, etc.)3 927 4 900 5627 t
( \256les, it would have to assert, and)7 1433(servers to store its)3 763 2 900 5737 t
( these)1 266(possibly prove, an identity when talking to)6 1930 2 900 5847 t
( Project Athena workstations are neither)5 1665(servers. The)1 531 2 900 5957 t
( of such; they in effect function)6 1361(capable nor in need)3 835 2 900 6067 t
( com-)1 254(as very smart terminals with substantial local)6 1942 2 900 6177 t
(puting power, rather than as full computer systems.)7 2106 1 900 6287 t
8 I f
(3)3006 6255 w
10 R f
( Simply)1 385(What does this mean for Kerberos?)5 1595 2 1116 6430 t
( is designed to authenticate the end-)6 1575(this: Kerberos)1 621 2 900 6540 t
( keyboard \320)2 561(user \320 the human being sitting at the)7 1635 2 900 6650 t
( not a peer-to-peer)3 787( is)1 111( It)1 138(to some number of servers.)4 1160 4 900 6760 t
( used by one)3 661(system; it is not intended to be)6 1535 2 900 6870 t
16 R f
1980 6991 900 6991 Dl
8 R f
(3)966 7059 w
9 R f
(We regard this as a feature, not a bug.)8 1426 1 1006 7091 t
10 R f
( com-)1 257(computer's daemons when contacting another)4 1939 2 3384 672 t
( a mode)2 358( to use Kerberos in such)5 1072(puter. Attempting)1 766 3 3384 782 t
(can cause trouble.)2 733 1 3384 892 t
8 I f
(4)4117 860 w
10 R f
( statement for several reasons.)4 1357(We make this)2 623 2 3600 1035 t
(First and foremost, typical computer systems do not)7 2196 1 3384 1145 t
( Kerberos, a plain-)3 769( In)1 150( secure key storage area.)4 1012(have a)1 265 4 3384 1255 t
(text key must be used in the initial dialog to obtain a)11 2196 1 3384 1365 t
( storing plaintext keys in a)5 1113( But)1 213(ticket-granting ticket.)1 870 3 3384 1475 t
( to be a bad idea;)5 719(machine is generally felt)3 1011 2 3384 1585 t
8 R f
([Morr79])5114 1585 w
10 R f
(if a)1 138 1 5442 1585 t
(Kerberos key that a machine uses for itself is)8 2196 1 3384 1695 t
(compromised, the intruder can likely impersonate)5 2196 1 3384 1805 t
( computer, by impersonating requests)4 1537(any user on that)3 659 2 3384 1915 t
( \(i.e., \256le mounts or)4 918(vouched for by that machine)4 1278 2 3384 2025 t
10 CW f
(cron)3384 2135 w
10 R f
(jobs\).)3663 2135 w
8 I f
(5)3888 2103 w
10 R f
(Additionally, the session keys returned)4 1613 1 3967 2135 t
( be stored securely; of necessity,)5 1387(by the TGS cannot)3 809 2 3384 2245 t
( to)1 135(they are stored in some area accessible)6 1731 2 3384 2355 t
10 CW f
(root)5307 2355 w
10 R f
(.)5555 2355 w
( crack the protection)3 994(Thus, if the intruder can)4 1202 2 3384 2465 t
( \320 or, perhaps)3 704(mechanism on the local computer)4 1492 2 3384 2575 t
( for some limited)3 746(more to the point, work around it)6 1450 2 3384 2685 t
( all current session keys can be stolen.)7 1693(purposes \320)1 503 2 3384 2795 t
( a breach of the primary Ker-)6 1210(This is less serious than)4 986 2 3384 2905 t
( limited)1 330(beros key, of course, since session keys are)7 1866 2 3384 3015 t
( and scope; nevertheless, one does not)6 1744(in lifetime)1 452 2 3384 3125 t
(wish these keys exposed.)3 1028 1 3384 3235 t
( multi-user)1 456(This points out a second \257aw when)6 1524 2 3600 3378 t
(computers employ Kerberos, either on their own)6 2196 1 3384 3488 t
( cached keys are acces-)4 984( the)1 194( their users:)2 494(behalf or for)2 524 4 3384 3598 t
( a)1 90( In)1 162( in at the same time.)5 910(sible to attackers logged)3 1034 4 3384 3708 t
( has)1 186(workstation environment, only the current user)5 2010 2 3384 3818 t
( system resources; there is little or no need)8 1823(access to)1 373 2 3384 3928 t
(even to enable remote login to that workstation.)7 2196 1 3384 4038 t
(There are many reasons for this; a consequence,)7 2196 1 3384 4148 t
( the intruder simply cannot approach)5 1582(though, is that)2 614 2 3384 4258 t
( lock.)1 236(the safe door to try to pick its)7 1265 2 3384 4368 t
8 I f
(6)4885 4336 w
10 R f
(Only when the)2 616 1 4964 4368 t
(legitimate user leaves can the attacker attempt to \256nd)8 2196 1 3384 4478 t
( no longer available; Ker-)4 1077( the keys are)3 537( But)1 215(the keys.)1 367 4 3384 4588 t
( at logoff time,)3 654(beros attempts to wipe out old keys)6 1542 2 3384 4698 t
( With)1 274( through the debris.)3 825(leaving the attacker to sift)4 1097 3 3384 4808 t
( other hand, an attacker)4 973(a multi-user computer, on the)4 1223 2 3384 4918 t
(has concurrent access to the keys if there are \257aws in)10 2196 1 3384 5028 t
(the host's security.)2 768 1 3384 5138 t
( Kerberos)1 420(There are two other minor \257aws in)6 1560 2 3600 5281 t
( there)1 243( First,)1 286( to the environment.)3 862(directly attributable)1 805 4 3384 5391 t
( where keys should be cached.)5 1258(is some question about)3 938 2 3384 5501 t
( Project Athena machines have local)5 1540(Since all of the)3 656 2 3384 5611 t
(disks, the original code used)4 1283 1 3384 5721 t
10 CW f
(/tmp)4729 5721 w
10 R f
( this is)2 338(. But)1 265 2 4977 5721 t
( diskless workstations, where)3 1342(highly insecure on)2 854 2 3384 5831 t
10 CW f
(/tmp)3384 5941 w
10 R f
( a)1 137(exists on a \256le server; accordingly,)5 1727 2 3716 5941 t
( made to store keys in shared)6 1459(modi\256cation was)1 737 2 3384 6051 t
( there is no guarantee that shared)6 1379(memory. However,)1 817 2 3384 6161 t
( not paged; if this entails network traf\256c,)7 1752(memory is)1 444 2 3384 6271 t
16 R f
4464 6391 3384 6391 Dl
8 R f
(4)3450 6459 w
9 R f
( not a)2 227(More precisely, Kerberos is)3 1038 2 3490 6491 t
9 I f
(host-to-host)4791 6491 w
9 R f
(protocol.)5257 6491 w
(In Version 5, it has been extended to support user-to-user)9 2196 1 3384 6591 t
(authentication.)3384 6691 w
7 R f
([Davi90])3917 6691 w
8 R f
(5)3450 6759 w
9 R f
( assuming here that the machine \320)6 1387(Recall that we are)3 703 2 3490 6791 t
(and hence its superuser \320 needs an identity of its own.)10 2063 1 3384 6891 t
8 R f
(6)3450 6959 w
9 R f
( most)1 228(On Project Athena machines, remote access to)6 1862 2 3490 6991 t
(workstations is in fact disabled.)4 1168 1 3384 7091 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 3)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 3 3
%%Page: 4 4
save
mark
4 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
10 R f
(an intruder can capture these keys.)5 1419 1 540 672 t
( to)1 128(Finally, the Kerberos protocol binds tickets)5 1852 2 756 815 t
( on)1 170( usage is problematic on)4 1155( Such)1 304(IP addresses.)1 567 4 540 925 t
( than one IP)3 519(multi-homed hosts \(i.e., hosts with more)5 1677 2 540 1035 t
( multiple)1 397( workstations rarely have)3 1123(address\). Since)1 676 3 540 1145 t
( enhance secu-)2 626(addresses, this feature \320 intended to)5 1570 2 540 1255 t
( hosts)1 245( Multi-user)1 494( at MIT.)2 358(rity \320 was not a problem)5 1099 4 540 1365 t
( have multiple addresses, however, and can-)6 1852(often do)1 344 2 540 1475 t
( problem has been)3 771( This)1 250( limitation.)1 454(not live with this)3 721 4 540 1585 t
(\256xed in Version 5.)3 768 1 540 1695 t
10 B f
(PROTOCOL WEAKNESSES)1 1297 1 989 1887 t
(Replay Attacks)1 660 1 540 2052 t
10 R f
( not as resistant to)4 874(The Kerberos protocol is)3 1106 2 756 2189 t
( number of weaknesses)3 952( A)1 138(penetration as it should be.)4 1106 3 540 2299 t
( of an authen-)3 578(are apparent; the most serious is its use)7 1618 2 540 2409 t
(ticator to prevent replay attacks.)4 1315 1 540 2519 t
( of a timestamp)3 679(The authenticator relies on use)4 1301 2 756 2662 t
( problematic for)2 735( is)1 139( This)1 283(to guard against reuse.)3 1039 4 540 2772 t
( claim is made that no replays)6 1313( The)1 233(several reasons.)1 650 3 540 2882 t
( the authenticator)2 765(are likely within the lifetime of)5 1431 2 540 2992 t
( the)1 177( is reinforced by)3 738( This)1 265(\(typically \256ve minutes\).)2 1016 4 540 3102 t
( the)1 160(presence of the IP address in both the ticket and)9 2036 2 540 3212 t
( are not persuaded by this logic.)6 1429(authenticator. We)1 767 2 540 3322 t
( a ticket and)3 515(An intruder would not start by capturing)6 1681 2 540 3432 t
( then develop the software to use)6 1458(authenticator, and)1 738 2 540 3542 t
( in place before the)4 800(them; rather, everything would be)4 1396 2 540 3652 t
( two)1 206( us consider)2 537( Let)1 221(ticket-capture was attempted.)2 1232 4 540 3762 t
(examples.)540 3872 w
( described an attack)3 909(Some years ago, Morris)3 1071 2 756 4015 t
( increment rate of the initial)5 1342(based on the slow)3 854 2 540 4125 t
( counter in some TCP)4 1376(sequence number)1 820 2 540 4235 t
(implementations.)540 4345 w
8 R f
([Morr85])1232 4345 w
10 R f
( was)1 193(He demonstrated that it)3 977 2 1566 4345 t
( certain circumstances, to spoof one)5 1565(possible, under)1 631 2 540 4455 t
( TCP connection without)3 1090(half of a preauthenticated)3 1106 2 540 4565 t
( In)1 153( from the targeted host.)4 977(ever seeing any responses)3 1066 3 540 4675 t
( his attack would still work)5 1171(a Kerberos environment,)2 1025 2 540 4785 t
( but not)2 326(if accompanied by a stolen live authenticator,)6 1870 2 540 4895 t
( Alterna-)1 410( challenge/response protocol was used.)4 1635(if a)1 151 3 540 5005 t
( simply watch for a ``mail-)5 1208(tively, an intruder may)3 988 2 540 5115 t
( a user logs in brie\257y,)5 1021(checking'' session, wherein)2 1175 2 540 5225 t
( number of)2 486( A)1 153(reads a few messages, and logs out.)6 1557 3 540 5335 t
( such a session,)3 646(valuable tickets would be exposed by)5 1550 2 540 5445 t
( home direc-)2 522(notably the one used to mount the user's)7 1674 2 540 5555 t
( \320)1 141( that the lifetime of the authenticators)6 1600(tory. Note)1 455 3 540 5665 t
(5 minutes \320 contributes considerably to this attack.)7 2138 1 540 5775 t
( proposed Version 5 of Kerberos)5 1480(Further, the)1 500 2 756 5918 t
(anticipates alternative communication protocols in)4 2196 1 540 6028 t
( If)1 143( implement.)1 497(which such replays may be trivial to)6 1556 3 540 6138 t
( general-purpose)1 697(Kerberos is to be considered as a)6 1499 2 540 6248 t
( security-critical assump-)2 1079(utility, it must make few)4 1117 2 540 6358 t
(tions about the underlying network, and those must)7 2196 1 540 6468 t
(be explicit.)1 452 1 540 6578 t
( that the proper defense is)5 1093(It has been suggested)3 887 2 756 6721 t
( all live authenticators; thus, an)5 1299(for the server to store)4 897 2 540 6831 t
(attempt to reuse one can be detected.)6 1591 1 540 6941 t
8 R f
([Stei88])2131 6941 w
10 R f
(In fact,)1 303 1 2433 6941 t
( such)1 272(the original design of Kerberos required)5 1924 2 540 7051 t
( \(While)1 345(caching, though this was never implemented.)5 1851 2 3024 672 t
( rather than of)3 598(that is a feature of the implementation)6 1598 2 3024 782 t
(the protocol itself, a security feature is not very use-)9 2196 1 3024 892 t
(ful if it is too hard to implement.\))7 1395 1 3024 1002 t
(For several reasons, we do not think that cach-)8 1980 1 3240 1145 t
( on)1 140( First,)1 282(ing solves the problem.)3 981 3 3024 1255 t
8 R f
(UNIX)4460 1255 w
10 R f
(systems it is)2 520 1 4700 1255 t
(dif\256cult for TCP-based)2 1075 1 3024 1365 t
8 R f
([Post81])4099 1365 w
10 R f
(servers to store)2 752 1 4468 1365 t
( generally operate by forking)4 1234(authenticators. Servers)1 962 2 3024 1475 t
( incoming request.)2 781(a separate process to handle each)5 1415 2 3024 1585 t
( memory with)2 601(The child processes do not share any)6 1595 2 3024 1695 t
( convenient way)2 680(the parent process, and thus have no)6 1516 2 3024 1805 t
( and hence any other child servers \320)7 1573(to inform it \320)3 623 2 3024 1915 t
( are a)2 257( There)1 311( the authenticator used.)3 989(of the value of)3 639 4 3024 2025 t
( solutions \320 pipes, authenticator)4 1399(number of obvious)2 797 2 3024 2135 t
(servers, shared memory segments and the like \320 but)8 2196 1 3024 2245 t
( awkward, and some even raise authentication)6 1933(all are)1 263 2 3024 2355 t
( we know of no)4 745( date,)1 246( To)1 199(questions of their own.)3 1006 4 3024 2465 t
(multi-threaded server implementation which caches)4 2196 1 3024 2575 t
(authenticators.)3024 2685 w
(UDP-based)3240 2828 w
8 R f
([Post80])3700 2828 w
10 R f
( store the)2 432(query servers can)2 761 2 4027 2828 t
( as a single process gen-)5 1077(authenticators more easily,)2 1119 2 3024 2938 t
( requests; however, they)3 1042(erally handles all incoming)3 1154 2 3024 3048 t
( with legitimate retransmissions)3 1320(might have problems)2 876 2 3024 3158 t
( \(UDP)1 306( lost.)1 210(of the client's request if the answer was)7 1680 3 3024 3268 t
( thus, all)2 456(does not provide guaranteed delivery;)4 1740 2 3024 3378 t
(retransmissions happen from application level, and)5 2196 1 3024 3488 t
( requests)1 379( Legitimate)1 518( to the application.\))3 858(are visible)1 441 4 3024 3598 t
( and a security alarm raised inap-)6 1450(could be rejected,)2 746 2 3024 3708 t
( possible solution would be for the)6 1491(propriately. One)1 705 2 3024 3818 t
(application to generate a new authenticator when)6 2196 1 3024 3928 t
( other)1 261(retransmitting a request; were it not for the)7 1935 2 3024 4038 t
( authenticator scheme, this would)4 1432(weaknesses of the)2 764 2 3024 4148 t
(be acceptable.)1 572 1 3024 4258 t
10 B f
(Secure Time Services)2 925 1 3024 4505 t
10 R f
( on machines')2 670(As noted, authenticators rely)3 1310 2 3240 4642 t
( host can be)3 513( a)1 83( If)1 138(clocks being roughly synchronized.)3 1462 4 3024 4752 t
( authenticator)1 573(misled about the correct time, a stale)6 1623 2 3024 4862 t
( Since)1 309( trouble at all.)3 642(can be replayed without any)4 1245 3 3024 4972 t
(some time synchronization protocols are)4 2196 1 3024 5082 t
(unauthenticated,)3024 5192 w
8 R f
([Post83, Mill88])1 534 1 3681 5192 t
10 R f
(and hosts are still using)4 971 1 4249 5192 t
( despite the existence of better)5 1531(these protocols)1 665 2 3024 5302 t
(ones,)3024 5412 w
8 R f
([Mill89])3232 5412 w
10 R f
(such attacks are not dif\256cult.)4 1183 1 3534 5412 t
( authenti-)1 398(The design philosophy of building an)5 1582 2 3240 5555 t
( a secure time service is itself)6 1223(cation service on top of)4 973 2 3024 5665 t
( not make sense to)4 886( is, it may)3 503(questionable. That)1 807 3 3024 5775 t
( system assuming an already-)4 1244(build an authentication)2 952 2 3024 5885 t
( while)1 260( Furthermore,)1 594(authenticated underlying system.)2 1342 3 3024 5995 t
( be a)2 238(spoo\256ng an unauthenticated time service may)5 1958 2 3024 6105 t
( cryptographi-)1 603(dif\256cult programming task, it is not)5 1593 2 3024 6215 t
(cally dif\256cult.)1 610 1 3024 6325 t
8 I f
(7)3634 6293 w
10 R f
(Using time-based protocols in a)4 1471 1 3749 6325 t
( these)1 278(secure fashion means thinking through all)5 1918 2 3024 6435 t
( making the appropriate)3 1227(issues carefully and)2 969 2 3024 6545 t
16 R f
4104 6691 3024 6691 Dl
8 R f
(7)3090 6759 w
9 R f
( even neces-)2 472(In some environments, programming is not)5 1618 2 3130 6791 t
( fake WWV transmitters are not hard)6 1446(sary. Low-powered)1 750 2 3024 6891 t
( out)1 160(to build, and, if properly located, could easily block)8 2036 2 3024 6991 t
(the legitimate signal.)2 768 1 3024 7091 t
10 B f
(4 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 4 4
%%Page: 5 5
save
mark
5 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 R f
( As)1 188(synchronization an explicit part of the protocol.)6 2008 2 900 672 t
( proposed for more varied environments,)5 1720(Kerberos is)1 476 2 900 782 t
( secure time service becomes)4 1307(its dependence on a)3 889 2 900 892 t
(more problematic and must be stressed.)5 1621 1 900 1002 t
( use of a)3 455(As an alternative, we propose the)5 1525 2 1116 1145 t
( is)1 112( As)1 189(challenge/response authentication mechanism.)2 1895 3 900 1255 t
(done today, the client would present a ticket, though)8 2196 1 900 1365 t
( server would respond)3 935( The)1 230( authenticator.)1 588(without an)1 443 4 900 1475 t
( session)1 346(with a nonce identi\256er encrypted with the)6 1850 2 900 1585 t
(key)900 1695 w
10 I f
(K)1087 1695 w
7 I f
(c)1165 1715 w
7 R f
(,)1201 1715 w
7 I f
(s)1224 1715 w
10 R f
( func-)1 252(; the client would respond with some)6 1585 2 1259 1695 t
( proving that it)3 778(tion of that identi\256er, thereby)4 1418 2 900 1805 t
(possesses the session key.)3 1062 1 900 1915 t
( implementation is not without its costs,)6 1653(Such an)1 327 2 1116 2058 t
( extra pair of messages must be)6 1529( An)1 227(of course.)1 440 3 900 2168 t
( ticket is used, which rules out)6 1267(exchanged each time a)3 929 2 900 2278 t
( More)1 320( authenticated datagrams.)2 1109(the possibility of)2 767 3 900 2388 t
(seriously, all servers must then retain state to com-)8 2196 1 900 2498 t
( not a prob-)3 526( While)1 323(plete the authentication process.)3 1347 3 900 2608 t
( require substan-)2 687(lem for TCP-based servers, this may)5 1509 2 900 2718 t
( \(The)1 265(tial modi\256cation to UDP-based query servers.)5 1931 2 900 2828 t
( managing outstanding challenges may)4 1622(complexity of)1 574 2 900 2938 t
( live authenti-)2 583(be comparable to that needed to cache)6 1613 2 900 3048 t
( between a stateful and a)5 1028(cators \320 the trade-off is not)5 1168 2 900 3158 t
(stateless protocol, but in managing two kinds of)7 2196 1 900 3268 t
(state.\))900 3378 w
( difference)1 465(There is a sign\256cant philosophical)4 1515 2 1116 3521 t
( the current)2 476( In)1 152(between the two techniques, however.)4 1568 3 900 3631 t
( its assumptions about)3 926(Kerberos implementation, with)2 1270 2 900 3741 t
(the network environment, retained state is only)6 2196 1 900 3851 t
( The)1 407(necessary to enhance security.)3 1789 2 900 3961 t
( the other hand,)3 825(challenge/response scheme, on)2 1371 2 900 4071 t
( a more general environment,)4 1276(guarantees security in)2 920 2 900 4181 t
(but requires retained state to function at all.)7 1792 1 900 4291 t
( challenge/response)1 887(Instead of substituting)2 1093 2 1116 4434 t
( to extend the)3 607(throughout, a possible compromise is)4 1589 2 900 4544 t
( This)1 289(protocol with a challenge/response option.)4 1907 2 900 4654 t
( authenticate)1 535(option could be used, for example, to)6 1661 2 900 4764 t
( exchange)1 418(the user in the initial ticket-granting ticket)6 1778 2 900 4874 t
(and to access a time service.)5 1315 1 900 4984 t
8 I f
(8)2215 4952 w
10 R f
(Subsequent client-)1 779 1 2317 4984 t
( use the current time-based)4 1167(server interactions could)2 1029 2 900 5094 t
( synchronizing the servers remains a)5 1605(protocol. But)1 591 2 900 5204 t
( will lead to denial)4 812(problem; not synchronizing them)3 1384 2 900 5314 t
( access the time service as a)6 1245(of service, and if they)4 951 2 900 5424 t
( must somehow obtain and store a ticket)7 1733(client, they)1 463 2 900 5534 t
( storing)1 334( above on)2 448( \(See)1 265(and key to authenticate it.)4 1149 4 900 5644 t
( pos-)1 212( these complexities and)3 983( Given)1 318(keys in servers.\))2 683 4 900 5754 t
(sible weaknesses, it would seem reasonable to allow)7 2196 1 900 5864 t
( to insist on the challenge/response)5 1686(any service)1 510 2 900 5974 t
(option.)900 6084 w
( that the security of)4 811(Summarizing, we emphasize)2 1169 2 1116 6227 t
( on synchronized clocks.)3 1053(Kerberos depends critically)2 1143 2 900 6337 t
( the Kerberos protocols involve mutual)5 1727(In essence,)1 469 2 900 6447 t
(trust among four parties: the client, server, authenti-)7 2196 1 900 6557 t
(cation server and time server.)4 1209 1 900 6667 t
16 R f
1980 6991 900 6991 Dl
8 R f
(8)966 7059 w
9 R f
(This was suggested to us by Clifford Neuman.)7 1723 1 1006 7091 t
10 B f
(Password-Guessing Attacks)1 1194 1 3384 672 t
10 R f
(A second major class of attack on the Kerberos)8 1980 1 3600 809 t
(protocols involves an intruder recording login dialogs)6 2196 1 3384 919 t
( to mount a password-guessing assault.)5 1830(in order)1 366 2 3384 1029 t
(When a user requests)3 1006 1 3384 1139 t
10 I f
(T)4467 1139 w
7 I f
(c)4534 1159 w
7 R f
(,)4570 1159 w
7 I f
(tgs)4593 1159 w
10 R f
(\(the ticket-granting)1 820 1 4760 1139 t
( encrypted with)2 661(ticket\), the answer is returned)4 1259 2 3384 1249 t
10 I f
(K)5349 1249 w
7 I f
(c)5427 1269 w
10 R f
(, a)1 114 1 5466 1249 t
( from the)2 392(key derived by a publicly-known algorithm)5 1804 2 3384 1359 t
( password can)2 587( guess at the user's)4 794( A)1 140(user's password.)1 675 4 3384 1469 t
(be con\256rmed by calculating)3 1244 1 3384 1579 t
10 I f
(K)4696 1579 w
7 I f
(c)4774 1599 w
10 R f
(and using it to)3 699 1 4881 1579 t
( has)1 183( intruder who)2 586( An)1 204(decrypt the recorded answer.)3 1223 4 3384 1689 t
( of)1 125(recorded many such login dialogs has good odds)7 2071 2 3384 1799 t
( do)1 140(\256nding several new passwords; empirically, users)5 2056 2 3384 1909 t
(not pick good passwords unless forced to.)6 1907 1 3384 2019 t
8 R f
([Morr79,)5291 2019 w
(Gram84, Stol88])1 542 1 3384 2129 t
10 R f
( exponential key)2 804(We propose the use of)4 1176 2 3600 2272 t
(exchange)3384 2382 w
8 R f
([Diff76])3760 2382 w
10 R f
(to provide an additional layer of)5 1489 1 4091 2382 t
( the algorithm in)3 817( describing)1 491(encryption. Without)1 888 3 3384 2492 t
( parties exchanging)2 910(detail, it involves the two)4 1286 2 3384 2602 t
( compute a secret key.)4 961(numbers that each can use to)5 1235 2 3384 2712 t
( numbers were cal-)3 785(An outsider, not knowing how the)5 1411 2 3384 2822 t
(culated, cannot easily derive the key.)5 1517 1 3384 2932 t
( exponential key exchange would)4 1400(Such a use of)3 580 2 3600 3075 t
( from accumulating the)3 992(prevent a passive wiretapper)3 1204 2 3384 3185 t
(network equivalent of)2 1026 1 3384 3295 t
10 CW f
(/etc/passwd)4510 3295 w
10 R f
(. While)1 402 1 5178 3295 t
( exchange is normally vulnerable to)5 1538(exponential key)1 658 2 3384 3405 t
(active wiretaps, such attacks are comparatively rare,)6 2196 1 3384 3515 t
(especially if dedicated network routers are used.)6 1973 1 3384 3625 t
( \320 exponential key)3 836(Apart from licensing issues)3 1144 2 3600 3768 t
( by a U.S. patent \320 using it)7 1282(exchange is protected)2 914 2 3384 3878 t
( Odlyzko)1 402( and)1 201( LaMacchia)1 538(has its costs.)2 567 4 3384 3988 t
8 R f
([LaMa])5092 3988 w
10 R f
(have)5392 3988 w
( is quite)2 339(demonstrated that exchanging small numbers)4 1857 2 3384 4098 t
( ones is expensive in com-)5 1102(insecure, while using large)3 1094 2 3384 4208 t
( we have added extra)4 981( Additionally,)1 624(putation time.)1 591 3 3384 4318 t
( the)1 199(messages to the login dialog, and imposed)6 1997 2 3384 4428 t
( server.)1 302(requirement for considerable extra state in the)6 1894 2 3384 4538 t
( pass-)1 244(Given the trend towards hiding even encrypted)6 1952 2 3384 4648 t
(words on)1 379 1 3384 4758 t
8 R f
(UNIX)3791 4758 w
10 R f
(systems, and given estimates that half)5 1555 1 4025 4758 t
( within a two-week)3 867(of all logins at MIT are used)6 1329 2 3384 4868 t
( Perhaps)1 402( may be justi\256able.)3 845(period, the investment)2 949 3 3384 4978 t
( feature as a)3 604(the best solution is to support this)6 1592 2 3384 5088 t
(domain-speci\256c option.)1 952 1 3384 5198 t
( not prevent)2 497(Even exponential key exchange will)4 1483 2 3600 5341 t
( on how)2 388( Depending)1 529( attacks.)1 360(all password-guessing)1 919 4 3384 5451 t
( logs are analyzed, an intruder)5 1277(carefully the Kerberos)2 919 2 3384 5561 t
( for tickets are)3 657( Requests)1 447(need not even eavesdrop.)3 1092 3 3384 5671 t
( encrypted; an attacker could simply)5 1575(not themselves)1 621 2 3384 5781 t
( many different)2 715(request ticket-granting tickets for)3 1481 2 3384 5891 t
( to limit the)3 552( enhancement to the server,)4 1206(users. An)1 438 3 3384 6001 t
(rate of requests from a single source, may be useful.)9 2153 1 3384 6111 t
( the initial ticket)3 713(Alternatively, some portion of)3 1267 2 3600 6254 t
(request may be encrypted with)4 1409 1 3384 6364 t
10 I f
(K)4864 6364 w
7 I f
(c)4942 6384 w
10 R f
( a)1 114(, providing)1 485 2 4981 6364 t
( such)1 223(minimal authentication of the user to Kerberos,)6 1973 2 3384 6474 t
( to mount)2 418(that true eavesdropping would be required)5 1778 2 3384 6584 t
( we are preparing this manuscript,)5 1503( \(As)1 231(this attack.)1 462 3 3384 6694 t
(just such a suggestion is being hotly debated on the)9 2196 1 3384 6804 t
( originally overlooked an)3 1070( We)1 217(Kerberos mailing list.)2 909 3 3384 6914 t
( password-guessing)1 797(alternative avenue for mounting a)4 1399 2 3384 7024 t
( services, and)2 636( may be treated as)4 908(attack. Clients)1 652 3 3384 7134 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 5)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 5 5
%%Page: 6 6
save
mark
6 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
10 R f
( encrypted by)2 639(tickets to the client,)3 930 2 540 672 t
10 I f
(K)2182 672 w
7 I f
(c)2260 692 w
10 R f
(, may be)2 437 1 2299 672 t
( capability has been sug-)4 1047( This)1 251( any user.)2 415(obtained by)1 483 4 540 782 t
( for user-to-user authentication and)4 1434(gested as the basis)3 762 2 540 892 t
( services.)1 417(and enhanced mail)2 838 2 540 1002 t
8 R f
([Salt90])1795 1002 w
10 R f
(But any such)2 614 1 2122 1002 t
( repeated re-entry of)3 882(scheme would seem to require)4 1314 2 540 1112 t
(the user's password, an inconvenience we suspect)6 2196 1 540 1222 t
( would prefer to provide)4 1070( We)1 221(will not be tolerated.)3 905 3 540 1332 t
(the same functionality by having clients register)6 2196 1 540 1442 t
( as services, with truly random)5 1436(separate instances)1 760 2 540 1552 t
( the)1 173( could be supplied to the client by)7 1527(keys. Keys)1 496 3 540 1662 t
10 I f
(keystore)540 1772 w
10 R f
(, described below.\))2 775 1 872 1772 t
(An alternative approach is a protocol described)6 1980 1 756 1915 t
( Gong, Saltzer, and Needham.)4 1404(by Lomas,)1 474 2 540 2025 t
8 R f
([Loma89])2418 2025 w
10 R f
( with a server that does not)6 1250(They present a dialog)3 946 2 540 2135 t
( How-)1 298( password-guessing attacks.)2 1138(expose the user to)3 760 3 540 2245 t
( public-key cryptogra-)2 952(ever, their protocol relies on)4 1244 2 540 2355 t
(phy, an approach explicitly rejected for Kerberos.)6 2031 1 540 2465 t
10 B f
(Spoo\256ng Login)1 658 1 540 2712 t
10 R f
( quite simple)2 543(In a workstation environment, it is)5 1437 2 756 2849 t
(for an intruder to replace the)5 1208 1 540 2959 t
10 CW f
(login)1787 2959 w
10 R f
(command with)1 610 1 2126 2959 t
( users' passwords before)3 1163(a version that records)3 1033 2 540 3069 t
( an)1 151( Such)1 290( the Kerberos dialog.)3 933(employing them in)2 822 4 540 3179 t
( advantages,)1 504(attack negates one of Kerberos's primary)5 1692 2 540 3289 t
( never transmitted in cleartext over)5 1439(that passwords are)2 757 2 540 3399 t
( to)1 129( this problem is not restricted)5 1294( While)1 327(a network.)1 446 4 540 3509 t
( Kerberos protocol makes)3 1064(Kerberos environments, the)2 1132 2 540 3619 t
( standard countermeasure:)2 1107(it dif\256cult to employ the)4 1089 2 540 3729 t
(one-time passwords.)1 829 1 540 3839 t
(A typical one-time password scheme employs a)6 1980 1 756 3982 t
( some device)2 551(secret key shared between a server and)6 1645 2 540 4092 t
( a random)2 429( server picks)2 532( The)1 227(in the user's possession.)3 1008 4 540 4202 t
( the server)2 439( Both)1 266(number and transmits it to the user.)6 1491 3 540 4312 t
( the aid of the device\) encrypt this)7 1445(and the user \(with)3 751 2 540 4422 t
( transmitted)1 485(number using the secret key; the result is)7 1711 2 540 4532 t
( the two computed values)4 1181( If)1 164(back to the server.)3 851 3 540 4642 t
( is assumed to possess the appropriate)6 1569(match, the user)2 627 2 540 4752 t
(key.)540 4862 w
( no provision for such a)5 1271(Kerberos makes)1 709 2 756 5005 t
( server's)1 348( The)1 222(challenge/response dialog at login time.)4 1626 3 540 5115 t
( is always encrypted)3 917(response to the login request)4 1279 2 540 5225 t
(with)540 5335 w
10 I f
(K)773 5335 w
7 I f
(c)851 5355 w
10 R f
(, a key derived from the user's password.)7 1846 1 890 5335 t
( understands)1 516(Unless a ``smart card'' is employed that)6 1680 2 540 5445 t
( any use)2 367(the entire Kerberos protocol, this precludes)5 1829 2 540 5555 t
(of one-time passwords.)2 945 1 540 5665 t
( suggested to us by T.H.)5 1134(An alternative \(\256rst)2 846 2 756 5808 t
( a random)2 475(Foregger\) requires that the server pick)5 1721 2 540 5918 t
(number)540 6028 w
10 I f
(R)902 6028 w
10 R f
(, and use)2 418 1 963 6028 t
10 I f
(K)1439 6028 w
7 I f
(c)1517 6048 w
10 R f
(to encrypt)1 435 1 1614 6028 t
10 I f
(R)2107 6028 w
10 R f
( value)1 274(. This)1 294 2 2168 6028 t
10 S f
({)540 6138 w
10 I f
(R)596 6138 w
10 S f
(})665 6138 w
10 I f
(K)721 6138 w
7 I f
(c)799 6158 w
10 R f
(, rather than)2 497 1 838 6138 t
10 I f
(K)1369 6138 w
7 I f
(c)1447 6158 w
10 R f
( be used to encrypt the)5 941(, would)1 309 2 1486 6138 t
(server's response.)1 748 1 540 6248 t
10 I f
(R)1381 6248 w
10 R f
(would be transmitted in the)4 1234 1 1502 6248 t
( a hand-held authenticator was in)5 1372( If)1 134( the user.)2 383(clear to)1 307 4 540 6358 t
( calculate)1 403(use, the user would employ it to)6 1418 2 540 6468 t
10 S f
({)2410 6468 w
10 I f
(R)2466 6468 w
10 S f
(})2535 6468 w
10 I f
(K)2591 6468 w
7 I f
(c)2669 6488 w
10 R f
(;)2708 6468 w
( do it automatic-)3 703(otherwise, the login program would)4 1493 2 540 6578 t
(ally.)540 6688 w
( raised to this)3 734(Several objections may be)3 1246 2 756 6831 t
( hand-held authenticators are often)4 1561(scheme. First,)1 635 2 540 6941 t
( is true; however,)3 768( This)1 261( inconvenient.)1 591(thought to be)2 576 4 540 7051 t
( in high-)2 375(they offer a substantial increase in security)6 1821 2 3024 672 t
( they are not used, the cost of)7 1233( If)1 133(threat environments.)1 830 3 3024 782 t
( encryption)1 461(our scheme is quite low, simply one extra)7 1735 2 3024 892 t
(on each end.)2 517 1 3024 1002 t
( if the)2 269(A second, more cogent, objection is that)6 1711 2 3240 1145 t
( be trusted with a user's)5 1066(client's workstation cannot)2 1130 2 3024 1255 t
( keys pro-)2 423(password, it cannot be trusted with session)6 1773 2 3024 1365 t
( is, to some extent, a valid)6 1146( This)1 253( Kerberos.)1 432(vided by)1 365 4 3024 1475 t
( compromise of the)3 825(criticism, though we believe that)4 1371 2 3024 1585 t
( more serious than the cap-)5 1183(login password is much)3 1013 2 3024 1695 t
( This)1 301( limited-lifetime session keys.)3 1296(ture of a few)3 599 3 3024 1805 t
( without the use of)4 984(problem cannot be solved)3 1212 2 3024 1915 t
( a subject we shall return)5 1125(special-purpose hardware,)1 1071 2 3024 2025 t
(to below.)1 380 1 3024 2135 t
( has been pointed out that a user can)8 1575(Finally, it)1 405 2 3240 2278 t
( or boot)2 365(always supply a known-clean boot device,)5 1831 2 3024 2388 t
( former we regard as improb-)5 1276( The)1 234(via the network.)2 686 3 3024 2498 t
( practice unless removable media are)5 1851(able in)1 345 2 3024 2608 t
( the boot pro-)3 568(employed; the latter is insecure because)5 1628 2 3024 2718 t
(tocols are unauthenticated.)2 1083 1 3024 2828 t
10 B f
(Inter-Session Chosen Plaintext Attacks)3 1687 1 3024 3075 t
10 R f
( description in the Version 5)5 1415(According to the)2 781 2 3024 3212 t
(draft,)3024 3322 w
8 R f
([Kohl89])3237 3322 w
10 R f
(servers using the KRB)3 926 1 3563 3322 t
10 S f
(_)4489 3322 w
10 R f
(PRIV format are)2 681 1 4539 3322 t
( a)1 85(susceptible to)1 562 2 3024 3432 t
10 I f
(chosen plaintext attack)2 953 1 3712 3432 t
10 R f
( chosen-)1 351(. \(A)1 204 2 4665 3432 t
(plaintext attack is one where an attacker may choose)8 2196 1 3024 3542 t
(all or part of the plaintext and, typically, use the)9 2196 1 3024 3652 t
( we)1 165( Here)1 275( text to attack the cipher.)5 1107(resulting cipher)1 649 4 3024 3762 t
( cipher text to attack the protocol. Mail and)8 1896(use the)1 300 2 3024 3872 t
( examples of servers susceptible to)5 1549(\256le servers are)2 647 2 3024 3982 t
( encrypted portion of)3 897( the)1 165( Speci\256cally,)1 573(such attacks.\))1 561 4 3024 4092 t
(messages of this type have the form)6 1479 1 3024 4202 t
10 I f
(X)2986 4356 w
10 S f
(=)3071 4356 w
10 R f
(\()3142 4356 w
10 I f
(DATA)3183 4356 w
10 R f
(,)3441 4356 w
10 I f
(timestamp)3515 4356 w
10 S f
(+)3950 4356 w
10 I f
(direction)4021 4356 w
10 R f
(,)4390 4356 w
10 I f
(hostaddress)4464 4356 w
10 R f
(,)4950 4356 w
10 I f
(PAD)5024 4356 w
10 R f
(\))5226 4356 w
(Since cipher-block chaining)2 1202 1 3024 4510 t
8 R f
([FIPS81, Davi89])1 607 1 4226 4510 t
10 R f
(has the)1 321 1 4899 4510 t
( of encryptions are encryptions)4 1308(property that pre\256xes)2 888 2 3024 4620 t
(of pre\256xes, if)2 551 1 3024 4730 t
10 I f
(DATA)3608 4730 w
10 R f
(has the form)2 515 1 3891 4730 t
(\()3052 4884 w
10 I f
(AUTHENTICATOR)3093 4884 w
10 R f
(,)3896 4884 w
10 I f
(CHECKSUM)3970 4884 w
10 R f
(,)4517 4884 w
10 I f
(REMAINDER)4591 4884 w
10 R f
(\))5159 4884 w
(then a pre\256x of the encryption of)6 1392 1 3024 5038 t
10 I f
(X)4454 5038 w
10 R f
(with the session)2 667 1 4553 5038 t
(key is the encryption of)4 975 1 3024 5148 t
(\()3352 5302 w
10 I f
(AUTHENTICATOR)3393 5302 w
10 R f
(,)4196 5302 w
10 I f
(CHECKSUM)4270 5302 w
10 R f
(\) ,)1 74 1 4817 5302 t
( to spoof an entire session with the)7 1511(and can be used)3 685 2 3024 5456 t
(server.)3024 5566 w
( are not sus-)3 527(It may be argued that most servers)6 1453 2 3240 5709 t
( that there)2 419( Given)1 312( plaintext attacks.)2 722(ceptible to chosen)2 743 4 3024 5819 t
( it seems foolish to)4 844(are easy counters to this attack,)5 1352 2 3024 5929 t
( general format for private servers that)6 1738(advocate a)1 458 2 3024 6039 t
(does not also protect against it.)5 1278 1 3024 6149 t
( above)1 279(It should be noted that the simple attack)7 1701 2 3240 6292 t
( which)1 283(does not work against Kerberos Version 4, in)7 1913 2 3024 6402 t
( the KRB)2 414(the encrypted portion of)3 1013 2 3024 6512 t
10 S f
(_)4451 6512 w
10 R f
(PRIV message is)2 719 1 4501 6512 t
(of the form)2 465 1 3024 6622 t
(\()3113 6776 w
10 I f
(length)3154 6776 w
10 R f
(\()3412 6776 w
10 I f
(DATA)3453 6776 w
10 R f
(\) ,)1 74 1 3711 6776 t
10 I f
(DATA)3834 6776 w
10 R f
(,)4092 6776 w
10 I f
(msectime)4166 6776 w
10 R f
(,)4545 6776 w
10 I f
(hostaddress)4619 6776 w
10 R f
(,)5105 6776 w
10 I f
(timestamp)3550 6886 w
10 S f
(+)3985 6886 w
10 I f
(direction)4056 6886 w
10 R f
(,)4425 6886 w
10 I f
(PAD)4499 6886 w
10 R f
(\))4701 6886 w
(as the leading)2 661 1 3024 7040 t
10 I f
(length)3767 7040 w
10 R f
(\()4025 7040 w
10 I f
(DATA)4066 7040 w
10 R f
(\) \256eld disrupts the)3 896 1 4324 7040 t
( the reader to)3 625( leave it to)3 524( We)1 231(pre\256x-based attack.)1 816 4 3024 7150 t
10 B f
(6 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 6 6
%%Page: 7 7
save
mark
7 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 R f
( chosen ciphertext attack)3 1019(discover a more complicated)3 1177 2 900 672 t
( even allowing for the fact that)6 1375(against this format,)2 821 2 900 782 t
( PCBC mode of)3 772(Version 4 uses the nonstandard)4 1424 2 900 892 t
( is \256xed)2 353( assume the initial vector)4 1075(encryption. \(Hint:)1 768 3 900 1002 t
( it is interesting to note that)6 1227( However,)1 470(and public.\))1 499 3 900 1112 t
( of message \256elds can)4 1032(the order of concatenation)3 1164 2 900 1222 t
( to this)2 301( return)1 276( We)1 209(have security-critical implications.)2 1410 4 900 1332 t
(question in the later section on message encoding.)7 2059 1 900 1442 t
10 B f
(Exposure of Session Keys)3 1111 1 900 1689 t
10 R f
( misnomer in the Ker-)4 962(The term ``session key'' is a)5 1234 2 900 1826 t
( key is contained in the service)6 1327( This)1 253(beros protocol.)1 616 3 900 1936 t
( sessions between)2 758(ticket and is used in the multiple)6 1438 2 900 2046 t
( it is)2 203( Thus,)1 298( use that ticket.)3 650(the client and server that)4 1045 4 900 2156 t
( Mak-)1 297( called a ``multi-session key''.)4 1309(more properly)1 590 3 900 2266 t
(ing this point explicit leads naturally to the sugges-)8 2196 1 900 2376 t
(tion that true session keys be negotiated as part of)9 2196 1 900 2486 t
( limits the exposure to)4 989( This)1 261( protocol.)1 408(the Kerberos)1 538 4 900 2596 t
(cryptanalysis)900 2706 w
8 R f
([Kahn67, Beke82, Deav85])2 981 1 1427 2706 t
10 R f
( multi-)1 325(of the)1 284 2 2487 2706 t
( the ticket, and precludes)4 1123(session key contained in)3 1073 2 900 2816 t
( substitute messages from one session)5 1628(attacks which)1 568 2 900 2926 t
( chosen-plaintext attack of the previ-)5 1506( \(The)1 254(in another.)1 436 3 900 3036 t
( session key)2 525( The)1 234(ous section is one such example.\))5 1437 3 900 3146 t
( generated by the server or could be com-)8 1832(could be)1 364 2 900 3256 t
( of the multi-)3 639(puted as a session-speci\256c function)4 1557 2 900 3366 t
(session key.)1 491 1 900 3476 t
10 B f
(The Scope of Tickets)3 910 1 900 3723 t
10 R f
(Kerberos tickets are limited in both time and)7 1980 1 1116 3860 t
( is, tickets are usable only within the)7 1677(space. That)1 519 2 900 3970 t
( for a)2 268(realm of the ticket-granting server, and only)6 1928 2 900 4080 t
( \256rst is necessary to the)5 1015( The)1 230(limited period of time.)3 951 3 900 4190 t
( the TGS would not have any)6 1351(design of Kerberos;)2 845 2 900 4300 t
( The)1 233( servers in other realms.)4 1036(keys in common with)3 927 3 900 4410 t
( the longer a ticket is in)6 1040(latter is a security measure;)4 1156 2 900 4520 t
( greater the risk of it being stolen or)8 1839(use, the)1 357 2 900 4630 t
(compromised.)900 4740 w
( on tickets, in Version 4, is)6 1156(A further restriction)2 824 2 1116 4883 t
( user may obtain)3 732( A)1 153( forwarded.)1 482(that they cannot be)3 829 4 900 4993 t
( in to some)3 478(tickets at login time, and use these to log)8 1718 2 900 5103 t
( however, it is not possible to obtain)7 1730(other host;)1 466 2 900 5213 t
( that host unless)3 696(authenticated network services from)3 1500 2 900 5323 t
( that in)2 304( And)1 243( is obtained.)2 512(a new ticket-granting ticket)3 1137 4 900 5433 t
( require transmission of a password across)6 1751(turn would)1 445 2 900 5543 t
(the network, in violation of fundamental principles)6 2196 1 900 5653 t
(of Kerberos's design.)2 872 1 900 5763 t
8 I f
(9)1772 5731 w
10 R f
( provisions for ticket-)3 989(Version 5 incorporates)2 991 2 1116 5906 t
(forwarding; however, this introduces the problem of)6 2196 1 900 6016 t
( is, a host)3 420( That)1 255(cascading trust.)1 635 3 900 6126 t
10 I f
(A)2249 6126 w
10 R f
( willing to)2 442(may be)1 305 2 2349 6126 t
(trust credentials from host)3 1100 1 900 6236 t
10 I f
(B)2043 6236 w
10 R f
(, and)1 212 1 2104 6236 t
10 I f
(B)2359 6236 w
10 R f
(may be willing)2 634 1 2462 6236 t
(to trust host)2 509 1 900 6346 t
10 I f
(C)1453 6346 w
10 R f
(, but)1 197 1 1520 6346 t
10 I f
(A)1761 6346 w
10 R f
(may not be willing to accept)5 1230 1 1866 6346 t
(tickets originally created on host)4 1340 1 900 6456 t
10 I f
(C)2273 6456 w
10 R f
(, which)1 302 1 2340 6456 t
10 I f
(A)2675 6456 w
10 R f
(believes)2769 6456 w
( indicate)1 366( has a \257ag bit to)5 756( Kerberos)1 447(to be insecure.)2 627 4 900 6566 t
16 R f
1980 6691 900 6691 Dl
8 R f
(9)966 6759 w
9 R f
( was built)2 411(Actually, a special-purpose ticket-forwarder)3 1679 2 1006 6791 t
( the implementation was of)4 1154( However,)1 450(for Version 4.)2 592 3 900 6891 t
( run)1 157(necessity awkward, and required participating hosts to)6 2039 2 900 6991 t
(an additional server.)2 748 1 900 7091 t
10 R f
( not include the)3 658(that a ticket was forwarded, but does)6 1538 2 3384 672 t
(original source.)1 629 1 3384 782 t
( that the)2 370(A second problem with forwarding is)5 1610 2 3600 925 t
(concept only makes sense if tickets include the net-)8 2196 1 3384 1035 t
( the address is omit-)4 841( If)1 133( principal.)1 414(work address of the)3 808 4 3384 1145 t
( a ticket may)3 561(ted \320 as is permitted in Version 5 \320)8 1635 2 3384 1255 t
( without any further)3 1009(be used from any host,)4 1187 2 3384 1365 t
( necessary)1 433( that is)2 311( All)1 208(modi\256cations to the protocol.)3 1244 4 3384 1475 t
( for)1 165(to employ such a ticket is a secure mechanism)8 2031 2 3384 1585 t
( But)1 220( key to the new host.)5 912(copying the multi-session)2 1064 3 3384 1695 t
( by an encrypted \256le)4 1031(that can be accomplished)3 1165 2 3384 1805 t
( existing facil-)2 613(transfer mechanism layered on top of)5 1583 2 3384 1915 t
( not require \257ag bits in the Kerberos)7 1676(ites; it does)2 520 2 3384 2025 t
(header.)3384 2135 w
( include the network address in a)6 1410(Is it useful to)3 570 2 3600 2278 t
( that)1 204( our assumption)2 699( Given)1 332( think not.)2 469(ticket? We)1 492 5 3384 2388 t
( is under full control of the attacker, no)8 1705(the network)1 491 2 3384 2498 t
(extra security is gained by relying on the network)8 2196 1 3384 2608 t
( of including it)3 652( fact, the primary bene\256t)4 1060(address. In)1 484 3 3384 2718 t
( authen-)1 338(appears to be preventing immediate reuse of)6 1858 2 3384 2828 t
(ticators from a different host.)4 1199 1 3384 2938 t
(Even with the protection provided by network)6 1980 1 3600 3081 t
(addresses, replay attacks that involve faked addresses)6 2196 1 3384 3191 t
( an)1 170( Furthermore,)1 633( again, see [Morr85].)3 992(are easy;)1 401 4 3384 3301 t
( the connection is set)4 922(attacker can always wait until)4 1274 2 3384 3411 t
(up and authenticated, and then take it over, thus)8 2196 1 3384 3521 t
(obviating any security provided by the presence of)7 2196 1 3384 3631 t
( these problems, and the cascad-)5 1386( Given)1 321(the address.)1 489 3 3384 3741 t
(ing trust issue raised earlier, we suggest that ticket-)8 2196 1 3384 3851 t
(forwarding be deleted.)2 916 1 3384 3961 t
( is)1 110(A new inter-realm authentication mechanism)4 1870 2 3600 4104 t
( if a user)3 469( Brie\257y,)1 402(also introduced in Version 5.)4 1325 3 3384 4214 t
( service in another realm, that user)6 1443(wishes to access a)3 753 2 3384 4324 t
( that)1 217(must \256rst obtain a ticket-granting ticket for)6 1979 2 3384 4434 t
( done by making the ticket-granting)5 1564( is)1 118(realm. This)1 514 3 3384 4544 t
( of another realm's TGS.)4 1055(server in a realm the client)5 1141 2 3384 4654 t
( realm's)1 356(It in turn may be a client of yet another)9 1840 2 3384 4764 t
( by each TGS)3 579( user's ticket request is signed)5 1261(TGS. A)1 356 3 3384 4874 t
( con\256gured)1 461(and passed along; realms will normally be)6 1735 2 3384 4984 t
( are)1 158(in a hierarchical fashion, though ``tandem links'')6 2038 2 3384 5094 t
(permitted.)3384 5204 w
( while appearing to)3 834(Unfortunately, this scheme,)2 1146 2 3600 5347 t
( de\256cient in several respects.)4 1270(solve the problem, is)3 926 2 3384 5457 t
( is no discussion of how)5 1009(First, and most serious, there)4 1187 2 3384 5567 t
( which of its neighboring)4 1201(a TGS can determine)3 995 2 3384 5677 t
( up the tree,)3 516( Moving)1 389(realms should be the next hop.)5 1291 3 3384 5787 t
( an obvious answer for leaf)5 1298(towards the root, is)3 898 2 3384 5897 t
( parent node would need com-)5 1301(nodes; however, each)2 895 2 3384 6007 t
(plete knowledge of its entire subtree's realms in)7 2196 1 3384 6117 t
( how to pass the request down-)6 1405(order to determine)2 791 2 3384 6227 t
( here to)2 449( are obvious analogies)3 1118(wards. There)1 629 3 3384 6337 t
( issues; note, though, that any)5 1301(network-layer routing)1 895 2 3384 6447 t
( protocol'' must include strong)4 1518(``realm routing)1 678 2 3384 6557 t
(authentication provisions.)1 1041 1 3384 6667 t
( static tables)2 588(Another answer is to say that)5 1392 2 3600 6810 t
( too, has its security limita-)5 1229( This,)1 290(should be used.)2 677 3 3384 6920 t
( administrators rely on electronic)4 1372( realm)1 264(tions: should)1 560 3 3384 7030 t
( calls to set up their)5 975(mail messages or telephone)3 1221 2 3384 7140 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 7)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 7 7
%%Page: 8 8
save
mark
8 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
10 R f
( not authenticated,)2 789( such calls are)3 640( If)1 150(routing tables?)1 617 4 540 672 t
( they are, the secu-)4 822(the security risks are obvious; if)5 1374 2 540 782 t
( to the secu-)3 527(rity of a Kerberos realm is subordinated)6 1669 2 540 892 t
(rity of a totally different authentication system.)6 1932 1 540 1002 t
( inter-)1 278(There is also an evident link between)6 1702 2 756 1145 t
(realm authentication and the cascading-trust problem.)5 2196 1 540 1255 t
( to solve this by includ-)5 1012(Kerberos Version 5 attempts)3 1184 2 540 1365 t
( However,)1 461(ing path information in the ticket request.)6 1735 2 540 1475 t
( not clear)2 395(in the absence of a global name space, it is)9 1801 2 540 1585 t
( a neighbor, its)3 648( a realm is not)4 642( If)1 143(that this is useful.)3 763 4 540 1695 t
(name may not carry any global sign\256cance, whether)7 2196 1 540 1805 t
( to assess the)3 549( Furthermore,)1 592(by malice or coincidence.)3 1055 3 540 1915 t
(validity of a request, a server needs global)7 2196 1 540 2025 t
( possible tran-)2 584(knowledge of the trustworthiness of all)5 1612 2 540 2135 t
( is)1 122( a large internet, such knowledge)5 1464( In)1 170(sit realms.)1 440 4 540 2245 t
(probably not possible.)2 902 1 540 2355 t
10 B f
(KERBEROS HARDWARE DESIGN CRITERIA)3 2145 1 565 2547 t
(A Host Encryption Unit)3 1044 1 540 2712 t
10 R f
( major reasons we question the suita-)6 1541(One of the)2 439 2 756 2849 t
( hosts is the need for)5 869(bility of Kerberos for multi-user)4 1327 2 540 2959 t
( host were)2 532( if the)2 353( What)1 334(plaintext key storage.)2 977 4 540 3069 t
( We)1 221( an attached cryptographic unit?)4 1380(equipped with)1 595 3 540 3179 t
(consider the design parameters for such a box.)7 1907 1 540 3289 t
( goal is to perform cryptographic)5 1457(The primary)1 523 2 756 3432 t
( to comprom-)2 590(operations without exposing any keys)4 1606 2 540 3542 t
( tickets)1 299( operations must include validating)4 1453(ise. These)1 444 3 540 3652 t
( both)1 215(presented by remote users, creating requests for)6 1981 2 540 3762 t
( and application tickets, and)4 1282(ticket-granting tickets)1 914 2 540 3872 t
( Conse-)1 393(encrypting and decrypting conversations.)3 1803 2 540 3982 t
( secure storage for an adequate)5 1281(quently, there must be)3 915 2 540 4092 t
( must be)2 385(number of keys, and the operating system)6 1811 2 540 4202 t
( which)1 293(able to select which key should be used for)8 1903 2 540 4312 t
(function.)540 4422 w
( keys are)2 400(The next question, of course, is how)6 1580 2 756 4565 t
( tickets are)2 484( If)1 150( area.)1 241(entered into the secure storage)4 1321 4 540 4675 t
( but transferred to)3 796(decrypted by the encryption box)4 1400 2 540 4785 t
( for analysis, the embedded ses-)5 1400(the host's memory)2 796 2 540 4895 t
(sion key is exposed.)3 877 1 540 5005 t
8 I f
(10)1417 4973 w
10 R f
(Therefore, we conclude that)3 1190 1 1546 5005 t
( must understand the Ker-)4 1141(the encryption box itself)3 1055 2 540 5115 t
( will guarantee the secu-)4 1019(beros protocols; nothing less)3 1177 2 540 5225 t
(rity of the stored keys.)4 928 1 540 5335 t
( is more problematic, since)4 1179(Entry of user keys)3 801 2 756 5478 t
( user ter-)2 396( Unless)1 351(they must travel through the host.)5 1449 3 540 5588 t
( to the encryption unit,)4 976(minals are connected directly)3 1220 2 540 5698 t
( host,)1 254( them off the)3 627( Storing)1 391(there is little choice.)3 924 4 540 5808 t
( of expo-)2 400(though, is a signi\256cant help, as the period)7 1796 2 540 5918 t
( keys \320 service)3 673( Host-owned)1 557(sure is then minimized.)3 966 3 540 6028 t
(keys, or the keys that)4 930 1 540 6138 t
10 CW f
(root)1516 6138 w
10 R f
(would use to do NFS)4 933 1 1803 6138 t
( should be loaded via a Kerberos-)6 1713(mounts \320)1 483 2 540 6248 t
(authenticated service resident in the encryption unit.)6 2196 1 540 6358 t
16 R f
1620 6491 540 6491 Dl
8 R f
(10)606 6559 w
9 R f
( to do)2 242( program)1 345( A)1 135(This is not a hypothetical concern.)5 1328 4 686 6591 t
( posted to)2 389(just that \(for conventional passwords\) was)5 1625 2 540 6691 t
9 I f
(net-)2596 6691 w
(news)540 6791 w
9 R f
( operated by reading)3 877( It)1 154( as 1984.)2 416(as long ago)2 501 4 788 6791 t
9 CW f
(/dev/kmem)540 6891 w
9 R f
( was a princi-)3 510( existence of this program)4 969(. The)1 224 3 1033 6891 t
( the current restrictive permission set-)5 1420(pal factor motivating)2 776 2 540 6991 t
(tings on)1 295 1 540 7091 t
9 CW f
(/dev/kmem)865 7091 w
9 R f
(.)1358 7091 w
10 R f
(We shall return to this point below.)6 1461 1 3024 672 t
( that the protocol itself)4 1041(We must now ensure)3 939 2 3240 815 t
( Look-)1 310( to obtain keys.)3 635(does not provide a mechanism)4 1251 3 3024 925 t
( only ses-)2 415(ing at the message de\256nitions, we see that)7 1781 2 3024 1035 t
( are ever sent, and these are always sent)8 1794(sion keys)1 402 2 3024 1145 t
( user machines never gen-)4 1165(encrypted. Furthermore,)1 1031 2 3024 1255 t
( messages; they merely forward them.)5 1594(erate any such)2 602 2 3024 1365 t
( not have the ability to transmit a)7 1403(Thus, the box need)3 793 2 3024 1475 t
(key, thereby providing us with a very high level of)9 2196 1 3024 1585 t
(assurance that it will not do so.)6 1289 1 3024 1695 t
( box is used for the Kerberos)6 1297(If an encryption)2 683 2 3240 1838 t
( com-)1 260(server itself, the problem is somewhat more)6 1936 2 3024 1948 t
( are transmit-)2 560( are two places where keys)5 1136(plex. There)1 500 3 3024 2058 t
( ticket is granted, the ticket itself)6 1415( when a)2 348(ted. First,)1 433 3 3024 2168 t
( key, and a copy of that session)7 1430(contains a session)2 766 2 3024 2278 t
( client's ticket-)2 671(key is sent back encrypted in the)6 1525 2 3024 2388 t
( dia-)1 196( during the initial)3 737( Second,)1 392(granting session key.)2 871 4 3024 2498 t
( ticket-granting session key)3 1198(log with Kerberos, the)3 998 2 3024 2608 t
( password)1 419(must be sent out, encrypted in the client's)7 1777 2 3024 2718 t
( are)1 174( though, that permanent keys)4 1273(key. Note,)1 475 3 3024 2828 t
10 I f
(never)4999 2828 w
10 R f
( the encryption box)3 849(sent; again, this assures us that)5 1347 2 3024 2938 t
( since these)2 510( Furthermore,)1 608(will not give away keys.)4 1078 3 3024 3048 t
( can buy)2 368(session keys are intended to be random, we)7 1828 2 3024 3158 t
( great deal of security by including a)7 1713(ourselves a)1 483 2 3024 3268 t
(hardware random number generator on-board.)4 1873 1 3024 3378 t
(We are not too concerned about having to load)8 1980 1 3240 3521 t
( operation)1 410( This)1 244(client and server keys onto the board.)6 1542 3 3024 3631 t
(is done only by the Kerberos master server, for)8 2196 1 3024 3741 t
( in)1 126(which strong physical security must be assumed)6 2070 2 3024 3851 t
( possible that such an encryption unit)6 1548( is)1 101( It)1 128(any event.)1 419 4 3024 3961 t
( even)1 240(can be made suf\256ciently tamper-resistant that)5 1956 2 3024 4071 t
(workstations can use them; certainly, there are com-)7 2196 1 3024 4181 t
( such)1 280(mercial cryptographic devices that claim)4 1916 2 3024 4291 t
(strengths.)3024 4401 w
( is)1 124(One major objection to this entire scheme)6 1856 2 3240 4544 t
( the encryption box is controlled by)6 1565(that ultimately,)1 631 2 3024 4654 t
( if)1 105( Thus,)1 302(the host computer.)2 779 3 3024 4764 t
10 CW f
(root)4254 4764 w
10 R f
(is compromised,)1 681 1 4539 4764 t
( bogus tick-)2 504(the host could instruct the box to create)7 1692 2 3024 4874 t
( as)1 122( However,)1 462( concerns are certainly valid.)4 1205(ets. Such)1 407 4 3024 4984 t
( consider such temporary breaches of)5 1527(noted above, we)2 669 2 3024 5094 t
( compromise)1 542(security to be far less serious than the)7 1654 2 3024 5204 t
( using a separate unit allows)5 1214( Furthermore,)1 600(of a key.)2 382 3 3024 5314 t
(us to create untamperable logs, etc.)5 1445 1 3024 5424 t
( keys.)1 257(It is also desirable to prevent misuse of)7 1723 2 3240 5567 t
( not want the login key used to)7 1349(For example, we do)3 847 2 3024 5677 t
( that just happens)3 757(decrypt the arbitrary block of text)5 1439 2 3024 5787 t
( keys)1 237( Accordingly,)1 611( ticket.)1 301(to be the ticket-granting)3 1047 4 3024 5897 t
( login key)2 454( A)1 157( purpose.)1 393(should be tagged with their)4 1192 4 3024 6007 t
( only to decrypt the ticket-granting)5 1540(should be used)2 656 2 3024 6117 t
( key associated with it should be used only)8 1790(ticket; the)1 406 2 3024 6227 t
( the encryp-)2 514( Since)1 299(for obtaining service tickets, etc.)4 1383 3 3024 6337 t
( performing all of the key management,)6 1727(tion box is)2 469 2 3024 6447 t
(this is not a dif\256cult problem.)5 1224 1 3024 6557 t
10 B f
(The Key Storage Unit)3 954 1 3024 6804 t
(8 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 8 8
%%Page: 9 9
save
mark
9 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 R f
( technologies may be used to)5 1402(A variety of)2 578 2 1116 672 t
(implement encryption units, ranging from special)5 2196 1 900 782 t
( dedicated microcomputers connected to)4 1785(boards to)1 411 2 900 892 t
( the latter)2 415( If)1 143( by physically-secure lines.)3 1144(server hosts)1 494 4 900 1002 t
( use its disk storage)4 823(is used, there is the temptation to)6 1373 2 900 1112 t
( attached)1 370(to hold the service keys associated with the)7 1826 2 900 1222 t
( media)1 279( Any)1 240(host, but we feel that that is inadvisable.)7 1677 3 900 1332 t
( must be backed up, and the backups)7 1695(of that sort)2 501 2 900 1442 t
( a high degree of)4 774( Such)1 283(must be carefully guarded.)3 1139 3 900 1552 t
( be impractical in some environments.)5 1656(security may)1 540 2 900 1662 t
( in volatile)2 502(Instead, we suggest that keys be kept)6 1694 2 900 1772 t
( from a secure)3 612(memory, and downloaded)2 1072 2 900 1882 t
10 I f
(keystore)2624 1882 w
10 R f
(on)2996 1882 w
( Thus,)1 307( encryption-protected channel.)2 1264(request, via an)2 625 3 900 1992 t
( be stored within the box;)5 1104(only one master key need)4 1092 2 900 2102 t
( either be in non-volatile storage, or be)7 1617(this key could)2 579 2 900 2212 t
(supplied by an operator when necessary.)5 1658 1 900 2322 t
( secure, reli-)2 547(More generally, the keystore is a)5 1433 2 1116 2465 t
(able repository for a limited amount of information.)7 2196 1 900 2575 t
( the keystore could package arbitrary data)6 1745(A client of)2 451 2 900 2685 t
(to be retained by the keystore, and retrieved at a)9 2196 1 900 2795 t
( the service keys and tags, in)6 1211( data \320)2 336( This)1 246(later date.)1 403 4 900 2905 t
( or even a conven-)4 848(the case of an encryption unit,)5 1348 2 900 3015 t
( be uninterpreted by)3 882(tional Kerberos host \320 would)4 1314 2 900 3125 t
( and retrieval requests would)4 1265( Storage)1 392(the keystore.)1 539 3 900 3235 t
( course.)1 361(be authenticated by Kerberos tickets, of)5 1835 2 900 3345 t
(Only encrypted transfer \(KRB)3 1370 1 900 3455 t
10 S f
(_)2270 3455 w
10 R f
(PRIV\) should be)2 776 1 2320 3455 t
( against disclosure of such)4 1194(employed, as insurance)2 1002 2 900 3565 t
(sensitive material.)1 735 1 900 3675 t
(As noted, the same keystore protocol could be)7 1980 1 1116 3818 t
( additional keys for new instances of)6 1578(used to supply)2 618 2 900 3928 t
( example, a user)3 687( For)1 209(the same client.)2 648 3 900 4038 t
10 I f
(pat)2482 4038 w
10 R f
(could have)1 448 1 2648 4038 t
(a separate instance)2 771 1 900 4148 t
10 I f
(pat.email)1708 4148 w
10 R f
(, for receiving encrypted)3 1013 1 2083 4148 t
( instance would be)3 797( key for that)3 533( The)1 229(electronic mail.)1 637 4 900 4258 t
(restricted to that user, of course.)5 1323 1 900 4368 t
( are)1 187(Generally, transactions with the keystore)4 1793 2 1116 4511 t
( there is some ques-)4 833( However,)1 458(initiated by the client.)3 905 3 900 4621 t
( as)1 123(tion about how to create the additional user keys,)8 2073 2 900 4731 t
( sources)1 350(user workstations are not particularly good)5 1846 2 900 4841 t
( to provide a)3 541( best alternative is)3 760( The)1 225(of random keys.)2 670 4 900 4951 t
( service on the network.)4 1128(\(secure\) random number)2 1068 2 900 5061 t
( this service)2 539(When a new client instance is added,)6 1657 2 900 5171 t
(would be consulted to generate the key; both Ker-)8 2196 1 900 5281 t
(beros and the keystore would be told about the key.)9 2130 1 900 5391 t
10 B f
(SECURITY VALIDATION)1 1200 1 1398 5583 t
10 R f
( we are asking if)4 743( that)1 195( By)1 195(Is Kerberos correct?)2 847 4 1116 5748 t
( or)1 151( the design)2 521( in)1 180(there are bugs \(or trapdoors!\))4 1344 4 900 5858 t
( bugs that could be used)5 1023(implementation of Kerberos,)2 1173 2 900 5968 t
( Some)1 300( system that relies on Kerberos.)5 1329(to penetrate a)2 567 3 900 6078 t
(would say that by making the code widely available,)8 2196 1 900 6188 t
( have enabled would-be penetrators)4 1482(the implementors)1 714 2 900 6298 t
( knowledge of the system, thereby)5 1460(to gain a detailed)3 736 2 900 6408 t
( reject that)2 475( We)1 223( task considerably.)2 800(simplifying their)1 698 4 900 6518 t
(notion.)900 6628 w
(In the late nineteenth century, Kerckhoffs for-)6 1980 1 1116 6771 t
( under which the security)4 1069(mulated the basic principal)3 1127 2 900 6881 t
( systems should be evaluated: all)5 1498(of cryptographic)1 698 2 900 6991 t
( be)1 128(details of the system design should be assumed to)8 2068 2 900 7101 t
( cryptographic keys)2 845( Only)1 286(known by the adversary.)3 1065 3 3384 672 t
( should be unavail-)3 817(speci\256cally assumed to be secret)4 1379 2 3384 782 t
(able to an attacker.)3 837 1 3384 892 t
8 R f
([Kahn67, Kerc83])1 605 1 4221 892 t
10 R f
( basic)1 259(Given this)1 442 2 4879 892 t
( is)1 122(premise, the security of a cryptographic system)6 2074 2 3384 1002 t
(evaluated based on concerted efforts at cryptanalysis.)6 2178 1 3384 1112 t
( as an authentica-)3 722(Kerberos is designed primarily)3 1258 2 3600 1255 t
( incorporating a traditional cryptosystem)4 1714(tion system)1 482 2 3384 1365 t
( Encryption Standard\) as a component.)5 1783(\(the Data)1 413 2 3384 1475 t
( the philosophy guiding Kerckhoffs')4 1554(Never the less,)2 642 2 3384 1585 t
( of the)2 303(evaluation criterion applies to the evaluation)5 1893 2 3384 1695 t
( details of Kerberos's)3 1000( The)1 261(security of Kerberos.)2 935 3 3384 1805 t
(design and implementation must be assumed known)6 2196 1 3384 1915 t
( may also be in league)5 950(to a prospective attacker, who)4 1246 2 3384 2025 t
(with some subset of servers, clients, and \(in the case)9 2196 1 3384 2135 t
(of hierarchically-con\256gured realms\) some authentica-)4 2196 1 3384 2245 t
( if and only if it can)6 866( is secure)2 395( Kerberos)1 435(tion servers.)1 500 4 3384 2355 t
( clients and servers, beginning only with)6 1678(protect other)1 518 2 3384 2465 t
( keys are)2 428(the premise that these client and server)6 1768 2 3384 2575 t
( encryption system is secure.)4 1319(secret, and that the)3 877 2 3384 2685 t
( the absence of a central, trusted ``vali-)7 1661(Moreover, in)1 535 2 3384 2795 t
( of Kerberos)2 526(dation authority'', each prospective user)4 1670 2 3384 2905 t
( course, a)2 417( Of)1 182( its security.)2 524(is responsible for judging)3 1073 4 3384 3015 t
(public discussion of system security and publication)6 2196 1 3384 3125 t
( facilitate such judge-)3 988(of security evaluations will)3 1208 2 3384 3235 t
(ments.)3384 3345 w
(By describing the Kerberos design in publica-)6 1980 1 3600 3488 t
( source code publically avail-)4 1279(tions and making the)3 917 2 3384 3598 t
( and implementors at)3 955(able, the Kerberos designers)3 1241 2 3384 3708 t
( a commendable effort to)4 1083(Project Athena have made)3 1113 2 3384 3818 t
(encourage just such a public system validation.)6 2196 1 3384 3928 t
( is itself part of that pro-)6 1115(Obviously, this document)2 1081 2 3384 4038 t
( design and its implemen-)4 1077( the system)2 470(cess. However,)1 649 3 3384 4148 t
( modi\256cation, in)2 741(tation have undergone signi\256cant)3 1455 2 3384 4258 t
( We)1 211( discussion.)1 482(part as a consequence of this public)6 1503 3 3384 4368 t
( and imple-)2 471(stress that each modi\256cation to the design)6 1725 2 3384 4478 t
( in a new system whose security)6 1479(mentation results)1 717 2 3384 4588 t
( of)1 132( \(Examples)1 509(properties must be considered anew.)4 1555 3 3384 4698 t
( are the incorporation of)4 1348(such modi\256cations)1 848 2 3384 4808 t
(hierarchically-organized servers and forwardable tick-)4 2196 1 3384 4918 t
(ets in Version 5.\))3 712 1 3384 5028 t
( of Kerberos)2 642(Hence, on-going modi\256cation)2 1338 2 3600 5171 t
(makes it a moving target for security validation)7 2196 1 3384 5281 t
( would thus be)3 625( detailed security analysis)3 1065(attempts. A)1 506 3 3384 5391 t
( Ker-)1 227( the proposed changes to)4 1071(premature. However,)1 898 3 3384 5501 t
( so)1 142(beros in the next few section are intended, not)8 2054 2 3384 5611 t
( facilitate the)2 573(much to defeat speci\256c attacks, as to)6 1623 2 3384 5721 t
( these suggestions)2 784( particular,)1 462( In)1 171(validation process.)1 779 4 3384 5831 t
( more modular, in)3 824(are intended to make Kerberos)4 1372 2 3384 5941 t
( make)1 264( so should)2 450( Doing)1 330(design and implementation.)2 1152 4 3384 6051 t
( of modi\256cations more)3 1058(the security consequences)2 1138 2 3384 6161 t
( incremental approach to)3 1079(apparant, and facilitate an)3 1117 2 3384 6271 t
(Kerberos security validation.)2 1172 1 3384 6381 t
10 B f
(Message Encoding and Cut-and-Paste Attacks)4 2004 1 3384 6628 t
10 R f
( analysis of the security of the Ker-)7 1503(The most simple)2 693 2 3384 6765 t
( check that there is no possi-)6 1251(beros protocols should)2 945 2 3384 6875 t
( messages sent in dif-)4 992(bility of ambiguity between)3 1204 2 3384 6985 t
( is, a ticket should never be)6 1276( That)1 273(ferent contexts.)1 647 3 3384 7095 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 9)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 9 9
%%Page: 10 10
save
mark
10 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
10 R f
( Such)1 269(interpretable as an authenticator, or vice versa.)6 1927 2 540 672 t
( redundancy in the pre-)4 1125(an analysis depends on)3 1071 2 540 782 t
( and)1 179(encryption binary encodings of each of the ticket)7 2017 2 540 892 t
( that analysis)2 604( Currently,)1 507(authenticator information.)1 1085 3 540 1002 t
( to the pro-)3 480(must be repeated with every modi\256cation)5 1716 2 540 1112 t
( repetitive and often intricate analysis)5 1695(tocol. This)1 501 2 540 1222 t
( encodings \(such as)3 818(would be unnecessary if standard)4 1378 2 540 1332 t
(ASN.1\))540 1442 w
8 R f
([ASN1, BER])1 501 1 848 1442 t
10 R f
( encodings)1 482( These)1 348(were used.)1 479 3 1427 1442 t
(should include the overall message type \(such as)7 2196 1 540 1552 t
(KRB)540 1662 w
10 S f
(_)746 1662 w
10 R f
(TGS)796 1662 w
10 S f
(_)985 1662 w
10 R f
(REP or KRB)2 541 1 1035 1662 t
10 S f
(_)1576 1662 w
10 R f
( with rea-)2 398(PRIV\). Together)1 712 2 1626 1662 t
( layer \(see)2 449(sonable assumptions about the encryption)4 1747 2 540 1772 t
( scheme would)2 653(the next section\), such an encoding)5 1543 2 540 1882 t
(greatly simplify the protocol validation process, par-)6 2196 1 540 1992 t
(ticularly as the protocol is modi\256ed or extended.)7 1993 1 540 2102 t
( been)1 278(Some use of ASN.1 encodings has)5 1702 2 756 2245 t
( rein-)1 242( We)1 225(adopted for other reasons in Version 5.)6 1729 3 540 2355 t
( that there are design principles other than)7 1782(force here)1 414 2 540 2465 t
(standards compatibility that motivate such a change.)6 2143 1 540 2575 t
10 B f
(The Encryption Layer)2 972 1 540 2822 t
10 R f
(Version 4 of Kerberos uses the nonstandard PCBC)7 2196 1 540 2959 t
(mode of encryption,)2 831 1 540 3069 t
10 I f
(propagating cipher block chain-)3 1329 1 1407 3069 t
(ing)540 3179 w
10 R f
(, in which plaintext block)4 1083 1 668 3179 t
10 I f
(i)1792 3179 w
10 S f
(+)1844 3179 w
10 R f
(1 is exclusive-or'ed)2 821 1 1915 3179 t
( ciphertext of block)3 887(with both the plaintext and)4 1220 2 540 3289 t
10 I f
(i)2708 3289 w
10 R f
( observed to have)3 746( mode was)2 455( This)1 250(before encryption.)1 745 4 540 3399 t
(poor propagation properties that permit message-)5 2196 1 540 3509 t
( of)1 144(stream modi\256cation: speci\256cally, if two blocks)5 2052 2 540 3619 t
(ciphertext are interchanged, only the corresponding)5 2196 1 540 3729 t
( 5 replaces)2 444( Version)1 383(blocks are garbled on decryption.)4 1369 3 540 3839 t
( mode,)1 300(PCBC mode with the standard CBC)5 1588 2 540 3949 t
10 I f
(cipher)2481 3949 w
(block chaining)1 607 1 540 4059 t
10 R f
( cipher-)1 324(, which exclusive-or's just the)4 1265 2 1147 4059 t
( block)1 255(text of)1 267 2 540 4169 t
10 I f
(i)1095 4169 w
10 R f
(with the plaintext of block)4 1087 1 1156 4169 t
10 I f
(i)2276 4169 w
10 S f
(+)2328 4169 w
10 R f
(1 before)1 337 1 2399 4169 t
( as of Draft 2, the exact)6 1023( checksum \320)2 577(encryption. A)1 596 3 540 4279 t
( \320 is used to detect)5 901(form had not been determined)4 1295 2 540 4389 t
( dupli-)1 279( order to ensure that)4 854( In)1 155(message modi\256cation.)1 908 4 540 4499 t
( different encryptions, random)3 1337(cate messages have)2 859 2 540 4609 t
( to some message)3 804(initial ``confounders'' are added)3 1392 2 540 4719 t
( addition, Version 5 supports alternative)5 1704(formats. In)1 492 2 540 4829 t
(encryption algorithms as options.)3 1357 1 540 4939 t
( checksum mechanisms)2 963(Both the confounder and)3 1017 2 756 5082 t
( encryp-)1 351(are meant to augment the security of CBC)7 1845 2 540 5192 t
( in a separate encryption layer, not)6 1437( belong)1 306(tion. They)1 453 3 540 5302 t
( protocols themselves.)2 953(at the level of the Kerberos)5 1243 2 540 5412 t
(Further, the confounder mechanism should be)5 2196 1 540 5522 t
( initial vector mechan-)3 934(replaced by using the standard)4 1262 2 540 5632 t
(ism of cipher-block chaining.)3 1200 1 540 5742 t
8 R f
([FIPS81, Davi89])1 574 1 1740 5742 t
10 R f
( modi\256cation during)2 851(To prevent message-stream)2 1129 2 756 5885 t
( uses a)2 320(authenticated or private sessions, Version 5)5 1876 2 540 5995 t
( to prevent entire encrypted messages)5 1564(timestamp \256eld)1 632 2 540 6105 t
( is another concern more)4 1066( This)1 256(from being replayed.)2 874 3 540 6215 t
( the encryption layer, where)4 1272(properly delegated to)2 924 2 540 6325 t
( packets of the entire session is)6 1381(chaining across the)2 815 2 540 6435 t
( chaining)1 433( \(Such)1 354(the more standard mechanism.)3 1409 3 540 6545 t
(avoids both the dependence on a clock and the need)9 2196 1 540 6655 t
(to cache recent timestamps.\))3 1160 1 540 6765 t
( protocols from the)3 916(Separating the Kerberos)2 1064 2 756 6908 t
( would facilitate both validation)4 1341(details of encryption)2 855 2 540 7018 t
( the Kerberos protocols, and)4 1352(of the security of)3 844 2 540 7128 t
( validations involving alternative)3 1349(implementations and)1 847 2 3024 672 t
( on mechanism,)2 736( much focus)2 592(cryptosystems. Too)1 868 3 3024 782 t
(while endemic to cryptographic protocol design,)5 2196 1 3024 892 t
(leads away from the need to state the basic proper-)9 2196 1 3024 1002 t
( would sug-)2 490( We)1 205( layer.)1 258(ties required of the encryption)4 1243 4 3024 1112 t
( starting)1 338(gest the following adversarial analysis as the)6 1858 2 3024 1222 t
( an adversary to)3 682(point for such a speci\256cation: allow)5 1514 2 3024 1332 t
( after the other, any number of messages)7 1716(submit, one)1 480 2 3024 1442 t
( an unknown key)3 715(for encryption under)2 842 2 3024 1552 t
10 I f
(K)4616 1552 w
10 R f
( adver-)1 289(. The)1 248 2 4683 1552 t
( suf\256xes)1 350(sary also has the ability to take pre\256xes and)8 1846 2 3024 1662 t
( exclusive-or known messages,)3 1329(of known messages,)2 867 2 3024 1772 t
( the end)2 336( At)1 168( or decrypt with known keys.)5 1215(and encrypt)1 477 4 3024 1882 t
( be able to)3 470(of this process, the adversary should not)6 1726 2 3024 1992 t
( those)1 274(produce any encrypted messages other than)5 1922 2 3024 2102 t
( an)1 184( Such)1 323( for encryption.)2 748(speci\256cally submitted)1 941 4 3024 2212 t
( schemes suscep-)2 725(analysis would preclude encryption)3 1471 2 3024 2322 t
(tible to simple chosen-plaintext attacks, as described)6 2196 1 3024 2432 t
(in a previous section.)3 873 1 3024 2542 t
(Given the intractability of reasoning about)5 1980 1 3240 2685 t
( proving complexity properties of any)5 1692(DES, or of)2 504 2 3024 2795 t
( such analyses)2 621(cryptosystem with bounded key size,)4 1575 2 3024 2905 t
( they)1 223( But)1 229(will be no guarantee of overall security.)6 1744 3 3024 3015 t
( of trivial cut-)3 609(can be used to preclude the existence)6 1587 2 3024 3125 t
(and-paste attacks.)1 717 1 3024 3235 t
8 R f
([DeMi83, Moor88])1 621 1 3741 3235 t
10 B f
( THE)1 385(RECOMMENDED CHANGES TO)2 1811 2 3024 3427 t
(KERBEROS PROTOCOL)1 1163 1 3240 3537 t
10 R f
( our recommended changes to the Ker-)6 1605(Below, we list)2 591 2 3024 3702 t
( our esti-)2 375( ranking is governed by)4 987( Our)1 224(beros protocol.)1 610 4 3024 3812 t
( and consequences of the)4 1181(mate of the likelihood)3 1015 2 3024 3922 t
( implement-)1 504(attack, balanced against the dif\256culty of)5 1692 2 3024 4032 t
(ing the modi\256cation.)2 847 1 3024 4142 t
( should be)2 561( challenge/response protocol)2 1290(a. A)1 190 3 3107 4252 t
( an optional alternative to time-)5 1482(offered as)1 441 2 3225 4362 t
(based authentication.)1 851 1 3225 4472 t
( as)1 149( a standard message encoding, such)5 1619(b. Use)1 279 3 3101 4582 t
( of the)2 329(ASN.1, which includes identi\256cation)3 1594 2 3225 4692 t
(message type within the encrypted data.)5 1637 1 3225 4802 t
( allow for)2 464( the basic login protocol to)5 1254(c. Alter)1 323 3 3107 4912 t
(handheld authenticators, in which)3 1390 1 3225 5022 t
10 S f
({)4654 5022 w
10 I f
(R)4710 5022 w
10 S f
(})4779 5022 w
10 I f
(K)4835 5022 w
7 I f
(C)4913 5042 w
10 R f
(, for)1 180 1 4968 5022 t
(a random)1 402 1 3225 5132 t
10 I f
(R)3680 5132 w
10 R f
(, is used to encrypt the server's)6 1407 1 3741 5132 t
(reply to the user, in place of the key)8 1729 1 3225 5242 t
10 I f
(K)5015 5242 w
7 I f
(C)5093 5262 w
10 R f
( allows)1 299( This)1 248(obtained from the user password.)4 1376 3 3225 5352 t
( with)1 212(the login procedure to prompt the user)6 1591 2 3225 5462 t
10 I f
(R)5062 5462 w
10 R f
(,)5123 5462 w
(who obtains)1 495 1 3225 5572 t
10 S f
({)3754 5572 w
10 I f
(R)3810 5572 w
10 S f
(})3879 5572 w
10 I f
(K)3935 5572 w
7 I f
(C)4013 5592 w
10 R f
( handheld device)2 696(from the)1 350 2 4102 5572 t
( the password)2 575(and returns that value instead of)5 1348 2 3225 5682 t
(itself.)3225 5792 w
( random initial vectors \(in)4 1082( such as)2 336(d. Mechanisms)1 629 3 3101 5902 t
( and)1 217(place of confounders\), block chaining)4 1706 2 3225 6012 t
( should be left to)4 720(message authentication codes)2 1203 2 3225 6122 t
( whose)1 416(a separate encryption layer,)3 1507 2 3225 6232 t
(information-hiding requirements are clearly)3 1923 1 3225 6342 t
( mechanisms based on)3 1055(explicated. Speci\256c)1 868 2 3225 6452 t
(DES should be validated and implemented.)5 1772 1 3225 6562 t
( client/server protocol should be modi\256ed)5 1768(e. The)1 273 2 3107 6672 t
( the multi-session key is used to nego-)7 1642(so that)1 281 2 3225 6782 t
( true session key, which is then used to)8 1669(tiate a)1 254 2 3225 6892 t
(protect the remainder of the session.)5 1487 1 3225 7002 t
( special-purpose hardware should)3 1434( for)1 172(f. Support)1 424 3 3118 7112 t
10 B f
(10 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 10 10
%%Page: 11 11
save
mark
11 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 R f
( impor-)1 314( More)1 291(be added, such as the keystore.)5 1318 3 1101 672 t
( the Kerberos)2 609(tantly, future enhancements to)3 1314 2 1101 782 t
(protocol should be designed under the)5 1923 1 1101 892 t
( a multi-)2 401(assumption that a host, particularly)4 1522 2 1101 1002 t
( and key-)2 415(user host, may be using encryption)5 1508 2 1101 1112 t
(storage hardware.)1 716 1 1101 1222 t
( password-guessing)1 824( protect against trivial)3 988(g. To)1 235 3 977 1332 t
(attacks, the protocol should not distribute tick-)6 1923 1 1101 1442 t
( password-)1 470(ets for users \(encrypted with the)5 1453 2 1101 1552 t
( initial exchange should)3 1051(based key\), and the)3 872 2 1101 1662 t
(authenticate the user to the Kerberos server.)6 1801 1 1101 1772 t
( optional extensions should be)4 1415( for)1 191(h. Support)1 441 3 977 1882 t
( an option to protect)4 921( particular,)1 462(included. In)1 540 3 1101 1992 t
( attacks via eaves-)3 824(against password-guessing)1 1099 2 1101 2102 t
(dropping may be a desirable feature.)5 1497 1 1101 2212 t
10 B f
(ACKNOWLEDGEMENTS)1408 2404 w
10 R f
( thank D. Davis and T.H.)5 1184(We would like to)3 796 2 1116 2569 t
( We'd)1 287( comments on an early draft.)5 1182(Foregger for their)2 727 3 900 2679 t
(especially like to thank C. Neuman for his detailed)8 2196 1 900 2789 t
( and his wil-)3 545(reviews of many versions of the paper,)6 1651 2 900 2899 t
( Griffeth)1 368( W.)1 199( discuss the issues with us.)5 1177(lingness to)1 452 4 900 3009 t
( on)1 176(helped us with preparation of the appendix)6 2020 2 900 3119 t
( we'd like to thank the Project)6 1468( Finally,)1 410(Draft 3.)1 318 3 900 3229 t
( development staff for their ini-)5 1321(Athena and Kerberos)2 875 2 900 3339 t
( their)1 247(tial design and implementation of Kerberos,)5 1949 2 900 3449 t
(solicitation of comments, and their responsiveness to)6 2196 1 900 3559 t
(our criticisms.)1 580 1 900 3669 t
10 B f
( 5 DRAFT 3)3 543(APPENDIX: VERSION)1 1071 2 1191 3861 t
10 R f
( way towards alleviating)3 1006(Draft 3 has gone a long)5 974 2 1116 4026 t
( problems have been \256xed, and)5 1332( Many)1 309(our concerns.)1 555 3 900 4136 t
( made for compatible enhance-)4 1315(provisions have been)2 881 2 900 4246 t
( are)1 158( These)1 308( issues.)1 301(ments to resolve other outstanding)4 1429 4 900 4356 t
( some)1 280( Still,)1 295( ongoing discussion.)2 908(being re\256ned in)2 713 4 900 4466 t
( addi-)1 258( In)1 169( or unaddressed.)2 707(issues remain unresolved)2 1062 4 900 4576 t
( areas of the)3 514(tion, we raise new issues related to older)7 1682 2 900 4686 t
(speci\256cation.)900 4796 w
( few places, we mention changes that may)7 1811(In a)1 169 2 1116 4939 t
( the speci\256cation; the)3 906(be made in future revisions of)5 1290 2 900 5049 t
( our under-)2 503(reader is cautioned that these represent)5 1693 2 900 5159 t
(standing, and only our understanding, of a continuing)7 2196 1 900 5269 t
(process.)900 5379 w
( summary omits areas)3 940(With one exception, this)3 1040 2 1116 5522 t
( was clear or was clari\256ed)5 1138(where the authors' intent)3 1058 2 900 5632 t
( \320 a way)3 415( exception)1 422( That)1 250(in private communications.)2 1109 4 900 5742 t
( to subvert bidirectional)3 1033(to misuse weak checksums)3 1163 2 900 5852 t
( to demonstrate the deli-)4 1015(authentication \320 we include)3 1181 2 900 5962 t
( and speci\256cation of)3 942(cacy inherent in the design)4 1254 2 900 6072 t
(authentication protocols.)1 996 1 900 6182 t
10 B f
(Draft 3 and Our Recommended Changes)5 1786 1 900 6429 t
10 R f
( changes in)2 469(We begin by reviewing our recommended)5 1727 2 900 6566 t
( discussions with its)3 864( and subsequent)2 680( 3)1 83(light of Draft)2 569 4 900 6676 t
(authors.)900 6786 w
( KRB)1 378(a. The)1 273 2 983 6896 t
10 S f
(_)1634 6896 w
10 R f
(AS)1684 6896 w
10 S f
(_)1812 6896 w
10 R f
(REQ/KRB)1862 6896 w
10 S f
(_)2296 6896 w
10 R f
(AS)2346 6896 w
10 S f
(_)2474 6896 w
10 R f
(REP and)1 500 1 2524 6896 t
(KRB)1101 7006 w
10 S f
(_)1307 7006 w
10 R f
(TGS)1357 7006 w
10 S f
(_)1546 7006 w
10 R f
(REQ/KRB)1596 7006 w
10 S f
(_)2030 7006 w
10 R f
(TGS)2080 7006 w
10 S f
(_)2269 7006 w
10 R f
(REP exchanges)1 705 1 2319 7006 t
( authentication)1 607(now provide challenge/response)2 1316 2 1101 7116 t
( via a)2 264(of the server to the client)5 1120 2 3585 672 t
10 I f
(nonce)5018 672 w
10 R f
(\256eld,)5305 672 w
( on the workstation time.)4 1061(instead of depending)2 862 2 3585 782 t
( the)1 178(For application servers,)2 1004 2 3585 892 t
10 I f
(e)4823 892 w
10 S f
(-)4891 892 w
10 I f
(data)4962 892 w
10 R f
(\256eld in)1 312 1 5196 892 t
(the KRB)1 382 1 3585 1002 t
10 S f
(_)3967 1002 w
10 R f
(AP)4017 1002 w
10 S f
(_)4145 1002 w
10 R f
(ERR)4195 1002 w
10 S f
(_)4390 1002 w
10 R f
(METHOD error message)2 1068 1 4440 1002 t
( server to signal the client)5 1114(can be used by the)4 809 2 3585 1112 t
(to use a challenge/response alternative to the)6 1923 1 3585 1222 t
(time-based kerberos authentication.)2 1438 1 3585 1332 t
( is labeled with the message)5 1168( encrypted data)2 627(b. All)1 252 3 3461 1442 t
( integration of)2 586(type prior to encryption, via full)5 1337 2 3585 1552 t
( there were)2 536( Although)1 483(the ASN.1 standard.)2 904 3 3585 1662 t
( we applaud its)3 635(many reasons for this decision,)4 1288 2 3585 1772 t
(bene\256cial impact on security.)3 1200 1 3585 1882 t
( optional)1 396(c. An)1 240 2 3467 1992 t
10 I f
(padata)4171 1992 w
10 R f
(\256eld will probably be)3 990 1 4518 1992 t
( the KRB)2 478(added to)1 392 2 3585 2102 t
10 S f
(_)4455 2102 w
10 R f
(AS)4505 2102 w
10 S f
(_)4633 2102 w
10 R f
(REP to allow for)3 825 1 4683 2102 t
(handheld authenticator protocol extensions.)3 1766 1 3585 2212 t
( random ini-)2 512( discussed, mechanisms such as)4 1300(d. As)1 235 3 3461 2322 t
(tial vectors \(in place of confounders\), block)6 1923 1 3585 2432 t
( authentication codes are)3 1025(chaining and message)2 898 2 3585 2542 t
( to a separate encryption layer, with a)7 1580(now left)1 343 2 3585 2652 t
( and)1 198(much clearer discussion of requirements)4 1725 2 3585 2762 t
(of speci\256c mechanisms based on DES.)5 1588 1 3585 2872 t
( probably be added to the)5 1112( \256elds will)2 461(e. Optional)1 468 3 3467 2982 t
(AP)3585 3092 w
10 S f
(_)3713 3092 w
10 R f
(REQ and AP)2 586 1 3763 3092 t
10 S f
(_)4349 3092 w
10 R f
( support)1 356(REP messages to)2 753 2 4399 3092 t
(the negotiation of true session keys.)5 1472 1 3585 3202 t
( optional \256elds \(such as)4 1064( of)1 137(f. Addition)1 463 3 3478 3312 t
10 I f
(padata)5197 3312 w
10 R f
(\))5475 3312 w
( extensions that exploit)3 1192(should facilitate)1 731 2 3585 3422 t
(special-purpose hardware.)1 1054 1 3585 3532 t
( still does not authenticate)4 1088( initial exchange)2 680(g. The)1 279 3 3461 3642 t
( the)1 182( Thus,)1 318( the Kerberos server.)3 935(the user to)2 488 4 3585 3752 t
(Kerberos equivalent of)2 966 1 3585 3862 t
10 CW f
(/etc/passwd)4602 3862 w
10 R f
(must)5313 3862 w
( as public, and passwords must be)6 1507(be treated)1 416 2 3585 3972 t
( with password-)2 788(chosen and administered)2 1135 2 3585 4082 t
( the)1 210( However,)1 511( mind.)1 319(guessing attacks in)2 883 4 3585 4192 t
10 I f
(padata)3585 4302 w
10 R f
( optional implementa-)2 957(\256eld facilitates)1 627 2 3924 4302 t
(tion of such preauthentication mechanisms.)4 1766 1 3585 4412 t
( optional \256elds facilitate)3 1119( above, several)2 693(h. As)1 235 3 3461 4522 t
(extensions such as exponential-key exchange)4 1923 1 3585 4632 t
( against password-guessing via)3 1468(to protect)1 455 2 3585 4742 t
(eavesdropping.)3585 4852 w
( discuss some of the revisions)5 1256(The following sections)2 940 2 3384 4962 t
(in Draft 3 in more detail, and raise some new issues.)10 2171 1 3384 5072 t
10 B f
(Login Dialog)1 562 1 3384 5319 t
10 R f
( dialog has been enhanced to include)6 1577(The login)1 403 2 3600 5456 t
( can be)2 324( This)1 257( data \256eld.)2 461(an additional authentication)2 1154 4 3384 5566 t
( pre-)1 259(used to support hand-held authenticators,)4 1937 2 3384 5676 t
( the original request, and future exten-)6 1641(encryption of)1 555 2 3384 5786 t
( signi\256cant enhancement, but we)4 1460( is a)2 233(sions. This)1 503 3 3384 5896 t
( support for hand-held authenticators and)5 1764(regret that)1 432 2 3384 6006 t
(pre-encryption is not yet a part of the standard.)8 1935 1 3384 6116 t
( in the request)3 650(In particular, the optional \256eld)4 1330 2 3600 6259 t
( of pre-encryption.)2 815(message can support some sort)4 1381 2 3384 6369 t
( be sent both in the)5 828(For example, the nonce \256eld can)5 1368 2 3384 6479 t
( in the user's login key, thereby)6 1376(clear and encrypted)2 820 2 3384 6589 t
( client is legitimate, and pre-)5 1258(demonstrating that the)2 938 2 3384 6699 t
( encrypted with)2 673(cluding remote collection of tickets)4 1523 2 3384 6809 t
( discussed in the main body of)6 1372( As)1 195(the user's key.)2 629 3 3384 6919 t
( we feel such a mechanism should be)7 1742(this paper,)1 454 2 3384 7029 t
( Password-cracking)1 949(mandatory, not optional.)2 1247 2 3384 7139 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 11)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 11 11
%%Page: 12 12
save
mark
12 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
10 R f
( of data; there is no)5 893(programs require just this sort)4 1303 2 540 672 t
(need to provide grist for their mill.)6 1433 1 540 782 t
(As currently released, a challenge-response dia-)5 1980 1 756 925 t
( reply for-)2 432( 3)1 83( Draft)1 249(log cannot be implemented by the)5 1432 4 540 1035 t
( the request message possesses the)5 1663(mat. While)1 533 2 540 1145 t
( reply does not, and hence)5 1182(optional extra \256eld, the)3 1014 2 540 1255 t
( \256eld)1 234( this)1 200( Adding)1 388(cannot carry the encrypted key.)4 1374 4 540 1365 t
( support of exponential)3 963(would also permit compatible)3 1233 2 540 1475 t
( ran-)1 206(key exchange, wherein each party must send a)7 1990 2 540 1585 t
( understand that the optional)4 1250( We)1 224(dom exponential.)1 722 3 540 1695 t
(\256eld will probably be added to the reply.)7 1682 1 540 1805 t
10 B f
(The Encryption and Checksum Layers)4 1689 1 540 2052 t
10 R f
( now a separate, well-de\256ned encryp-)5 1630(There is)1 350 2 756 2189 t
( these)1 258( Among)1 386( properties.)1 477(tion layer, with speci\256ed)3 1075 4 540 2299 t
( be capable of detect-)4 916(are that the encryption module)4 1280 2 540 2409 t
( only sup-)2 428( The)1 228(ing any tampering with the message.)5 1540 3 540 2519 t
( is a CRC-32 check-)4 894(ported method, in this version,)4 1302 2 540 2629 t
( within the encrypted portion of the mes-)7 1739(sum sealed)1 457 2 540 2739 t
(sage.)540 2849 w
( of)1 134(The encryption layer also reaps the bene\256t)6 1846 2 756 2992 t
( the encoding includes a)4 1029( Since)1 296( encoding.)1 432(the ASN.1)1 439 4 540 3102 t
( for an attacker to)4 739(length \256eld, it is no longer possible)6 1457 2 540 3212 t
( present the shortened form)4 1180(truncate a message, and)3 1016 2 540 3322 t
( a decision were)3 738( If)1 155(as a valid encrypted message.)4 1303 3 540 3432 t
( with something)2 703(ever made to replace ASN.1 \(say,)5 1493 2 540 3542 t
( to be)2 320(more ef\256cient\), this property would need)5 1876 2 540 3652 t
(preserved.)540 3762 w
(The confounder has now been moved to the)7 1980 1 756 3905 t
(encryption layer, but there is still some confusion of)8 2196 1 540 4015 t
( encryption.)1 491(function with the IV used by CBC-mode)6 1705 2 540 4125 t
(As commonly used, an IV)4 1118 1 540 4235 t
10 I f
(is)1701 4235 w
10 R f
(a confounder \(see, for)3 925 1 1811 4235 t
( to hold it constant during a ses-)7 1350(example, [Voyd83]\);)1 846 2 540 4345 t
(sion negates its purpose and thus requires the addi-)8 2196 1 540 4455 t
( the IV be used)4 688( suggest that)2 540( We)1 216(tional confounder.)1 752 4 540 4565 t
( otherwise altered)2 735(as intended, and be incremented or)5 1461 2 540 4675 t
( be)1 146( values for it should)4 898( Initial)1 323(after each message.)2 829 4 540 4785 t
( derived from\) the authentica-)4 1291(exchanged during \(or)2 905 2 540 4895 t
( the)1 234( from simplifying)2 878( Apart)1 371(tion handshake.)1 713 4 540 5005 t
(de\256nition of the encryption function, this scheme)6 2196 1 540 5115 t
(would also allow detection of message deletions by)7 2196 1 540 5225 t
(interested applications.)1 929 1 540 5335 t
( IV to be)3 418(It could be argued that requiring the)6 1562 2 756 5478 t
( higher layer violates the layering we)6 1654(handled at a)2 542 2 540 5588 t
( an attri-)2 364( an IV is as much)5 756( However,)1 460(have espoused.)1 616 4 540 5698 t
( would be rea-)3 609( It)1 131( cryptosystem as is a key.)5 1081(bute of a)2 375 4 540 5808 t
(sonable to encapsulate the de\256nition of the IV into)8 2196 1 540 5918 t
( object passed down to the)5 1157(the de\256nition of the key)4 1039 2 540 6028 t
(encryption layer.)1 684 1 540 6138 t
( are not as)3 437(The properties required of checksums)4 1543 2 756 6281 t
( speci\256ed: CRC-32,)2 874( types are)2 466(well-de\256ned. Three)1 856 3 540 6391 t
( MD4 encrypted with DES.)4 1220(MD4 and)1 410 2 540 6501 t
8 R f
([Rive90])2170 6501 w
10 R f
(How-)2509 6501 w
( is made of their attributes, save that)7 1504(ever, no mention)2 692 2 540 6611 t
( is a crucial)3 499( This)1 250( labeled ``cryptographic''.)2 1077(some are)1 370 4 540 6721 t
( better classi\256cation)2 821( A)1 142(omission, as discussed below.)3 1233 3 540 6831 t
(is whether or not a checksum is ``collision-proof'',)7 2196 1 540 6941 t
( can construct a)3 701(that is, whether or not an attacker)6 1495 2 540 7051 t
( CRC-32)1 369( The)1 223( checksum.)1 459(new message with the same)4 1145 4 3024 672 t
( while MD4 is)3 740(checksum is not collision-proof,)3 1456 2 3024 782 t
( checksum)1 459( that encrypting a)3 798( Note)1 286(believed to be.)2 653 4 3024 892 t
( little protection; if the checksum is not)7 1639(provides very)1 557 2 3024 1002 t
( is public, an adversary)4 1023(collision-proof and the data)3 1173 2 3024 1112 t
( with)1 237(can compute the value and replace the data)7 1959 2 3024 1222 t
(another message with the same checksum value.)6 2196 1 3024 1332 t
(\(Several such attacks are indicated below.\))5 1746 1 3024 1442 t
10 B f
(Weak Checksums and Cut-and-Paste Attacks)4 1976 1 3024 1689 t
10 R f
( was the)2 379( 3)1 83( the major changes in Draft)5 1219(One of)1 299 4 3240 1826 t
( the additional)2 600(removal of encryption protection from)4 1596 2 3024 1936 t
( that may be enclosed)4 957(tickets and authorization data)3 1239 2 3024 2046 t
( a)1 77( \256elds are protected by)4 945( These)1 305(with certain requests.)2 869 4 3024 2156 t
( encrypted authenticator sent)3 1213(checksum sealed in the)3 983 2 3024 2266 t
( that the checksum algo-)4 1076( Assume)1 405(with the request.)2 715 3 3024 2376 t
( a literal)2 345( is permitted by)3 649( \(This)1 277(rithm used is CRC-32.)3 925 4 3024 2486 t
( that this)2 375( though we have learned)4 1039( 3,)1 108(reading of Draft)2 674 4 3024 2596 t
( this)1 224( With)1 312( the authors.\))2 632(was not the intent of)4 1028 4 3024 2706 t
( ENC-TKT-IN-)1 681(assumption, the existence of the)4 1515 2 3024 2816 t
( and)1 191(SKEY option leads to a major security breach,)7 2005 2 3024 2926 t
(in particular to the complete negation of bidirectional)7 2196 1 3024 3036 t
(authentication.)3024 3146 w
( ticket-)1 304(As usual, the client, possessing a valid)6 1676 2 3240 3289 t
( off a request for a new ticket)7 1304(granting ticket, sends)2 892 2 3024 3399 t
(for some service)2 759 1 3024 3509 t
10 I f
(S)3858 3509 w
10 R f
( enemy intercepts this)3 1024(. The)1 288 2 3908 3509 t
( the ENC-TKT-IN-)2 844( First,)1 305(request and modi\256es it.)3 1047 3 3024 3619 t
( speci\256es that the ticket, nor-)5 1244( This)1 254( is set.)2 289(SKEY bit)1 409 4 3024 3729 t
(mally encrypted in)2 793 1 3024 3839 t
10 I f
(S)3864 3839 w
10 R f
( encrypted in)2 563('s key, should be)3 743 2 3914 3839 t
(the session key of the enclosed ticket-granting ticket.)7 2196 1 3024 3949 t
( attacker's own ticket-granting ticket is)5 1701(Second, the)1 495 2 3024 4059 t
( session)1 334( the attacker knows its)4 969(enclosed. Obviously,)1 893 3 3024 4169 t
( data \256eld)2 440( the additional authorization)3 1196(key. Finally,)1 560 3 3024 4279 t
( is needed to)3 580(is \256lled in with whatever information)5 1616 2 3024 4389 t
(make the CRC match the original version.)6 1733 1 3024 4499 t
( ticket-granting)1 663( The)1 262(Consider what happens.)2 1055 3 3240 4642 t
(service, seeing a valid request, sends back a ticket.)8 2196 1 3024 4752 t
( key, will not)3 600(This ticket, encrypted in the enemy's)5 1596 2 3024 4862 t
( to the real service, but of course, it)8 1616(be intelligible)1 580 2 3024 4972 t
( legitimate client cannot tell)4 1152( The)1 221(will not get that far.)4 823 3 3024 5082 t
( by)1 136(that the ticket is misencrypted; tickets are, almost)7 2060 2 3024 5192 t
( a key known only to the)6 1198(de\256nition, encrypted in)2 998 2 3024 5302 t
( service is requested,)3 870( the)1 161( When)1 310(server and Kerberos.)2 855 4 3024 5412 t
( unseals the)2 546(the enemy intercepts the request and)5 1650 2 3024 5522 t
( request bidirectional authenti-)3 1256( client may)2 468(ticket. The)1 472 3 3024 5632 t
(cation; however, since the attacker has decrypted the)7 2196 1 3024 5742 t
( for that service request is)5 1208(ticket, the session key)3 988 2 3024 5852 t
( authentica-)1 477( the bidirectional)2 693(available. Consequently,)1 1026 3 3024 5962 t
(tion dialog may be spoofed without trouble.)6 1800 1 3024 6072 t
( factors interacted to)3 961(A number of different)3 1019 2 3240 6215 t
( the)1 223( is obvious:)2 548( One)1 267( possible.)1 421(make this attack)2 737 5 3024 6325 t
( what turned out to be)5 924(ticket request was protected by)4 1272 2 3024 6435 t
( collision-proof checksum)2 1119( a)1 108( If)1 163(a weak checksum.)2 806 4 3024 6545 t
( the attack would be infeasible; the enemy)7 1760(were used,)1 436 2 3024 6655 t
(could not have generated the additional authorization)6 2196 1 3024 6765 t
( to make the new request's)5 1317(data \256eld necessary)2 879 2 3024 6875 t
( there are)2 518( But)1 277(checksum match the original.)3 1401 3 3024 6985 t
( additional tickets used)3 997( if the)2 283( First,)1 292(subtleties here.)1 624 4 3024 7095 t
10 B f
(12 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 12 12
%%Page: 13 13
save
mark
13 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 R f
( encrypted \(again\), they)3 974(by ENC-TKT-IN-SKEY were)2 1222 2 900 672 t
( protected by the very)4 982(would have been adequately)3 1214 2 900 782 t
(same CRC-32 checksum that was abused in the)7 2196 1 900 892 t
( encryption, the)2 714( because of the)3 727(attack. However,)1 755 3 900 1002 t
(enemy would be unable to either discern or match)8 2196 1 900 1112 t
( other words, the context is critical;)6 1466( In)1 150(the checksum.)1 580 3 900 1222 t
( from re-encrypting some encrypted)4 1487(merely refraining)1 709 2 900 1332 t
( checksum to protect it,)4 1039(data, while using the same)4 1157 2 900 1442 t
( have been)2 464( \(Note: we)2 525( breach.)1 334(has led to a security)4 873 4 900 1552 t
( the designers intended to require that the)7 1839(told that)1 357 2 900 1662 t
10 I f
(cname)900 1772 w
10 R f
( ticket match the name of the)6 1225(in the additional)2 674 2 1197 1772 t
( is being requested.)3 843(server for which the new ticket)5 1353 2 900 1882 t
( still permit the intended use)5 1206(This requirement would)2 990 2 900 1992 t
(of the option, but would foil the attack we describe.)9 2196 1 900 2102 t
( omit-)1 260(Apparently, the requirement was inadvertently)4 1936 2 900 2212 t
(ted from Draft 3.\))3 733 1 900 2322 t
( be possible using the)4 1025(A similar attack may)3 955 2 1116 2465 t
( option was designed for)4 1022( This)1 246(REUSE-SKEY option.)1 928 3 900 2575 t
(multicast key distribution; with a weak checksum, an)7 2196 1 900 2685 t
( abuse it to generate a service ticket)7 1680(attacker can)1 516 2 900 2795 t
( REUSE-SKEY option)2 993( The)1 251(whose key is known.)3 952 3 900 2905 t
( If)1 143( a related, albeit less serious, attack.)6 1547(also permits)1 506 3 900 3015 t
(two tickets,)1 495 1 900 3125 t
10 I f
(T)1454 3125 w
10 R f
(1 and)1 253 1 1518 3125 t
10 I f
(T)1830 3125 w
10 R f
( the same key, the)4 858(2, share)1 344 2 1894 3125 t
( and)1 187(attacker can intercept a request for one service,)7 2009 2 900 3235 t
( two tickets share)3 759( the)1 167( Since)1 300(redirect it to the other.)4 970 4 900 3345 t
(the same key, the authenticator will be accepted.)7 2196 1 900 3455 t
( possibility is depends on)4 1152(Just how damaging this)3 1044 2 900 3565 t
( share the same)3 657(what sorts of services might want to)6 1539 2 900 3675 t
( a \256le server and a backup server were)8 1663( say,)1 199(key. If,)1 334 3 900 3785 t
( an attacker might redirect some)5 1428(invoked this way,)2 768 2 900 3895 t
( being)1 287(requests to destroy archival copies of \256les)6 1909 2 900 4005 t
( to)1 141( solution to this particular attack is)6 1617(edited. A)1 438 3 900 4115 t
( a collision-proof)2 770(include either the service name,)4 1426 2 900 4225 t
( the ticket, or both, in the authenticator.)7 1674(checksum of)1 522 2 900 4335 t
( explicitly warns against using)4 1340( 3)1 83( sure, Draft)2 513(To be)1 260 4 900 4445 t
( for authentica-)2 653(tickets with DUPLICATE-SKEY set)3 1543 2 900 4555 t
( not)1 206( that obey this restriction are)5 1400(tion. Servers)1 590 3 900 4665 t
( we have been told)4 844( Also,)1 296( attack.)1 312(vulnerable to this)2 744 4 900 4775 t
( will probably be omit-)4 958(that the REUSE-SKEY option)3 1238 2 900 4885 t
(ted in future revisions of the protocol.)6 1560 1 900 4995 t
( attack of this sort can occur if the)8 1702(A last)1 278 2 1116 5138 t
( a different ticket for the legiti-)6 1404(attacker substitutes)1 792 2 900 5248 t
( from Kerberos.)2 678(mate one in key distribution replies)5 1518 2 900 5358 t
( does not con-)3 605(The encrypted part of such a message)6 1591 2 900 5468 t
(tain any checksum to validate that the message was)8 2196 1 900 5578 t
( this appears to)3 662( While)1 322( in transit.)2 443(not tampered with)2 769 4 900 5688 t
( denial-of-service attack than a penetration,)5 1783(be more a)2 413 2 900 5798 t
( this)1 216(it would be useful for the client to know)8 1980 2 900 5908 t
(immediately.)900 6018 w
( this list of potential attacks.)5 1183(Two issues underly)2 797 2 1116 6161 t
( not)1 185(As discussed, weak checksums \(encrypted but)5 2011 2 900 6271 t
( over public data\) allow an adver-)6 1400(collision-proof, and)1 796 2 900 6381 t
( messages.)1 457(sary to paste together legitimate-looking)4 1739 2 900 6491 t
( strong checksums and/or)3 1210(Message integrity via)2 986 2 900 6601 t
( to as many protocol)4 904(encryption should be extended)3 1292 2 900 6711 t
(messages \(and as many \256elds\) as possible.)6 1743 1 900 6821 t
( and ENC-TKT-IN-)2 836(Second, the REUSE-SKEY)2 1144 2 3600 672 t
( ``overload'' the basic protocol, in that)6 1604(SKEY options)1 592 2 3384 782 t
( or be encrypted)3 699(tickets may now share session keys)5 1497 2 3384 892 t
( is possible that)3 707( It)1 148( service.)1 361(in keys other than the)4 980 4 3384 1002 t
(there are other ways an attack could exploit the)8 2196 1 3384 1112 t
( options are intended for)4 1040( These)1 312(ensuing ambiguities.)1 844 3 3384 1222 t
( general authentication;)2 1027(very constrained uses, not)3 1169 2 3384 1332 t
( so intimately integrated into the)5 1397(they should not be)3 799 2 3384 1442 t
( same purposes)2 688( The)1 252( protocol.)1 422(basic authentication)1 834 4 3384 1552 t
( by adding separate message types)5 1492(would be served)2 704 2 3384 1662 t
( using)1 272(that cannot be misinterpreted as tickets, and)6 1924 2 3384 1772 t
(keys that are derived from but are not identical to)9 2196 1 3384 1882 t
(those used in the basic protocol.)5 1322 1 3384 1992 t
( analysis of the \256nal standard is)6 1392(Even then, an)2 588 2 3600 2135 t
( extension has not)3 824(needed, to assure that a minor)5 1372 2 3384 2245 t
( the)1 195( \(E.g.,)1 324(negated a security-critical assumption.)3 1677 3 3384 2355 t
( two tickets)2 495(basic Kerberos protocol assumes that no)5 1701 2 3384 2465 t
( tickets are always)3 860(share a session key, and that)5 1336 2 3384 2575 t
(encrypted with the server's key.\))4 1342 1 3384 2685 t
10 B f
(KRB)3384 2932 w
10 S f
(_)3601 2932 w
10 B f
(SAFE and KRB)2 701 1 3651 2932 t
10 S f
(_)4352 2932 w
10 B f
(PRIV Messages)1 676 1 4402 2932 t
10 R f
(The KRB)1 440 1 3600 3069 t
10 S f
(_)4040 3069 w
10 R f
(SAFE and KRB)2 755 1 4090 3069 t
10 S f
(_)4845 3069 w
10 R f
(PRIV messages)1 685 1 4895 3069 t
( distributed with the ticket for)5 1236(employ the session key)3 960 2 3384 3179 t
( 3)1 83( Draft)1 284( privacy, respectively.)2 913(integrity-checking and)1 916 4 3384 3289 t
(dictates that both use time-of-day values to guard)7 2196 1 3384 3399 t
( be problematic.)2 848(against replay, which may)3 1348 2 3384 3509 t
( limited)1 325(Currently, the resolution of the timestamp is)6 1871 2 3384 3619 t
( coarse for many)3 739(to 1 millisecond, which is far too)6 1457 2 3384 3729 t
( and other timestamps in the pro-)6 1405(applications. \(This)1 791 2 3384 3839 t
( probably be changed to microsecond reso-)6 1802(tocol will)1 394 2 3384 3949 t
(lution.\))3384 4059 w
( cache)1 268(A second problem area is the need for a)8 1712 2 3600 4202 t
( if such)2 394( Obviously,)1 550( timestamps.)1 556(of recently-used)1 696 4 3384 4312 t
( like \256le system)3 814(messages are used for things)4 1382 2 3384 4422 t
( size of the cache could rapidly become)7 1681(requests, the)1 515 2 3384 4532 t
( authenticated or)2 701( if two)2 295(unmanageable. Furthermore,)1 1200 3 3384 4642 t
(encrypted sessions run concurrently, the cache must)6 2196 1 3384 4752 t
( messages from one ses-)4 1038(be shared between them, or)4 1158 2 3384 4862 t
(sion can be replayed into the other.)6 1448 1 3384 4972 t
( idea of a)3 443(Both problems can be solved if the)6 1537 2 3600 5115 t
( of sequence)2 628(timestamp is abandoned in favor)4 1568 2 3384 5225 t
( be)1 135( random initial sequence number can)5 1547(numbers. A)1 514 3 3384 5335 t
( authenticator and/or in the)4 1288(transmitted with the)2 908 2 3384 5445 t
(KRB)3384 5555 w
10 S f
(_)3590 5555 w
10 R f
(AP)3640 5555 w
10 S f
(_)3768 5555 w
10 R f
(REP message; after each authenticated)4 1762 1 3818 5555 t
( be incremented.)2 684(message is sent, it would, of course,)6 1512 2 3384 5665 t
( a simple last-message counter.)4 1393(The cache is then)3 803 2 3384 5775 t
(This mechanism also provides the ability to detect)7 2196 1 3384 5885 t
( for gaps in sequence)4 914(deleted messages, by watching)3 1282 2 3384 5995 t
( session would)2 639( since each)2 489( And,)1 281(number utilization.)1 787 4 3384 6105 t
( would not)2 474(have its own initial sequence number, it)6 1722 2 3384 6215 t
( attacker to perform cross-stream)4 1414(be possible for an)3 782 2 3384 6325 t
( access to a common cache is)6 1241(replays, and concurrent)2 955 2 3384 6435 t
( advantage would be gained)4 1278( \(This)1 311(not necessary.)1 607 3 3384 6545 t
( session keys were)3 878(even with timestamps if true)4 1318 2 3384 6655 t
( likely that in a future revision, sequence)7 1716( is)1 106(used.\) It)1 374 3 3384 6765 t
( use)1 169(numbers will be provided as an alternative to the)8 2027 2 3384 6875 t
(of timestamps.)1 597 1 3384 6985 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 13)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 13 13
%%Page: 14 14
save
mark
14 pagesetup
10 B f
( & Merritt)2 469( Bellovin)1 3284(Kerberos Limitations)1 927 3 540 322 t
(Authenticators)540 672 w
10 R f
( use of authenticators)3 923( still calls for the)4 764(Draft 3)1 293 3 756 809 t
( there is)2 386( However,)1 483( replay.)1 334(to guard against ticket)3 993 4 540 919 t
( to specify that addi-)4 901(now a provision for the server)5 1295 2 540 1029 t
( is required, and an optional data)6 1366(tional authentication)1 830 2 540 1139 t
(\256eld for this has been added to the KRB)8 1812 1 540 1249 t
10 S f
(_)2352 1249 w
10 R f
(ERROR)2402 1249 w
( implement)1 498( can be used to)4 777( This)1 282(reply message.)1 639 4 540 1359 t
(challenge/response schemes.)1 1155 1 540 1469 t
(The authenticator should have some other \256elds)6 1980 1 756 1612 t
( noted earlier,)2 569( As)1 178( it, some of them optional.)5 1098(added to)1 351 4 540 1722 t
( it)1 96(it must contain a collision-proof checksum linking)6 2100 2 540 1832 t
( an optional initial sequence)4 1353(to the ticket, and)3 843 2 540 1942 t
( be used by any applica-)5 1082( latter would)2 549(number. The)1 565 3 540 2052 t
( might wish to exchange encrypted or)6 1779(tions that)1 417 2 540 2162 t
(authenticated messages.)1 967 1 540 2272 t
( to)1 147(The authenticator is also the right place)6 1833 2 756 2415 t
( propose adding a)3 770( We)1 217( session key.)2 550(negotiate a true)2 659 4 540 2525 t
( and the)2 382(new \256eld for it to both the authenticator)7 1814 2 540 2635 t
(KRB)540 2745 w
10 S f
(_)746 2745 w
10 R f
(AP)796 2745 w
10 S f
(_)924 2745 w
10 R f
( actual session key)3 884( The)1 259(REP message.)1 619 3 974 2745 t
( an exclusive-or of the multises-)5 1369(could be formed by)3 827 2 540 2855 t
( randomly-)1 482(sion key associated with the ticket, a)6 1714 2 540 2965 t
( in the authenticator, and a similar)6 1572(generated \256eld)1 624 2 540 3075 t
( that this retains a)4 789( Note)1 273(\256eld in the reply message.)4 1134 3 540 3185 t
( if)1 129( compatibility with the current scheme:)5 1618(measure of)1 449 3 540 3295 t
( \256elds are not present, the multi-)6 1482(the two optional)2 714 2 540 3405 t
(session key will be used as the actual session key.)9 2064 1 540 3515 t
( true session keys, initial)4 1318(Negotiation of)1 662 2 756 3658 t
( IV's could be)3 598(sequence numbers, and confounders or)4 1598 2 540 3768 t
( standard mechanism, perhaps sub-)4 1488(combined in one)2 708 2 540 3878 t
( of the session)3 611(sumed as encryption-speci\256c sub\256elds)3 1585 2 540 3988 t
(key \256elds.)1 419 1 540 4098 t
10 B f
(Inter-Realm Authentication)1 1198 1 540 4345 t
10 R f
( still problematic.)2 777(Inter-realm authentication is)2 1203 2 756 4482 t
( con\256guration \256les can tell a Ker-)6 1432(Granted that static)2 764 2 540 4592 t
( the identities)2 559(beros server who its parent is, and even)7 1637 2 540 4702 t
( still no scalable)3 785(of all of its children, there is)6 1411 2 540 4812 t
( learn of grandchildren or more distant)6 1625(mechanism to)1 571 2 540 4922 t
(descendants.)540 5032 w
( is apparently the intention of the)6 1411(To be sure, it)3 569 2 756 5175 t
( name space be)3 708(authors that the Internet's domain)4 1488 2 540 5285 t
( \320 the)2 354(used to denote realms, and \320 implicitly)6 1842 2 540 5395 t
( from clear to us that)5 929( is far)2 269( It)1 140(hierarchy of servers.)2 858 4 540 5505 t
( such)1 260( Furthermore,)1 634( hierarchies coincide.)2 954(the two)1 348 4 540 5615 t
( alternative routing)2 894( No)1 247(usage is not required.)3 1055 3 540 5725 t
(mechanism has been suggested.)3 1294 1 540 5835 t
( pieces of the)3 652(Additionally, there are several)3 1328 2 756 5978 t
( with)1 214(protocol that are unclear or simply do not work)8 1982 2 540 6088 t
( example, ENC-TKT-IN-)2 1129( For)1 255(inter-realm tickets.)1 812 3 540 6198 t
( ticket-granting)1 636(SKEY and REUSE-KEY require the)4 1560 2 540 6308 t
( cannot do this if the)5 944( It)1 144( ticket.)1 297(server to decrypt a)3 811 4 540 6418 t
( Presum-)1 419( another realm.)2 657(ticket had been issued by)4 1120 3 540 6528 t
( course, the request could be sent to the other)9 1883(ably, of)1 313 2 540 6638 t
( not possess)2 500(realm's ticket-granting server, but it may)5 1696 2 540 6748 t
(the necessary key to generate the new ticket.)7 1834 1 540 6858 t
10 B f
(NEW RECOMMENDED CHANGES)2 1627 1 3308 672 t
10 R f
( recommended)1 640(Below, we include a new list of)6 1556 2 3024 837 t
( indicated are likely)3 853(changes, beyond those we have)4 1343 2 3024 947 t
( \256rst two are repeated from our)6 1361( The)1 233( adopted.)1 386(to be)1 216 4 3024 1057 t
( \(or will be\) implementable)4 1173(earlier list, and are now)4 1023 2 3024 1167 t
( to stress our belief)4 840(as options; we repeat them here)5 1356 2 3024 1277 t
(that they should be a mandatory part of the protocol.)9 2169 1 3024 1387 t
( allow for)2 464( the basic login protocol to)5 1254(a. Alter)1 323 3 3107 1497 t
(challenge/response handheld authenticators.)2 1776 1 3225 1607 t
( authenticate the)2 720( initial exchange should)3 1048(b. The)1 279 3 3101 1717 t
(user to the Kerberos server, to complicate)6 1923 1 3225 1827 t
(password-guessing attacks.)1 1095 1 3225 1937 t
( additional)1 450(c. Strong checksums, encryption, and)4 1591 2 3107 2047 t
( to assure integrity of the)5 1051(\256elds should be used)3 872 2 3225 2157 t
( example, tick-)2 626( \(For)1 245(basic Kerberos messages.)2 1052 3 3225 2267 t
(ets should be tied more closely to the contexts)8 1923 1 3225 2377 t
( used, by including service)4 1164(in which they are)3 759 2 3225 2487 t
( the encrypted part of)4 913(names in the ticket, and)4 1010 2 3225 2597 t
(KRB)3225 2707 w
10 S f
(_)3431 2707 w
10 R f
(AS)3481 2707 w
10 S f
(_)3609 2707 w
10 R f
( KRB)1 278(REP and)1 399 2 3659 2707 t
10 S f
(_)4336 2707 w
10 R f
(TGS)4386 2707 w
10 S f
(_)4575 2707 w
10 R f
(REP should)1 523 1 4625 2707 t
( tick-)1 224(contain collision-proof checksums of the)4 1699 2 3225 2817 t
(ets.\))3225 2927 w
( extensions not related to basic)5 1584(d. Protocol)1 463 2 3101 3037 t
( ENC-TKT-IN-SKEY and)2 1135(authentication \(the)1 788 2 3225 3147 t
( should be omitted or)4 938(REUSE-SKEY options\))1 985 2 3225 3257 t
(use distinct message and ticket formats.)5 1627 1 3225 3367 t
10 B f
(References)3890 3559 w
10 R f
( of Operation,'' Federal)3 1139( Modes)1 360(FIPS81. ``DES)1 697 3 3024 3724 t
( Standards Publication)2 996(Information Processing)1 984 2 3240 3834 t
( Bureau of Stan-)3 693( National)1 414( 1980\).)1 295(81 \(December)1 578 4 3240 3944 t
(dards, U.S. Department of Commerce)4 1543 1 3240 4054 t
( Systems \320 Open)3 785( Processing)1 477(ASN1. ``Information)1 934 3 3024 4197 t
( of)1 161(Systems Interconnection \320 Speci\256cation)3 1819 2 3240 4307 t
(Abstract Syntax Notation One \(ASN.1\),'' Inter-)5 1980 1 3240 4417 t
( International)1 610( 8824 \(1987\).)2 625(national Standard)1 745 3 3240 4527 t
( Interna-)1 380(Organization for Standardization and)3 1600 2 3240 4637 t
(tional Electrotechnical Committee)2 1387 1 3240 4747 t
( \320 Open)2 434( Processing Systems)2 883(BER. ``Information)1 879 3 3024 4890 t
( of)1 161(Systems Interconnection \320 Speci\256cation)3 1819 2 3240 5000 t
(Basic Encoding Rules for Abstract Syntax)5 1980 1 3240 5110 t
( Standard)1 396(Notation One \(ASN.1\),'' International)3 1584 2 3240 5220 t
( for)1 194( Organization)1 598( International)1 620(8825 \(1987\).)1 568 4 3240 5330 t
( Electrotechni-)1 609(Standardization and International)2 1371 2 3240 5440 t
(cal Committee)1 594 1 3240 5550 t
( and F. Piper,)3 629( Beker)1 293(Beke82. H.)1 543 3 3024 5693 t
10 I f
(Cipher Systems,)1 675 1 4545 5693 t
10 R f
(John Wiley & Sons \(1982\).)4 1129 1 3240 5803 t
( Bryant,)1 365(Brya88. B.)1 527 2 3024 5946 t
10 I f
(Designing an Authentication)2 1236 1 3984 5946 t
( Four Scenes)2 599( Dialogue in)2 580(System: A)1 469 3 3240 6056 t
10 R f
(, Draft)1 332 1 4888 6056 t
(February 8, 1988.)2 726 1 3240 6166 t
( and W.L. Price,)3 702( Davies)1 317(Davi89. D.W.)1 651 3 3024 6309 t
10 I f
(Security for)1 485 1 4735 6309 t
(Computer Networks,)1 898 1 3240 6419 t
10 R f
(John Wiley & Sons)3 988 1 4232 6419 t
( Edition)1 328(\(1989\). Second)1 651 2 3240 6529 t
( Davis and R. Swick,)4 920(Davi90. D.)1 532 2 3024 6672 t
10 I f
(Workstation Ser-)1 700 1 4520 6672 t
( at Project)2 490(vices and Kerberos Authentication)3 1490 2 3240 6782 t
(Athena,)3240 6892 w
10 R f
(MIT Laboratory for Computer Science)4 1628 1 3592 6892 t
(Technical Memorandum 424 \(February 1990\).)4 1892 1 3240 7002 t
( Deavours and L. Kruh,)4 1134(Deav85. C.A.)1 640 2 3024 7145 t
10 I f
(Machine)4871 7145 w
10 B f
(14 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 14 14
%%Page: 15 15
save
mark
15 pagesetup
10 B f
( Limitations)1 528( Kerberos)1 3332(Bellovin & Merritt)2 820 3 900 322 t
10 I f
(Cryptography and Modern Cryptanalysis,)3 1980 1 1116 672 t
10 R f
(Artech House \(1985\).)2 883 1 1116 782 t
( ``Protocols)1 501( DeMillo and M. Merritt,)4 1129(DeMi83. R.)1 566 3 900 925 t
(for Data Security,'')2 826 1 1116 1035 t
10 I f
(Computer)1991 1035 w
10 B f
(16)2440 1035 w
10 R f
( 39-50)1 282(\(2\) pp.)1 274 2 2540 1035 t
(\(February 1983\).)1 684 1 1116 1145 t
( Dif\256e and M.E. Hellman, ``New Direc-)6 1670(Diff76. W.)1 526 2 900 1288 t
(tions in Cryptography,'')2 1009 1 1116 1398 t
10 I f
(IEEE Transactions on)2 927 1 2169 1398 t
(Information Theory)1 810 1 1116 1508 t
10 B f
(6)1976 1508 w
10 R f
(pp. 644-654 \(November,)2 1037 1 2059 1508 t
(1976\).)1116 1618 w
( and R.H. Morris, ``Operat-)4 1188( Grampp)1 373(Gram84. F.T.)1 635 3 900 1761 t
(ing System Security,'')2 927 1 1116 1871 t
10 I f
(AT&T Bell Laboratories)2 1013 1 2083 1871 t
(Technical Journal)1 751 1 1116 1981 t
10 B f
(63)1913 1981 w
10 R f
( 1649-1672)1 480( pp.)1 158( 2\))1 130(\(8, Part)1 315 4 2013 1981 t
(A&T, \(October, 1984\).)2 939 1 1116 2091 t
( Kahn,)1 308(Kahn67. D.)1 554 2 900 2234 t
10 I f
( of)1 146( Story)1 278(Codebreakers: The)1 843 3 1829 2234 t
(Secret Writing,)1 613 1 1116 2344 t
10 R f
(Macmillan \(1967\).)1 757 1 1762 2344 t
( Kerckhoffs,)1 547(Kerc83. A.)1 531 2 900 2487 t
10 I f
( Mili-)1 275(La Cryptographie)1 769 2 2052 2487 t
(taire,)1116 2597 w
10 R f
(Libraire Militaire de L. Baudoin & Cie.,)6 1721 1 1375 2597 t
(Paris \(1883\).)1 524 1 1116 2707 t
( J.)1 145( Kohl, B. Clifford Neuman, and)5 1546(Kohl89. J.)1 505 3 900 2850 t
(Steiner,)1116 2960 w
10 I f
( Network Authentication)2 1038(The Kerberos)1 578 2 1480 2960 t
(Service,)1116 3070 w
10 R f
(MIT Project Athena \(November 6,)4 1587 1 1509 3070 t
( 5, Draft 2)3 434(1989\). Version)1 640 2 1116 3180 t
( J.)1 145( Kohl, B. Clifford Neuman, and)5 1546(Kohl90. J.)1 505 3 900 3323 t
(Steiner,)1116 3433 w
10 I f
( Network Authentication)2 1038(The Kerberos)1 578 2 1480 3433 t
(Service,)1116 3543 w
10 R f
(MIT Project Athena \(October 8, 1990\).)5 1626 1 1470 3543 t
(Version 5, Draft 3)3 750 1 1116 3653 t
( and A.M. Odlyzko,)3 865( LaMacchia)1 494(LaMa. B.A.)1 568 3 900 3796 t
10 I f
(Com-)2874 3796 w
( Discrete Logarithms in Prime)4 1478(putation of)1 502 2 1116 3906 t
(Fields)1116 4016 w
10 R f
( in preparation\))2 631(, \(Manuscript)1 579 2 1366 4016 t
( J.H. Saltzer,)2 597( Lomas, L. Gong,)3 828(Loma89. T.M.A.)1 771 3 900 4159 t
( ``Reducing Risks from)3 1079(and R.M. Needham,)2 901 2 1116 4269 t
(Poorly Chosen Keys,'')2 1057 1 1116 4379 t
10 I f
(Operating Systems)1 825 1 2271 4379 t
(Review)1116 4489 w
10 B f
(23)1502 4489 w
10 R f
( ACM, \(December)2 889( 14-18)1 331(\(5\) pp.)1 274 3 1602 4489 t
(1989\).)1116 4599 w
( Miller, B.C. Neuman, J.I. Schiller,)5 1620(Mill87. S.P.)1 576 2 900 4742 t
( and)1 184(and J.H. Saltzer, ``Kerberos Authentication)4 1796 2 1116 4852 t
(Authorization System,'' in)2 1211 1 1116 4962 t
10 I f
(Project Athena)1 673 1 2423 4962 t
(Technical Plan)1 651 1 1116 5072 t
10 R f
( Section)1 401( 1987\).)1 326(, \(December)1 568 3 1767 5072 t
(E.2.1)1116 5182 w
( Time Protocol,'')2 795( Mills, ``Network)2 804(Mill88. D.L.)1 597 3 900 5325 t
(RFC 1059 \(July 1988\).)3 947 1 1116 5435 t
( Time Protocol,'')2 795( Mills, ``Network)2 804(Mill89. D.L.)1 597 3 900 5578 t
(RFC 1119 \(September 1989\).)3 1207 1 1116 5688 t
( Failures in Cryp-)3 780( Moore, ``Protocol)2 792(Moor88. J.H.)1 624 3 900 5831 t
(tosystems,'')1116 5941 w
10 I f
(Proc. IEEE)1 523 1 1690 5941 t
10 B f
(76)2301 5941 w
10 R f
( 594-602)1 421(\(5\) pp.)1 274 2 2401 5941 t
(\(May 1988\).)1 507 1 1116 6051 t
( Thompson., ``UNIX)2 935( Morris and K.)3 723(Morr79. R.)1 538 3 900 6194 t
(Password Security,'')1 881 1 1116 6304 t
10 I f
( the)1 195(Communications of)1 830 2 2071 6304 t
(ACM)1116 6414 w
10 B f
(22)1360 6414 w
10 R f
(\(11\) p. 594 \(November 1979\).)4 1235 1 1460 6414 t
( in the 4.2BSD)3 628( Morris, ``A Weakness)3 944(Morr85. R.T.)1 624 3 900 6557 t
( Computing Science Techni-)3 1188(TCP/IP Software,'')1 792 2 1116 6667 t
( Bell Laboratories,)2 786( AT&T)1 350( No. 117,)2 412(cal Report)1 432 4 1116 6777 t
(Murray Hill, New Jersey \(February 1985\).)5 1733 1 1116 6887 t
( Datagram Protocol.,'')2 976( Postel, ``User)2 650(Post80. J.B.)1 570 3 900 7030 t
(RFC 768 \(August 28, 1980\).)4 1177 1 1116 7140 t
( ``Transmission Control Proto-)3 1308( Postel,)1 318(Post81. J.B.)1 570 3 3384 672 t
(col.,'' RFC 793 \(September 1981\).)4 1428 1 3600 782 t
( Harrenstien, ``Time Pro-)3 1041( Postel and K.)3 585(Post83. J.B.)1 570 3 3384 925 t
(tocol.,'' RFC 868 \(May 1983\).)4 1262 1 3600 1035 t
( message digest algo-)3 932( Rivest, ``MD4)2 656(Rive90. R.L.)1 608 3 3384 1178 t
(rithm,'' RFC 1186 \(October 1990\).)4 1442 1 3600 1288 t
( communication June)2 933( Saltzer, private)2 705(Salt90. J.H.)1 558 3 3384 1431 t
(19, 1990.)1 383 1 3600 1541 t
( Neuman, and J.I. Schiller,)4 1213( Steiner, C.)2 522(Stei88. J.)1 461 3 3384 1684 t
( Open)1 250(``Kerberos: An Authentication Service for)4 1730 2 3600 1794 t
(Network Systems,'' in)2 984 1 3600 1904 t
10 I f
(Proc. Winter)1 557 1 4650 1904 t
9 I f
(USENIX)5270 1904 w
10 I f
(Conference)3600 2014 w
10 R f
( \(1988\).)1 324( Dallas)1 321(, ,)1 83 3 4060 2014 t
( Wiley Hacker,'')2 760( Stoll, ``Stalking the)3 941(Stol88. C.)1 495 3 3384 2157 t
10 I f
(Communications of the ACM)3 1191 1 3600 2267 t
10 B f
(31)4824 2267 w
10 R f
(\(5\) p. 484 \(May)3 656 1 4924 2267 t
(1988\).)3600 2377 w
( Voydock and S.T. Kent, ``Security)5 1550(Voyd83. V.L.)1 646 2 3384 2520 t
( Network Proto-)2 767(Mechanisms in High-Level)2 1213 2 3600 2630 t
(cols,'')3600 2740 w
10 I f
(ACM Computer Surveys)2 1021 1 3902 2740 t
10 B f
(15)4973 2740 w
10 R f
( 135-)1 233(\(2\) pp.)1 274 2 5073 2740 t
(171 \(June, 1983\).)2 715 1 3600 2850 t
5580 2982 4788 2982 Dl
5580 4090 5580 2982 Dl
4788 4090 5580 4090 Dl
4788 2982 4788 4090 Dl
(Steven M. Bellovin received a)4 1332 1 3384 3070 t
( Columbia)1 492(B.A. degree from)2 840 2 3384 3180 t
(University, and an M.S. and)4 1332 1 3384 3290 t
( Science)1 416(Ph.D. in Computer)2 916 2 3384 3400 t
( of North)2 454(from the University)2 878 2 3384 3510 t
( While)1 321( Chapel Hill.)2 552(Carolina at)1 459 3 3384 3620 t
( wrote the)2 423(a graduate student, he)3 909 2 3384 3730 t
(original version of)2 868 1 3384 3840 t
10 I f
(pathalias)4343 3840 w
10 R f
(and helped create)2 873 1 3384 3950 t
10 I f
(netnews)4369 3950 w
10 R f
(.)4691 3950 w
(However, the former is not an)5 1332 1 3384 4060 t
(indictable offense, and the)3 1332 1 3384 4170 t
(statute of limitations on the latter has expired.)7 2196 1 3384 4280 t
( He)1 185( both actions.)2 558(Nevertheless, he is still atoning for)5 1453 3 3384 4390 t
( Laboratories since 1982,)3 1120(has been at AT&T Bell)4 1076 2 3384 4500 t
( and)1 199(where he does research in networks, security,)6 1997 2 3384 4610 t
( may be reached)3 725( He)1 199( don't get along.)3 730(why the two)2 542 4 3384 4720 t
(electronically as)1 687 1 3384 4830 t
10 CW f
(smb@ulysses.att.com)4132 4830 w
10 R f
(; those)1 300 1 5280 4830 t
( paper)1 258(who prefer to murder trees may send scraps of)8 1938 2 3384 4940 t
( Bell Laboratories, 600)3 1026(to Room 3C-536B, AT&T)3 1170 2 3384 5050 t
( U.S.A.)1 308( 07974,)1 341(Mountain Avenue, Murray Hill, NJ)4 1447 3 3384 5160 t
5580 5292 4788 5292 Dl
5580 6400 5580 5292 Dl
4788 6400 5580 6400 Dl
4788 5292 4788 6400 Dl
(Michael Merritt received a B.S.)4 1332 1 3384 5380 t
( an)1 161(from Yale University, and)3 1171 2 3384 5490 t
( in Information)2 659(M.S. and Ph.D.)2 673 2 3384 5600 t
( from the)2 398(and Computer Science)2 934 2 3384 5710 t
(Georgia Institute of Technol-)3 1332 1 3384 5820 t
( dissertation,)1 535(ogy. His)1 396 2 3384 5930 t
10 S1 f
(")4364 5930 w
10 R f
(Crypto-)4405 5930 w
(graphic Protocols)1 767 1 3384 6040 t
10 S1 f
(")4151 6040 w
10 R f
(, developed)1 524 1 4192 6040 t
( secu-)1 276(techniques for exploring)2 1056 2 3384 6150 t
( of distributed)2 699(rity properties)1 633 2 3384 6260 t
( at)1 157( has been)2 489(algorithms. He)1 686 3 3384 6370 t
( Laboratories since)2 831(AT&T Bell)1 501 2 3384 6480 t
( in distributed systems)3 952(1983, where he does research)4 1244 2 3384 6590 t
( email address is)3 1158( His)1 362(and security.)1 676 3 3384 6700 t
10 CW f
(mischu@research.att.com)3384 6810 w
10 R f
( to Room)2 481(; paper)1 327 2 4772 6810 t
( Mountain)1 460(3D-458, AT&T Bell Laboratories, 600)4 1736 2 3384 6920 t
( U.S.A.)1 308( 07974,)1 401(Avenue, Murray Hill, NJ)3 1025 3 3384 7030 t
10 B f
(USENIX)900 7450 w
10 S1 f
(\261)1311 7450 w
10 B f
(Winter '91)1 471 1 1409 7450 t
10 S1 f
(\261)1913 7450 w
10 B f
( 15)1 3105(Dallas, TX)1 464 2 2011 7450 t
cleartomark
showpage
restore
%%EndPage: 15 15
%%Page: 16 16
save
mark
16 pagesetup
10 B f
(16 USENIX)1 3483 1 540 7450 t
10 S1 f
(\261)4056 7450 w
10 B f
(Winter '91)1 471 1 4154 7450 t
10 S1 f
(\261)4658 7450 w
10 B f
(Dallas, TX)1 464 1 4756 7450 t
cleartomark
showpage
restore
%%EndPage: 16 16
%%Trailer
done
%%Pages: 16