kerberos - The Perils of Unauthenticated Encryption:...


The Perils of Unauthenticated Encryption: Kerberos Version 4 *

Tom Yu, Sam Hartman, Kenneth Raeburn
Massachusetts Institute of Technology

* An unauthorized copy of an earlier version of this paper appeared on full-disclosure@lists.netsys.com in March 2003.

Abstract

Version 4 of the widely deployed Kerberos authentication protocol encrypts essential information without adequate authentication. We have implemented an efficient chosen-plaintext attack that uses this design flaw to impersonate arbitrary principals. Related flaws exist in version 5 of the protocol. We discuss the mistakes in the design of the protocol that contribute to these vulnerabilities, and how to avoid making them. We identify corrective measures taken in the proposed revisions to version 5, which repair these flaws.

1. Introduction

The dangers of unauthenticated encryption are well known [6, 7, 8, 13, 20, 22, 39]. Although most cryptographic attacks focus on recovering a plaintext or a key, a more powerful attack is to forge a ciphertext that decrypts to a desired plaintext, particularly when attacking an authentication system. This sort of forgery is often far more dangerous than a breach of confidentiality; it is far more useful to become someone than to merely know what someone said once.

Consider a transaction in a hypothetical banking protocol in which Alice instructs her bank to send $100 to Bob. An eavesdropper Eve will probably not be that interested in reading such a message. On the other hand, Eve will probably find it much more useful to modify the message so that Alice appears to have instructed the bank to send $100 to Eve. Even more devastating is for Eve to have the capability to impersonate Alice, so that Eve need not modify an existing message that Alice sends. Authentication is usually more important than confidentiality.

Kerberos version 4 [28, 37] has a critical authentication vulnerability which allows an attacker to impersonate arbitrary principals. This vulnerability results from multiple design errors. Additional flaws in MIT's implementation of version 4 enable additional attacks. The current specification of Kerberos version 5, Internet RFC 1510 [23], fixes some flaws in version 4, though it too has some vulnerabilities. Ongoing work on the specification of version 5 repairs even those flaws. Despite the progress made in updating the Kerberos protocol, version 4 remains in widespread use, and that fact illustrates that protocols have a longer life than their designers might anticipate.

Kerberos version 4 uses unauthenticated encryption for essential authentication information. This allows an attacker to forge credentials impersonating arbitrary principals by using an adaptive chosen-plaintext attack as an encryption oracle. We have successfully implemented a startlingly efficient attack based on this oracle: O(n) oracle queries are needed to forge a credential ciphertext n blocks long. The attack is sufficiently inexpensive that its...
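The banking scenario from the introduction, as an added example that is not from the paper: the same in-transit change to the payee goes unnoticed under encryption alone and is rejected once the ciphertext carries a MAC that is checked before decryption. The HMAC-based keystream is a toy stand-in cipher, not Kerberos 4's encryption, and every function name and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MSG = b"PAY $100 TO Bob"  # constructed sample message

def keystream(key, nonce, length):
    """Toy keystream (HMAC-SHA256 in counter mode); stand-in cipher, an assumption."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, msg):
    """Unauthenticated encryption: nonce || (msg XOR keystream)."""
    nonce = os.urandom(16)
    return nonce + xor(msg, keystream(key, nonce, len(msg)))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return xor(ct, keystream(key, nonce, len(ct)))

def seal(enc_key, mac_key, msg):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    blob = encrypt(enc_key, msg)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, sealed):
    """Verify the tag before decrypting; return None when it does not match."""
    blob, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(enc_key, blob)

def modify_in_transit(blob, offset, old, new):
    """Eve's change to the message body, made without knowing any key."""
    i = 16 + offset  # skip the 16-byte nonce
    delta = xor(old, new)
    return blob[:i] + xor(blob[i:i + len(delta)], delta) + blob[i + len(delta):]

if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    at = MSG.index(b"Bob")
    print(decrypt(ek, modify_in_transit(encrypt(ek, MSG), at, b"Bob", b"Eve")))
    print(open_sealed(ek, mk, modify_in_transit(seal(ek, mk, MSG), at, b"Bob", b"Eve")))
```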