The Perils of Unauthenticated Encryption: Kerberos Version 4 *

Tom Yu, Sam Hartman, Kenneth Raeburn
Massachusetts Institute of Technology

* An unauthorized copy of an earlier version of this paper appeared on email@example.com in March 2003.

Abstract

Version 4 of the widely deployed Kerberos authentication protocol encrypts essential information without adequate authentication. We have implemented an efficient chosen-plaintext attack that uses this design flaw to impersonate arbitrary principals. Related flaws exist in version 5 of the protocol. We discuss the mistakes in the design of the protocol that contribute to these vulnerabilities, and how to avoid making them. We identify corrective measures taken in the proposed revisions to version 5, which repair these flaws.

1. Introduction

The dangers of unauthenticated encryption are well known [6, 7, 8, 13, 20, 22, 39]. Although most cryptographic attacks focus on recovering a plaintext or a key, a more powerful attack is to forge a ciphertext that decrypts to a desired plaintext, particularly when attacking an authentication system. This sort of forgery is often far more dangerous than a breach of confidentiality; it is far more useful to become someone than to merely know what someone said once.

Consider a transaction in a hypothetical banking protocol in which Alice instructs her bank to send $100 to Bob. An eavesdropper Eve will probably not be that interested in reading such a message. On the other hand, Eve will probably find it much more useful to modify the message so that Alice appears to have instructed the bank to send $100 to Eve. Even more devastating is for Eve to have the capability to impersonate Alice, so that Eve need not modify an existing message that Alice sends. Authentication is usually more important than confidentiality.

Kerberos version 4 [28, 37] has a critical authentication vulnerability which allows an attacker to impersonate arbitrary principals. This vulnerability results from multiple design errors. Additional flaws in MIT’s implementation of version 4 enable additional attacks. The current specification of Kerberos version 5, Internet RFC 1510, fixes some flaws in version 4, though it too has some vulnerabilities. Ongoing work on the specification of version 5 repairs even those flaws. Despite the progress made in updating the Kerberos protocol, version 4 remains in widespread use, and that fact illustrates that protocols have a longer life than their designers might anticipate.

Kerberos version 4 uses unauthenticated encryption for essential authentication information. This allows an attacker to forge credentials impersonating arbitrary principals by using an adaptive chosen-plaintext attack as an encryption oracle. We have successfully implemented a startlingly efficient attack based on this oracle: O(n) oracle queries are needed to forge a credential ciphertext n blocks long. The attack is sufficiently inexpensive that its...
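The banking example from the introduction, as an added illustration that is not from the paper: a receiver that only decrypts accepts a modified message, while one that verifies a MAC over the ciphertext before decrypting rejects it. The cipher is a constructed toy stream cipher built from HMAC-SHA256 and does not reproduce Kerberos version 4's encryption or the paper's attack; the function names and the message format are assumptions.

```python
import hashlib, hmac, os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed toy stream cipher (HMAC-SHA256 in counter mode), illustration only.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Unauthenticated encryption: 16-byte nonce followed by ciphertext, no integrity tag.
    nonce = os.urandom(16)
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))

def decrypt(key: bytes, blob: bytes) -> bytes:
    # Accepts any ciphertext; nothing here can tell a modified message from a genuine one.
    nonce, ct = blob[:16], blob[16:]
    return xor(ct, keystream(key, nonce, len(ct)))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    blob = encrypt(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    # Verify the tag in constant time before decrypting anything.
    blob, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, blob, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return decrypt(enc_key, blob)

def modify_in_transit(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Models Eve's change to a message of known format, made without any key.
    start, end = 16 + offset, 16 + offset + len(old)
    return blob[:start] + xor(blob[start:end], xor(old, new)) + blob[end:]

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"PAY $100 TO Bob"  # constructed sample message
    at = msg.index(b"Bob")
    accepted = decrypt(enc_key, modify_in_transit(encrypt(enc_key, msg), at, b"Bob", b"Eve"))
    try:
        open_sealed(enc_key, mac_key, modify_in_transit(seal(enc_key, mac_key, msg), at, b"Bob", b"Eve"))
    except ValueError:
        return accepted, True   # authenticated receiver rejected the modified message
    return accepted, False
```

`demo()` returns the plaintext the unauthenticated receiver accepted and whether the authenticated receiver rejected the same modification.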