Re: NSA backdoor risks in Kerberos

2014-04-02 Thread Tom Yu
d...@geer.org writes:

>  > Has there been a technical writeup of potential backdoor risks in 
>  > Kerberos, similar to the stuff that keeps coming out about various RSA 
>  > products:
>
> negative

In contrast, there is some published research showing that the
cryptographic constructs used in modern versions of the Kerberos
protocol are (somewhat surprisingly) provably secure:

http://www.cc.gatech.edu/~aboldyre/papers/kerberos.pdf

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: NSA backdoor risks in Kerberos

2014-04-02 Thread dan

 > Has there been a technical writeup of potential backdoor risks in 
 > Kerberos, similar to the stuff that keeps coming out about various RSA 
 > products:

negative

--dan




Re: NSA backdoor risks in Kerberos

2014-04-02 Thread Nico Williams
On Wed, Apr 2, 2014 at 1:10 AM, Chris Hecker wrote:
> I hope this won't turn into a giant thread, I'm just looking for some
> succinct facts and/or links to thoughtful discussion, I'm not interested
> in a bunch of opinions or a flame war or anything like that, and I don't
> think that'd be appropriate for this list or help anybody.  But here goes:
>
> Has there been a technical writeup of potential backdoor risks in
> Kerberos, similar to the stuff that keeps coming out about various RSA
> products:
>
> http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

Kerberos doesn't have large-enough nonces for a Dual_EC-style attack.

Kerberos isn't used on a large enough scale to be worth backdooring.
Any backdoor is likely to be found only in implementations, not the
protocol on account of backdooring protocols being a difficult and
risky task.

Nico
--



Re: Distributed Kerberos5? Fwd: NSA backdoor risks in Kerberos

2014-04-02 Thread Russ Allbery
Wang Shouhua writes:
> On 2 April 2014 20:45, Russ Allbery wrote:

>> With Kerberos, it's always worth being aware that it's a trusted
>> central authentication system.

> Isn't there a distributed version of Kerberos5 which avoids this
> problem?

Trusted third party is inherent in the Kerberos protocol, and indeed
inherent in Needham-Schroeder.  If it didn't use trusted third party, it
wouldn't be Kerberos, it would be something else.

-- 
Russ Allbery (ea...@eyrie.org)  



Distributed Kerberos5? Fwd: NSA backdoor risks in Kerberos

2014-04-02 Thread Wang Shouhua
On 2 April 2014 20:45, Russ Allbery wrote:
> Benjamin Kaduk writes:
>
>> The core kerberos protocol itself is pretty well-analyzed, and unlikely
>> to have been backdoored.  There could potentially be issues with the
>> crypto primitives used by a particular Kerberos implementation or
>> encryption type (e.g., PRNG, block cipher, and hash function), but such
>> issues would have much broader consequences than just kerberos.  AES is
>> probably fine, but, say, the md4 hash function used in arcfour-hmac's
>> string-to-key is not so good, and as mentioned already RFC 6649
>> deprecates some weak enctypes.
>
> With Kerberos, it's always worth being aware that it's a trusted central
> authentication system.

Isn't there a distributed version of Kerberos5 which avoids this problem?

Wang
-- 
Wang Shouhua - shouh...@gmail.com
Ministry of Science and Technology of the People's Republic of China - HTTP://WWW.MOST.GOV.CN




Re: NSA backdoor risks in Kerberos

2014-04-02 Thread Russ Allbery
Benjamin Kaduk writes:

> The core kerberos protocol itself is pretty well-analyzed, and unlikely
> to have been backdoored.  There could potentially be issues with the
> crypto primitives used by a particular Kerberos implementation or
> encryption type (e.g., PRNG, block cipher, and hash function), but such
> issues would have much broader consequences than just kerberos.  AES is
> probably fine, but, say, the md4 hash function used in arcfour-hmac's
> string-to-key is not so good, and as mentioned already RFC 6649
> deprecates some weak enctypes.

With Kerberos, it's always worth being aware that it's a trusted central
authentication system.  A compromise of the KDC is a total compromise of
the realm, and the compromise doesn't have to be active.  All you need is
a copy of the keys, and then you can basically do anything you want in a
way that's extremely hard to detect.

If I were a sophisticated attacker who was attempting to compromise a
Kerberos infrastructure, I wouldn't attack the crypto.  I'd backdoor the
KDC using any of the many tools available for compromising a single
system.  In most situations, that would be substantially easier than
attacking the crypto and harder to detect afterwards.

-- 
Russ Allbery (ea...@eyrie.org)  



Re: NSA backdoor risks in Kerberos

2014-04-02 Thread Benjamin Kaduk
On Tue, 1 Apr 2014, Chris Hecker wrote:

>
> I hope this won't turn into a giant thread, I'm just looking for some
> succinct facts and/or links to thoughtful discussion, I'm not interested
> in a bunch of opinions or a flame war or anything like that, and I don't
> think that'd be appropriate for this list or help anybody.  But here goes:
>
> Has there been a technical writeup of potential backdoor risks in
> Kerberos, similar to the stuff that keeps coming out about various RSA
> products:

I'm unaware of a writeup.

The core kerberos protocol itself is pretty well-analyzed, and unlikely to 
have been backdoored.  There could potentially be issues with the crypto 
primitives used by a particular Kerberos implementation or encryption type 
(e.g., PRNG, block cipher, and hash function), but such issues would have 
much broader consequences than just kerberos.  AES is probably fine, but, 
say, the md4 hash function used in arcfour-hmac's string-to-key is not so 
good, and as mentioned already RFC 6649 deprecates some weak enctypes.

There are various extensions to the Kerberos protocol which may have 
received less analysis than the core protocol; I have not attempted to 
survey the literature.

-Ben Kaduk



Re: NSA backdoor risks in Kerberos

2014-04-02 Thread Albert Lunde
On 4/2/2014 1:10 AM, Chris Hecker wrote:
> Has there been a technical writeup of potential backdoor risks in
> Kerberos, similar to the stuff that keeps coming out about various RSA
> products:

The weak legacy algorithms listed in RFC 6649 could well be a 
vulnerability that wouldn't require a backdoor in the protocol as such.




NSA backdoor risks in Kerberos

2014-04-01 Thread Chris Hecker

I hope this won't turn into a giant thread, I'm just looking for some 
succinct facts and/or links to thoughtful discussion, I'm not interested 
in a bunch of opinions or a flame war or anything like that, and I don't 
think that'd be appropriate for this list or help anybody.  But here goes:

Has there been a technical writeup of potential backdoor risks in 
Kerberos, similar to the stuff that keeps coming out about various RSA 
products:

http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

Thanks,
Chris

