From: Nelson Minar <nelson@santafe.edu>
Date: Tue, 20 Feb 1996 17:20:53 +0800
To: cypherpunks@toad.com
Subject: breakable session keys in Kerberos v4
Message-ID: <199602200828.BAA21074@nelson.santafe.edu>
MIME-Version: 1.0
Content-Type: text/plain


I'm a bit suprised this hasn't turned up yet on Cypherpunks.  A couple
of forwarded messages: first, an announcement made Fri Feb 16 by Gene
Spafford at COAST about an exploitable flaw they've found in Kerberos,
and then a comment on the www-security list that it is due to a bad
random number generator. Same old story!

The message (lifted from the COAST web site)
-----BEGIN PGP SIGNED MESSAGE-----

Personnel at the COAST Laboratory (Computer Operations, Audit, and
Security Technology) at Purdue University have discovered a
vulnerability in current versions of the Kerberos security system.
Graduate students Steve Lodin and Bryn Dole, working with Professor
Eugene Spafford, have discovered a method whereby someone without
privileged access to most implementations of a Kerberos 4 server can
nonetheless break secret session keys issued to users.  This means that
it is possible to gain unauthorized access to distributed services
available to a user without knowing that user's password. This method
has been demonstrated to work in under 1 minute, on average, using a
typical workstation, and sometimes as quickly as 1/5 second.

The Kerberos system was developed at MIT in the mid-1980s, and has
been widely adopted for security in distributed systems worldwide.
Kerberos is most often used on UNIX platforms by various vendors, and
is often enhanced, sold and supported by 3rd-party vendors for use in
academic, government, and commercial environments.

The same researchers at COAST have also found a small, theoretical
weakness in Kerberos version 5 that would allow similar access, given
some additional information and considerable preliminary computation.
Kerberos version 5 does not exhibit the same weakness as described
above for Kerberos version 4.

The researchers at COAST had intended to release the specific details
of the problem to affected vendors and incident response teams during
the week of February 19, prior to making a public announcement of
their findings.  However, as rumors have begun to circulate and
several representatives of the news media have apparently received
indication of the problem, we are releasing this preliminary
announcement at this time.

Government and industry sponsors of the COAST Laboratory were made
aware of the preliminary details of these findings in January (full
sponsors receive early notification of significant discoveries as a
result of COAST research).  Other affiliates of COAST as well as the
world-wide network of FIRST computer incident response teams were made
aware of the general nature of the findings during the week of
February 5.  The original plan at COAST was to release specific
details only to FIRST (Forum of Incident Response and Security Teams)
teams and to MIT prior to announcement by affected vendors of a fix
for these weaknesses.  The flaw in Kerberos version 4 is significant
enough that disclosure of its details prior to a fix would allow
someone with moderate programming skills to exploit it; there is
currently no reason to believe that others know the details of the
flaw and are exploiting it, so there is no immediate danger to the
public that would warrant release of the details at this time.

COAST personnel have been informed that MIT has already developed a
fix for the flaw in version 4 Kerberos and is preparing it for
release.  Additionally, COAST researchers are cooperating with MIT
personnel to identify what (if any) fixes are necessary for version 5
Kerberos. Users of either version of Kerberos should contact their
vendors for details of any fixes that may be made available; vendors
of products incorporating Kerberos should contact MIT directly for
details of the problems and fixes.

COAST is a research group of faculty and students dedicated to
research into information security and computer crime investigation,
and education in computer and network security.  It is the largest
such university-based group in the United States.

Information on COAST may be found on the WWW at
  http://www.cs.purdue.edu/coast
Information on FIRST teams may be found on the WWW at
  http://www.first.org
Information on MIT's Kerberos may be found on the WWW at
  ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc

iQCVAwUBMSZ42cpvK4P8DALVAQHg8QP/TRmqwP7vG32aaBjvbMof2iuVQ2bcWrg9
p55KN5wBfrBzxq5/NE+6lodkqq2w1ib8q/47uYT1S8iR+z2tnbvL64dxrtDEh4iY
iEWjfpTMtQxLmZ1gA3Sxxn4A+6KwlXq5z4Lp2BROUXyeSR7HPAEeEQucRNWkzz8o
IOMHuBAcBKo=
=yWxe
-----END PGP SIGNATURE-----

(a comment I found in reply)

------- Start of forwarded message -------
From: jis@mit.edu (Jeffrey I. Schiller)
Subject: Re: Kerberos Vulnerability
Newsgroups: hks.lists.www-security
Date: 19 Feb 1996 21:42:08 -0500
Organization: HKS, Inc.
Path: hks.net!news-mail-gateway!owner-www-security
Lines: 8
Sender: root@hks.net
Message-ID: <ad4e9fc40602100421be@[18.162.1.1]>
NNTP-Posting-Host: bb.hks.net

There will be a fix distributed by MIT later this week. The problem is that
the random number generator in V4 is worse then we thought! The fix is to
retrofit the V5 generator (which is decent) into the V4 KDC. Note: Only the
KDC needs to be updated, clients and servers are unaffected.

                                -Jeff


------- End of forwarded message -------