1996-02-20 - breakable session keys in Kerberos v4

Header Data

From: asantos@retesa.es (Agustin Santos Mendez)
To: nelson@santafe.edu>
Message Hash: e8d9fda27fb4dd81c4780bf60dce0721bec39719f95462e3e740285f2c192b07
Message ID: <9602201400.AA00692@sun2.retesa.es>
Reply To: N/A
UTC Datetime: 1996-02-20 13:35:59 UTC
Raw Date: Tue, 20 Feb 1996 21:35:59 +0800

Raw message

From: asantos@retesa.es (Agustin Santos Mendez)
Date: Tue, 20 Feb 1996 21:35:59 +0800
To: nelson@santafe.edu>
Subject: breakable session keys in Kerberos v4
Message-ID: <9602201400.AA00692@sun2.retesa.es>
MIME-Version: 1.0
Content-Type: text/plain


Se han encontrado huecos en Kerberos v4. Aqui teneis la informacion:

>Return-Path: <owner-cypherpunks@toad.com>
>Received: from control (controli.retesa.es) by sun2.retesa.es (5.x/SMI-SVR4)
>	id AA01592; Tue, 20 Feb 1996 09:59:01 GMT
>Received: by control (SMI-8.6/SMI-SVR4)
>	id DAA19612; Tue, 20 Feb 1996 03:02:47 -0800
>Received: from relay3.uu.net(192.48.96.8) by control via smap (V1.3)
>	id sma019610; Tue Feb 20 03:02:35 1996
>Received: from toad.com by relay3.UU.NET with SMTP 
>	id QQadse08697; Tue, 20 Feb 1996 04:01:50 -0500 (EST)
>Received: by toad.com id AA24982; Tue, 20 Feb 96 00:28:15 PST
>Received: from sfi.santafe.edu by toad.com id AA24976; Tue, 20 Feb 96
00:28:11 PST
>Received: from nelson.santafe.edu by sfi.santafe.edu (4.1/SMI-4.1)
>	id AA02389; Tue, 20 Feb 96 01:24:08 MST
>Received: (from nelson@localhost) by nelson.santafe.edu (8.7.1/8.7.1) id
BAA21074; Tue, 20 Feb 1996 01:28:01 -0700
>Date: Tue, 20 Feb 1996 01:28:01 -0700
>Message-Id: <199602200828.BAA21074@nelson.santafe.edu>
>From: Nelson Minar <nelson@santafe.edu>
>To: cypherpunks@toad.com
>Subject: breakable session keys in Kerberos v4
>Sender: owner-cypherpunks@toad.com
>Precedence: bulk
>Content-Type: text
>Status: O
>
>I'm a bit suprised this hasn't turned up yet on Cypherpunks.  A couple
>of forwarded messages: first, an announcement made Fri Feb 16 by Gene
>Spafford at COAST about an exploitable flaw they've found in Kerberos,
>and then a comment on the www-security list that it is due to a bad
>random number generator. Same old story!
>
>The message (lifted from the COAST web site)
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Personnel at the COAST Laboratory (Computer Operations, Audit, and
>Security Technology) at Purdue University have discovered a
>vulnerability in current versions of the Kerberos security system.
>Graduate students Steve Lodin and Bryn Dole, working with Professor
>Eugene Spafford, have discovered a method whereby someone without
>privileged access to most implementations of a Kerberos 4 server can
>nonetheless break secret session keys issued to users.  This means that
>it is possible to gain unauthorized access to distributed services
>available to a user without knowing that user's password. This method
>has been demonstrated to work in under 1 minute, on average, using a
>typical workstation, and sometimes as quickly as 1/5 second.
>
>The Kerberos system was developed at MIT in the mid-1980s, and has
>been widely adopted for security in distributed systems worldwide.
>Kerberos is most often used on UNIX platforms by various vendors, and
>is often enhanced, sold and supported by 3rd-party vendors for use in
>academic, government, and commercial environments.
>
>The same researchers at COAST have also found a small, theoretical
>weakness in Kerberos version 5 that would allow similar access, given
>some additional information and considerable preliminary computation.
>Kerberos version 5 does not exhibit the same weakness as described
>above for Kerberos version 4.
>
>The researchers at COAST had intended to release the specific details
>of the problem to affected vendors and incident response teams during
>the week of February 19, prior to making a public announcement of
>their findings.  However, as rumors have begun to circulate and
>several representatives of the news media have apparently received
>indication of the problem, we are releasing this preliminary
>announcement at this time.
>
>Government and industry sponsors of the COAST Laboratory were made
>aware of the preliminary details of these findings in January (full
>sponsors receive early notification of significant discoveries as a
>result of COAST research).  Other affiliates of COAST as well as the
>world-wide network of FIRST computer incident response teams were made
>aware of the general nature of the findings during the week of
>February 5.  The original plan at COAST was to release specific
>details only to FIRST (Forum of Incident Response and Security Teams)
>teams and to MIT prior to announcement by affected vendors of a fix
>for these weaknesses.  The flaw in Kerberos version 4 is significant
>enough that disclosure of its details prior to a fix would allow
>someone with moderate programming skills to exploit it; there is
>currently no reason to believe that others know the details of the
>flaw and are exploiting it, so there is no immediate danger to the
>public that would warrant release of the details at this time.
>
>COAST personnel have been informed that MIT has already developed a
>fix for the flaw in version 4 Kerberos and is preparing it for
>release.  Additionally, COAST researchers are cooperating with MIT
>personnel to identify what (if any) fixes are necessary for version 5
>Kerberos. Users of either version of Kerberos should contact their
>vendors for details of any fixes that may be made available; vendors
>of products incorporating Kerberos should contact MIT directly for
>details of the problems and fixes.
>
>COAST is a research group of faculty and students dedicated to
>research into information security and computer crime investigation,
>and education in computer and network security.  It is the largest
>such university-based group in the United States.
>
>Information on COAST may be found on the WWW at
>  http://www.cs.purdue.edu/coast
>Information on FIRST teams may be found on the WWW at
>  http://www.first.org
>Information on MIT's Kerberos may be found on the WWW at
>  ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc
>
>iQCVAwUBMSZ42cpvK4P8DALVAQHg8QP/TRmqwP7vG32aaBjvbMof2iuVQ2bcWrg9
>p55KN5wBfrBzxq5/NE+6lodkqq2w1ib8q/47uYT1S8iR+z2tnbvL64dxrtDEh4iY
>iEWjfpTMtQxLmZ1gA3Sxxn4A+6KwlXq5z4Lp2BROUXyeSR7HPAEeEQucRNWkzz8o
>IOMHuBAcBKo=
>=yWxe
>-----END PGP SIGNATURE-----
>
>(a comment I found in reply)
>
>------- Start of forwarded message -------
>From: jis@mit.edu (Jeffrey I. Schiller)
>Subject: Re: Kerberos Vulnerability
>Newsgroups: hks.lists.www-security
>Date: 19 Feb 1996 21:42:08 -0500
>Organization: HKS, Inc.
>Path: hks.net!news-mail-gateway!owner-www-security
>Lines: 8
>Sender: root@hks.net
>Message-ID: <ad4e9fc40602100421be@[18.162.1.1]>
>NNTP-Posting-Host: bb.hks.net
>
>There will be a fix distributed by MIT later this week. The problem is that
>the random number generator in V4 is worse then we thought! The fix is to
>retrofit the V5 generator (which is decent) into the V4 KDC. Note: Only the
>KDC needs to be updated, clients and servers are unaffected.
>
>                                -Jeff
>
>
>------- End of forwarded message -------
>
>
Agustín Santos Méndez,            RETESA, S.A.
C/Orense 4, Planta 10. 28020 MADRID SPAIN.
Ph: +34.1.342.67.91                     Fax +34.1.597.28.77
E-mail: asantos@retesa.es   







Thread