Path: utzoo!attcan!uunet!lll-winken!ncis.tis.llnl.gov!helios.ee.lbl.gov!pasteur!ucbvax!agate!shelby!MITVMA.MIT.EDU!tmal%CL.CAM.AC.UK
From: tmal%CL.CAM.AC.UK@MITVMA.MIT.EDU (Mark Lomas)
Newsgroups: comp.protocols.kerberos
Subject: Re: Distinguishing "users" and "services"
Message-ID: <8905091938.aa20395@scaup.Cl.Cam.AC.UK>
Date: 9 May 89 18:04:24 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 39

In a recent message, Steve Miller commented:

> The original assumption of Kerberos was not to worry about cryptanalysis,
> and I believe that still holds. Despite much criticism of DES, after ten
> years there is still no public evidence of vulnerability to cryptanalysis
> or any other attack other than brute force. (Maybe NSA and the KGB have
> special engines to break it.) So I wouldn't introduce any additional
> complexity, user or administrative burden to address cryptanalysis threats.

The most important distinction between users and services, from the point of view of security, is that users are notoriously bad at choosing passwords.

In an environment which has moderate security requirements, rather than those of military establishments, the DES algorithm is probably adequate for the moment. Provided all keys are well chosen an attacker is unlikely to be able to discover the values of those keys by cryptographic means.

I would emphasise the phrase `provided all keys are well chosen'; the DES algorithm is not suitable for encrypting known-plaintext with user chosen keys.

In designing an authentication protocol you should be more realistic. Breaking a user chosen key is far easier because a brute-force search doesn't have to test all 2^56 key values.

For example the password scheme supplied with UNIX encrypts known-plaintext using a slight modification of the DES algorithm. It then encrypts the ciphertext using the same key repeatedly until a total of 25 encryptions have been performed. A brute-force search lasting one afternoon determined 10% of the passwords in use at this site; this search was possible because the keys were user chosen, not because the DES algorithm was used.

The Kerberos protocol has neither of the features of the UNIX password scheme which were intended to slow down searches so I would assert that searching should be even faster.

Do not underestimate the processing resources which an undergraduate could use to determine passwords.

I agree whole-heartedly with the suggestion that users and services should be treated differently.

Mark Lomas (tmal@cl.cam.ac.uk)
University of Cambridge Computer Laboratory