To: kerberos@MIT.EDU
Date: 17 Feb 1996 17:04:29 -0500
From: pauld@umbc.edu (Paul Danckaert)

I am somewhat concerned about this.. does anybody have any more information
on the extent of the problems here, or the status on any bug-fixes?

paul

------------------------------------------------------------------------------

From: COAST <coast-request@cs.purdue.edu>
To: COAST Watch <important-people@cs.purdue.edu>
Date: Fri, 16 Feb 1996 20:09:36 -0500 (EST)

We were going to announce this later, but events have changed that.
Please don't contact us asking for the gory details -- we'll be
releasing a paper on this after MIT and the vendors publish their
fix(es).

--spaf

-----BEGIN PGP SIGNED MESSAGE-----

Personnel at the COAST Laboratory (Computer Operations, Audit, and
Security Technology) at Purdue University have discovered some
unexepected weaknesses in the Kerberos security system.  Graduate
students Steve Lodin and Bryn Dole, working with Professor Eugene
Spafford, have discovered a method whereby someone without privileged
access to most implementations of a Kerberos 4 server can nonetheless
break secret session keys issued to users.  This means that it is
possible to gain unauthorized access to distributed services available
to a user without knowing that user's password. This method has been
demonstrated to work in under 5 minutes, on average, using a typical
workstation, and sometimes as quickly as 12 seconds.

The Kerberos system was developed at MIT in the mid-1980s, and has
been widely adopted for security in distributed systems worldwide.
Kerberos is most often used on UNIX platforms by various vendors, and
is often enhanced, sold and supported by 3rd-party vendors for use in
academic, government, and commercial environments.

The same researchers at COAST have also found a small, theoretical
weakness in Kerberos version 5 that would allow similar access, given
some additional information and considerable preliminary computation.
Kerberos version 5 does not exhibit the same weakness as described
above for Kerberos version 4.

The researchers at COAST had intended to release the specific details
of the problem to affected vendors and incident response teams during
the week of February 19, prior to making a public announcement of
their findings.  However, as rumors have begun to circulate and
several representatives of the news media have apparently received
indication of the problem, we are releasing this preliminary
announcement at this time.

Government and industry sponsors of the COAST Laboratory were made
aware of the preliminary details of these findings in January (full
sponsors receive early notification of significant discoveries as a
result of COAST research).  Other affiliates of COAST as well as the
world-wide network of FIRST computer incident response teams were made
aware of the general nature of the findings during the week of
February 5.  The original plan at COAST was to release specific
details only to FIRST (Forum of Incident Response and Security Teams)
teams and to MIT prior to announcement by affected vendors of a fix
for these weaknesses.  The flaw in Kerberos version 4 is significant
enough that disclosure of its details prior to a fix would allow
someone with moderate programming skills to exploit it; there is
currently no reason to believe that others know the details of the
flaw and are exploiting it, so there is no immediate danger to the
public that would warrant release of the details at this time.

COAST personnel have been informed that MIT has already developed a
fix for the flaw in version 4 Kerberos and is preparing it for
release.  Additionally, COAST researchers are cooperating with MIT
personnel to identify what (if any) fixes are necessary for version 5
Kerberos. Users of either version of Kerberos should contact their
vendors for details of any fixes that may be made available; vendors
of products incorporating Kerberos should contact MIT directly for
details of the problems and fixes.

COAST is a research group of faculty and students dedicated to
research into information security and computer crime investigation,
and education in computer and network security.  It is the largest
such university-based group in the United States.

Information on COAST may be found on the WWW at
  http://www.cs.purdue.edu/coast
Information on FIRST teams may be found on the WWW at
  http://www.first.org
Information on MIT's Kerberos may be found on the WWW at
  ftp://athena-dist.mit.edu/pub/kerberos/doc/KERBEROS.FAQ

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Key @ ftp://ftp.cs.purdue.edu/pub/spaf/pers/pgpkey.asc

iQCVAwUBMSUnIspvK4P8DALVAQFhEwP6Aojp7tclxnOcodaY6st4Ej2UUglWqEyb
aFMl+WeNWSnC/HR0S/Jjxya/jLsEnXBn38EwplAl102HvbY68MLv08WnBdnejUYZ
kCCtQ2mTsuC8L3YNYOqI/8P5y8vNx9s7pytHP0GczBA/vxuXvUOf6m976lIjleqn
6ZLnOM2CHjc=
=K1IP
-----END PGP SIGNATURE-----


------- End of Forwarded Message

--

To: kerberos@MIT.EDU
Date: 17 Feb 1996 17:17:18 -0500
From: swlodin@cs.purdue.edu (Steve Lodin)


In article <4g5jdd$iv4@umbc7.umbc.edu>, pauld@umbc.edu (Paul Danckaert) writes:
> I am somewhat concerned about this.. does anybody have any more information
> on the extent of the problems here, or the status on any bug-fixes?
> 

Contact your Kerberos vendor or MIT for fixes.  Further details will be
released later.

My first suggestion is don't use any kerberos based on MIT Kerberos
Version 4 for military-grade security requirements.

Steve
-- 
Steve Lodin 
Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin
Delco Electronics - swlodin@delcoelect.com (317)451-0479 
Home - swlodin@iquest.net http://www.iquest.net/~swlodin/

To: kerberos@MIT.EDU
Date: 18 Feb 1996 11:22:41 -0500
From: spaf@cs.purdue.edu (Gene Spafford)

In article <4g5k5e$21c@narnia.cs.purdue.edu> 
swlodin@cs.purdue.edu (Steve Lodin) writes:

   My first suggestion is don't use any kerberos based on MIT Kerberos
   Version 4 for military-grade security requirements.

Let me add to Steve's comments in a few ways:
  1) If we use a fast machine, like a DEC Alpha, we can get the
session keys for an active user in (effectively) real-time: average
time is less than 6 seconds per key.

  2) This problem appears to have been in MIT Kerberos version 4 for
years, and possibly since the initial release.  The Cygnus release
include alterations to MIT's code that make the problem somewhat
worse.  We haven't examined any other releases of code, so we can't
comment on whether it is present in other releases, but we assume it
is.

  3) There is no evidence that this is widely known or being actively
exploited.  Given #1 and #2 above, if it were known, you can bet we
all would have heard about it by now.

  4) MIT has a reasonable fix in preparation for Kerberos 4.  It is a
small change in the source. It is easy to put in place.

  5) The attack against Kerberos 5 appears to be of theoretical
interest only, as it requires extensive computational resources to
exploit.  In any event, I have discussed a fix for this with Ted Ts'o
and there are several ways to eliminate the threat, at least one of
which is likely to be included in future releases of version 5.

  6) There is no #6.

  7) Even when the vulnerability we found is fixed, there are still
weaknesses in Kerberos, and especially Kerberos 4, that can be
exploited.  It is better than passwords in most cases, but it is not a
panacea.

  8) We hope to have the paper available for general release as a tech
report within two weeks after the announcement of the fix.

To: kerberos@MIT.EDU
Date: 18 Feb 1996 17:59:29 GMT
From: jik@annex-1-slip-jik.cam.ov.com (Jonathan Kamens)

In article <w13f8861ta.fsf@uther.cs.purdue.edu>, 
spaf@cs.purdue.edu (Gene Spafford) writes:
|>   5) The attack against Kerberos 5 appears to be of theoretical
|> interest only, as it requires extensive computational resources to
|> exploit.  In any event, I have discussed a fix for this with Ted Ts'o
|> and there are several ways to eliminate the threat, at least one of
|> which is likely to be included in future releases of version 5.

Is an MIT Kerberos V5 KDC running with Kerberos V4 compatibility (i.e.,
responding to V4 requests) vulnerable to this attack?

I suppose another way to ask the same question is, "Does the attack exploit a
vlunerability in the V4 protocol or its implementation?"

To: kerberos@MIT.EDU
Date: 18 Feb 1996 21:22:17 -0500
From: swlodin@cs.purdue.edu (Steve Lodin)

In article <4g7pel$md8@jik.datasrv.co.il>,
Jonathan Kamens <jik@annex-1-slip-jik.cam.ov.com> wrote:
>Is an MIT Kerberos V5 KDC running with Kerberos V4 compatibility (i.e.,
>responding to V4 requests) vulnerable to this attack?
>
>I suppose another way to ask the same question is, "Does the attack exploit a
>vlunerability in the V4 protocol or its implementation?"

It is an implementation issue, not a protocol design issue.

Steve

-- 
Steve Lodin 
Purdue - swlodin@cs.purdue.edu http://www.cs.purdue.edu/people/swlodin
Delco Electronics - swlodin@delcoelect.com (317)451-0479 
Home - swlodin@iquest.net http://www.iquest.net/~swlodin/