From jis@BITSY.MIT.EDU Fri Jan 30 18:06:51 1987 Date: Fri, 30 Jan 87 18:05:54 EST From: Jeffrey I. Schiller <jis@BITSY.MIT.EDU> To: kerberos@athena.mit.edu Subject: Thoughts on the protection of the master key AND database. The more I think about this issue, the more I think that the number of systems playing with the kerberos database should be kept to a minimum. Probably only kerberos itself. The kerberos database master key (and associated password) have an interesting property. That is, it has residual value even if it is changed. Consider the following form of attack: Grab a copy of the database somehow (poach a backup tape, or intercept the database being FTP'd in the clear, or have read-only or write access to the SMS database, whatever...) Now this copy is useless because all of the secret information is enciphered with the master key. However bide your time.... At some point the master key is changed, once changed people are likely to not have any inhibition from giving out the OLD key (after all it has been changed...). Now you have a copy of the OLD database AND the old master key. You can now decrypt your data and obtain the secret key for any principal which has not changed their key since the time you grabbed the database. You will probably get a significant number of both user private keys AND service keys. This of course is based on the psychology of password maintenance. Specifically taking advantage that most people consider an OLD password as no longer confidential. This leads me to believe that instead of hairing up the master key encipherment process on private keys, that instead efforts be made to protect the database from disclosure regardless of the fact that secret information is enciphered in the master key. This leads to two changes in direction. 1) SMS should not have a copy of key data from kerberos. This isn't really necessary anyhow, as all data in SMS can be linked to the appropriate record in kerberos by the principal (name,instance) fields which SMS would still have a copy of. 2) Slave kerberos database propagation, which currently sends the database in the clear, be changed to use a kerberos authenticated connection to send the data AND use the session key provided by kerberos to either encipher ALL the data going across the connection, or at the very least the private key fields. Because SMS will not have a copy of ALL the information stored on kerberos, kerberos will need to be a backed up service (ie. the database should be periodically backed up [which it is today...once a day to tape]) and the backup media should be protected (ie. stored in a locked room). -Jeff
From Saltzer@ATHENA.MIT.EDU Sun Feb 1 19:42:43 1987 Date: Sun, 1 Feb 87 19:40:12 EST To: Jeffrey I. Schiller <jis@BITSY.MIT.EDU> Subject: re: Thoughts on the protection of the master key AND database. Cc: kerberos@athena.mit.edu In-Reply-To: Jeffrey I. Schiller <jis@BITSY.MIT.EDU>'s message of Fri, 30 Jan 87 18:05:54 EST From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU> Originating-Client: <Saltzer-PC> > The kerberos database master key (and associated password) > have an interesting property. That is, it has residual value even if > it is changed. Jeff's concern for attack using old, less-well protected keys is a good one. That concern raises several further interesting points. 1. The double-edged sword. When the master key is changed, previous backup copies become worthless. (Well, not completely; if you remember the old master key you could reload the old backups, and rechange the key. But the point of changing the key is to stop being dependent on it.) So the key change procedure providing both security and integrity probably goes like this: - change the master key - make a couple of new backup tapes and reload one of them to make sure it is really valid. - destroy all copies of the old master key and degauss all old backup tapes. - load (by hand, I think) the slave servers with the new master key but tell them not to use it yet. - send the slave servers the new data base and tell them cut over to the new master key when they switch to the new data base. 2. Degaussing old backup tapes can help minimize the risk that Jeff suggests, namely that people may be less protective of old master keys than new ones. 3. Whether SMS or private backup tapes are used as the backup mechanism, it might still be wise to encipher/seal keys in a block containing the associated principal identifer, in order to inhibit any kind of substitution attack. The one objection is decryption time, which is serial with each authentication. If we had some supported decryption hardware for use in the Kerberos servers I think it would be worth doing this step. While awaiting arrival of such hardware the idea probably has to be commented out. 4. I agree that SMS does not need to feed Kerberos. I claim further that the principal identifier field is the ONLY item that needs to be duplicated between the two data bases, and it provides an adequate link between the information on record in the two places. There are two more advantages of keeping SMS clear of Kerberos: - Kerberos is then forced to be self-sufficient in management tools, which helps insure its modular exportability. - it is possible to have Kerberos-authenticable identities that are not known to SMS. That could be useful in any case where the administrative boundaries surrounding SMS and Kerberos don't exactly coincide. (For example, one Kerberos realm might cover Athena, Administrative Computing, and Telecommunications, while SMS might maintain information only about Athena.) Jerry
From jis@BITSY.MIT.EDU Sun Feb 1 20:18:44 1987 Date: Sun, 1 Feb 87 20:17:56 EST From: Jeffrey I. Schiller <jis@BITSY.MIT.EDU> To: Saltzer@ATHENA.MIT.EDU Cc: kerberos@athena.mit.edu In-Reply-To: Jerome H. Saltzer's message of Sun, 1 Feb 87 19:40:12 EST <8702020040.AA18909@HERACLES> Subject: On the backup of kerberos. The current scheme uses three backup tapes that are rotated through. A tape gets written each night with three snapshots of the kerberos database, one from each of the previous three nights. This scheme has the advantage that only three tapes ever have confidential data on them to worry about. The disadvantage is that we only save information for the previous five days (the oldest data being from the oldest file on the oldest tape). This also makes it unnecessary to deguass any tapes just because the kerberos master key was changed. As it turns out we have already had one tape fail, and that tape is now waiting for me to take it to W91 for deguassing. -Jeff
From miller%erlang.DEC@decwrl.DEC.COM Thu Feb 12 08:28:43 1987 Date: 11-Feb-1987 1752 From: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller) To: kerberos@athena.mit.edu (Distribution list @KERB) Subject: Protecting Kerberos From: RHEA::DECWRL::MAILER-DAEMON "Mail Delivery Subsystem" 9-FEB-1987 07:47 To: <erlang::miller (Steve Miller)> Subj: Returned mail: Cannot send message for 3 days ----- NOTICE ----- Due to a hardware failure, DECWRL has been disconnected from the Internet for several days. We hope to be reconnected some- time Monday, Feb 9, 1987. Please give us a chance to recover and then retry your message. ----- Transcript of session follows ----- I agree with the recent notes by Jeff and Jerry re protecting the OLD master key and backup copies of the database. Kerberos must be protected! The only other solution to losing an old master key would be to invalidate all the principal keys every time the master key changed. Then a new key could be established by a protocol that passed the old password STRING to the password server, before its one-way encryption into the key form. If that was ok, a new key could be created. Meanwhile, the old key, compromised by the disclosure of the old Master key, would not be valid for routine authentication. Since the Kerberos database already contains a master key version field for each entry, enough hooks currently exist to do this. This may be too drastic a step for the Athena environment, but the alternative is to potentially compromise all the keys. I would also suggest that the slave copies of the database dont even use the master key at all. Instead of encrypting the database (or at least key fields) with a session key in order to transmit it between the master and the slave, the master can just convert it to be encrypted under the session key, or some other temporary key. Thus the slave database has its key fields encrypted by some key OTHER than the master key, and it changes every time a new slave database version is loaded. This provides much more protection for the master key, since it now exists on the master database only. In other words, where E(foo)bar means Encrypt 'foo' with key 'bar' Let PrinKey == my principal key master: EncPrinKey = E(PrinKey)Kmaster /* master encrypts my prin key*/ master: store(EncPrinKey) /* master stores encrypted key*/ master: SlaveKey = E(D(EncPrinKey)Kmaster)Kslave /* master decrypts and re-encrypts my prin key using Kslave */ master: ProtSlaveKey = E(SlaveKey)Ksession /* master encrypts SlaveKey for secure transmission */ master --> slave: ProtSlaveKey /* master transmits sealed key*/ slave: SlaveKey= D(ProtSlaveKey)Ksession /* slave decrypts received key*/ slave: store(SlaveKey) /* slave stores SlaveKey */ slave: PrinKey = D(SlaveKey)Kslave /* slave decrypts to yield PrinKey upon Kerberos requests */ Ksession is used to protect the transfer, using the private_msg() or equivalent. Kslave is another 'session' key used as the temporary 'master' for the slave. Despite the best reasonable efforts, sooner or later major Kerberos security problems, such as disclosing an old master key, will occur. I would strongly suggest that Jerry, Jeff and others walk through some likely scenarios and recovery procedures. Steve.
From Saltzer@ATHENA.MIT.EDU Thu Feb 12 10:21:57 1987 Date: Thu, 12 Feb 87 10:19:17 EST To: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller) Subject: re: Protecting Kerberos Cc: kerberos@athena.mit.edu (Distribution list @KERB) In-Reply-To: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller)'s message of 11-Feb-1987 1752 From: Jerome H. Saltzer <Saltzer@ATHENA.MIT.EDU> Originating-Client: <Saltzer-PC> Steve, I like the idea that the slaves have their database enciphered with a temporary Slave Key rather than the real master, to reduce the number of exposure points for the master. But I don't think your specific proposal is as effective as it sounds. The problem is that your scenario sends the new Slave Key enciphered with KSession. Where did Ksession come from? Presumably it is a result of an authenticated handshake between the slave and the master. And how did that handshake get authenticated? Presumably by virtue of a private key known only to the slave and to some Kerberos, probably the master. So now the slave's private key becomes an effective "master key", albeit two steps removed, with the usual problems of future disclosure. The one advantage your scenario provides is make it necessary that an attacker who has discovered that private key be present at the right time so as to watch the initial handshake (so as to discover Ksession) and also to snatch a copy of E(SlaveKey)Ksession as it goes by. Assuming everyone is careful to destroy Ksession as soon as SlaveKey is safely acquired by the slave, the attack work factor is certainly somewhat higher than if the slave database is simply enciphered with the Master key. There is also an availability problem: following a power failure, for example, the slave Kerberos can't begin work again until it has been reloaded from the Master Kerberos, unless it took the precaution of preserving both its old data base and the SlaveKey that is enciphering it. But preserving the SlaveKey in the persistent storage of the slave machine is exactly the action that (I assume) you are trying to avoid, so as to minimize its risk of disclosure. I agree that we need to work out the best approach to handling the case where a first-class compromise of the master key occurs. Jerry
From miller%erlang.DEC@decwrl.DEC.COM Tue Feb 17 20:18:36 1987 Date: 17-Feb-1987 0939 From: miller%erlang.DEC@decwrl.DEC.COM (Steve Miller) To: kerberos@athena.mit.edu (Distribution list @KERB) Subject: More re Protecting kerberos (The gateway from the DEC engineering net to the Arpanet , 'decwrl', has been flaky lately, so mail is being delayed and bounced around. spm) ---------------- Jerry, You are right, my last suggestion only shifts the attack from the master key to the interchange key between the slave database and the master Kerberos database. Though it does make it a little harder. The only way it might work, and still address the availability problem is if you could afford, operationally, to create new interchange keys between the slave db and master db every time an update was made, manually distribute them out of band (Jeff on roller skates!), feed them to the slaves, then immediately destroy them as soon as the update protocol had fired up. On powerfail, Jeff on Skates would have to redo the procedure, but unless all slaves power-failed at once, Kerberos would still be available. But it would still leave a slave key resident at the slave, subject to attack, even though no one had ever directly seen it. I conclude that it is not worth the effort for Athena for a minor improvement in security. The only solution is real physical security of the master keys, backup tapes, maybe even real crypto boxes, key guns, etc. Perhaps some time before we all retire, Public key can be made fast enough to allow a 3-way public-key based handshake without the direct intervention of a 3rd party (Kerberos server) with critical secrets. Note that Kerberos not only authenticates, but enforces an expiration date on principals, which would not be possible in a 2-party Public Key exchange. (Assume that the public half is published.) Introducing the 3rd party introduces that critical secret -- in one case a Kerberos DES master key, in another an RSA (or similar) public half of the key-pair.
From jis@BITSY.MIT.EDU Wed Feb 18 15:58:19 1987 Date: Wed, 18 Feb 87 15:56:30 EST From: Jeffrey I. Schiller <jis@BITSY.MIT.EDU> To: kerberos@athena.mit.edu Subject: On the security of kerberos (need for physical security) All this talk of how to deliver the keys isn't really addressing the likeliest form of attack, namely: 1) Obtain physical access to a kerberos slave machine. 2) Deposit a trap door program that allows a remote root login at a later time. 3) Arrange it to look like the system crashed in some "normal" maner. 4) Wait for the system to be restarted. 5) Now while the machine is running, utilize trap door, make a copy of the database and use the "gcore" program to grab a core image of the running kerberos server and extract the master key (or the equivalent of the master key for the database copy you must made). 6) Done. And let Athena beware! Providing physical security is the key here (no pun intended). Encryption hardware would help (if the hardware allows the key to be written, but not read out, and it clears the key memory on bus reset). -Jeff