Fix for Kerberos V4 weakness as reported by COAST

Date: Tue, 20 Feb 1996 18:58:01 -0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: kerberos@MIT.EDU


-----BEGIN PGP SIGNED MESSAGE-----


In the past few weeks, we have been aware of a significant vulnerability
in the Kerberos V4 implementation as provided by MIT.  This
vulernability was noted by members of the COAST Laboratory at Purdue,
and has been independently discovered by a number of different people
since rumors about a "significant security vulnerability in Kerberos"
has been swirling around for the past month or so.  This message
announces the availability of fixes for this problem.

The nature of the problem has already been mentioned on the Kerberos
list; to make a long story short, although the Kerberos V4 distribution
does contain a strong random number generator, the changes to actually
use it had somehow never gotten integrated into the Kerberos V4 sources.

The Kerberos V5 protocol and implementation is *not* affected by this
vulnerability, since it is using a DES-based random number generator.
(Attackers who have the ability to crack a DES-based random number
generator can more simply just crack a DES key for some critical
Kerberos service, like the ticket-granting-ticket key.  In the long run,
we will need to move the a stronger cryptographic algorithm, such as
triple-DES, and we are currently at work to support triple-DES within
the MIT implementation of Kerberos V5.)

However, those sites which are using the Kerberos V4 compatibility
feature in the Kerberos V5 distribution should apply a patch to fix a
similar problem in the Kerberos V4 compatibility code.  This patch is
not necessary if your site does not have this backwards-compatibility
feature enabled.

If you are using a version of Kerberos V4 which was provided to you by a
vendor, please contact your vendor for assistance.  MIT, in cooperation
with the CERT, has been in contact with those vendors which we know
supply Kerberos V4 to their customers.

						- Ted

- -------------------------------------------------------------------
Instructions to pick up the the Kerberos V4 patch:

Use Anonymous FTP to athena-dist.mit.edu. Change directory to
/pub/kerberos, fetch and read "README.KRB4" found in that
directory. It will provide the name of the distribution directory
(which is otherwise hidden and cannot be found by listing its parent
directory). Change directory to the hidden distribution
directory. There you will find the original Kerberos distribution plus
a new file named "random_patch.tar.Z" (and random_patch.tar.gz for
those with "gzip"). This tar file contains two files, the patch itself
and a README.PATCH file. Read this file carefully before proceeding.

The distribution hidden directory also contains a file
"random_patch.md5" which is a PGP clearsigned file containing the MD5
checksums of random_patch.tar.Z and random_patch.tar.gz.  The PGP file
is signed by Jeff Schiller (PGP keyid 0x0DBF906D, PGP Key fignerprint:
DD DC 88 AA 92 DC DD D5  BA 0A 6B 59 C1 65 AD 01).

- -------------------------------------------------------------------

Instructions to pick up the the Kerberos V5 patch:  (only necessary if
you are using the Kerberos V4 comaptibility feature)

Use Anonymous FTP to athena-dist.mit.edu. Change directory to
/pub/kerberos, fetch and read "README.KRB5_BETA5" found in that
directory.  It will provide the name of the distribution directory
(which is otherwise hidden and cannot be found by listing its parent
directory).  Change directory to the hidden distribution directory.
There you will find the Kerberos V5 Beta 5 distribution, plus a new file
named krb5-krb4-random-patch.  This is a text file containing the patch,
plus a description of how to apply it to your Kerberos V5 distribution.
Note that although it is found in the Beta 5 distribution directory, it
should also work when applied against Beta 4 sources.  Read the text
file very carefully before proceeding.

The distribution hidden directory also contains a file
"krb5-krb4-random-patch.sig" which is a PGP detached signature of the
patch file.  The PGP signature is signed by myself, Theodore Ts'o, using
PGP keyid 0x466B4289.  (PGP Key fingerprint: 9C 05 66 49 DF 83 7E EF 
D8 AC 75 42 A2 33 4B 91).  The MD5 checksum of the file 
krb5-krb4-random-patch is: b4740cb4b3e2256ee39bf72e5676c7f7.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.2, an Emacs/PGP interface

iQCVAwUBMSpf4UQVcM1Ga0KJAQHUwgQAyZuDqrOgyzQZfSCHj1lKWHI7IFu9UgDt
8nAknf5iWfu6QWGWHF9MYye1h4vtJ7DU+s2/Kfk2OnXc5gOlSWu5WKz9GHL88HxK
/Y6cS2r56hpVWLLiI5Jv+0RsA2RpfGuUf79VS2TI/twBmFBtAYgV/r7PeV8R6gnz
NKSO7QbfoHk=
=f9MS
-----END PGP SIGNATURE-----