In October, I wrote a two-part
feature on how elegant and secure the Kerberos protocol is. However, Arne
Vidstrom from ntsecurity.nu recently released a tool that allows you to easily
obtain user passwords by monitoring Windows 2000 Kerberos logon traffic.
Let's revisit that topic and analyze how secure Kerberos is, or in
general, how one should think about the security of any security protocol or
encryption algorithm.
Is it really possible to obtain user passwords by
simply listening to the initial Kerberos logon exchange? To answer that part
right away: yes, it is possible. If I log on with my Windows 2000 domain user
account, using a password of say 'Dovetail', then anyone who sniffs that
Kerberos logon traffic can obtain my password in a matter of seconds.
Remarkably enough the password-cracking possibility is traditionally
associated with LM/NTLM style logon in Windows 2000, and not with Kerberos. And
I must admit that I didn't realize this fully either initially. Let's look at it
more closely.
From a more analytical approach: in general, there are
four different ways one can crack a protocol used for secured authentication or
encryption, like Kerberos. The four methods are:
Steal the key.
This always works... if you have the opportunity to obtain the key somehow, that
is. This may involve logging keyboard strokes, or simply finding it on a
proverbial sticky-note near the computer. No encryption method can withstand the
steal-the-key approach, which more or less circumvents the whole protection that
the protocol provides in the first place.
Find a flaw in the
implementation. A flaw in the implementation would mean that there is
nothing wrong with the security protocol itself, but that the vendor has coded
the implementation of the protocol incorrectly, so that (for example) the same
20 "randomly generated" keys are always used, or that an attacker can severely
limit the keyspace to search for. Other flaws may involve being able to
downgrade a protocol into using a dumbed-down version of the protocol, or even
specifying the key yourself.
Find a flaw in the security protocol
itself. Awesome, but highly unlikely. These are the kind of discoveries that
can make you big bucks. If you happened to stumble on a way to read any
3DES-encrypted text for example, you can be assured that your name will be quite
well known for a while. Every now and then researchers will find (complicated)
methods to more efficiently crack certain protocols, but it is very unlikely
that a true backdoor will be found.
This is obviously higher
mathematics. For "man-made" algorithms such as RC4, it would be a shock if
someone found a way to instantaneously unencrypt any message encrypted with that
algorithm. For algorithms based on more general mathematics problems, like the
problem underlying the RSA public-key system (factoring a very large number into
two primes), finding a short-cut solution for that would be almost mathematics
Nobel Prize material!
Be forewarned though, don't try to find a
short-cut solution for breaking RSA public-key yourself. There is no Nobel Prize
for mathematics. Rumor has it that Alfred Nobel's mistress had an affair with a
Swedish mathematician, Gosta Mittag-Leffler, which ruined it for all
mathematicians...
Try all possible keys in a brute-force manner.
This always works, and is also the approach that Arne Vidstrom's Keybcrack
application uses. The only protection against this attack is that it may take an
infeasible long time to go through the entire keyspace and try all possible
combinations. And, as with any search operation, you just know that whatever
order you use to try all possible keys or passwords, it is always the last
one...
Seriously though, this can take a long time. Usually it is not
even the time or calculation-effort it takes to test whether a particular key is
the correct one, but rather the enormous amount of possible keys that you have
to work through.
A good description that I always have liked that
indicates how long it takes to brute-force a 128-bit secret key is the
following. If you want to exhaustively try out all possible 128-bit keys, you
will have to take all of the computers on the Internet, multiple their speed by
1,000, and if they all worked together, it would still take 1,000 times the
current age of the universe to try out all possible 128-bit keys in order to
break a single encrypted message.
I am a believer that 128-bit
encryption is safe from a brute- force keyspace attack. Of course, not all
security protocols use a truly random 128-bit or longer key. In fact many
security protocols rely on a much shorter key (WEP - 40 bit, DES - 56 bit), or
don't computer-generated keys, but let...
You must be logged in to view this entire article. Click Here to Finish Reading this Article
FREE subscription to Network World.
Your complimentary subscription will include 50 weekly issues jam packed with news analysis, expert industry opinion and management/career advice, all of which is packaged with your business needs in mind. We want to help you connect the technology dots and help you advance your company's business goals.
Email this Article
Print this Article
