Kerberos 4 keys not so random?
[23 February 1996]
Researchers at Purdue's COAST laboratory uncovered a significant weakness
in the Kerberos Version 4 key server, according to reports circulated
on 16 February. CERT advisory CA-96.03, distributed 21 February, confirmed
the problem, which concerns only key distribution centers, not clients or
servers, and provided patch information. According to the COAST announcement,
Steve Lodin and Bryn Dole, graduate students working with Prof. Gene Spafford,
discovered a method whereby someone without privileged
access to most implementations of a Kerberos 4 server can nonetheless
break secret session keys issued to users. This means that it is
possible to gain unauthorized access to distributed services available
to a user without knowing that user's password. This method has been
demonstrated to work in under 5 minutes, on average, using a typical
workstation, and sometimes as quickly as 12 seconds.
The researchers also found that Kerberos Version 5 exhibited a
small, theoretical
weakness in Kerberos version 5 that would allow similar access, given
some additional information and considerable preliminary computation.
Kerberos version 5 does not exhibit the same weakness as described
above for Kerberos version 4.
Later reports gave the following timings for cracking session
keys:
SPARC 5: average time to crack session key = 26.2 seconds (std dev
14.7 over 223 trials); longest = 48.7 seconds; shortest = .3 seconds.
DEC Alpha: average time = 5.8 seconds with std dev of 3.3; longest =
10.9 seconds; shortest = .2 seconds.