Misplaced trust: Kerberos 4 session keys

One of the commonly accepted principles of software design for security is that making the source code openly available leads to better security. The presumption is that the open publication of source code will lead others to review the code for errors; however, this openness is no guarantee of correctness. One of the most widely published and used pieces of security software in recent memory is the MIT implementation of the Kerberos authentication protocol. In the design of the protocol, random session keys are the basis for establishing the authenticity of service requests. Because of the way that the Kerberos Version 4 implementation selected its random keys, the secret keys could easily be guessed in a matter of seconds. This paper discusses the difficulty of generating good random numbers, the mistakes that were made in implementing Kerberos Version 4, and the breakdown of software engineering that allowed this flaw to remain unfixed for ten years. We discuss this as a particularly notable example of the need to examine security-critical code carefully, even when it is made publicly available.
