.. _dictionary:

Addressing dictionary attack risks
==================================

Kerberos initial authentication is normally secured using the client
principal's long-term key, which for users is generally derived from a
password. Using a password-derived long-term key carries the risk of a
dictionary attack, where an attacker tries a sequence of possible
passwords, possibly requiring much less effort than would be required
to try all possible values of the key. Even if :ref:`password policy
objects <policies>` are used to force users not to pick trivial
passwords, dictionary attacks can sometimes be successful against a
significant fraction of the users in a realm. Dictionary attacks are
not a concern for principals using random keys.

A dictionary attack may be online or offline. An online dictionary
attack is performed by trying each password in a separate request to
the KDC, and is therefore visible to the KDC and also limited in speed
by the KDC's processing power and the network capacity between the
client and the KDC. Online dictionary attacks can be mitigated using
:ref:`account lockout <lockout>`. This measure is not totally
satisfactory, as it makes it easy for an attacker to deny access to a
client principal.

An offline dictionary attack is performed by obtaining a ciphertext
generated using the password-derived key, and trying each password
against the ciphertext. This category of attack is invisible to the
KDC and can be performed much faster than an online attack. The
attack will generally take much longer with more recent encryption
types (particularly the ones based on AES), because those encryption
types use a much more expensive string-to-key function. However, the
best defense is to deny the attacker access to a useful ciphertext.
The required defensive measures depend on the attacker's level of
network access.

An off-path attacker has no access to packets sent between legitimate
users and the KDC. An off-path attacker could gain access to an
attackable ciphertext either by making an AS request for a client
principal which does not have the **+requires_preauth** flag, or by
making a TGS request (after authenticating as a different user) for a
server principal which does not have the **-allow_svr** flag. To
address off-path attackers, a KDC administrator should set those flags
on principals with password-derived keys::

    kadmin: add_principal +requires_preauth -allow_svr princname

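The following shell script, added here as an example and not part of the krb5 documentation, audits ``get_principal`` output for the two flags set by the command above and prints the ``modify_principal`` command that would add the missing ones. The sample output is constructed and assumes kadmin's usual layout (an ``Attributes:`` line naming ``REQUIRES_PRE_AUTH`` and ``DISALLOW_SVR``); in a live realm the output of ``kadmin.local -q "get_principal PRINC"`` would be fed in instead.

```shell
#!/bin/sh
# Audit kadmin "get_principal" output for the two flags recommended
# above.  Added example, not krb5 code.  Assumes kadmin's output
# layout: an "Attributes:" line listing REQUIRES_PRE_AUTH (set by
# +requires_preauth) and DISALLOW_SVR (set by -allow_svr).

# Read one principal's get_principal output on stdin and print the
# kadmin flags it still lacks (empty when both are set).  Exit status
# is 0 when nothing is missing, 1 otherwise.
missing_dict_flags() {
    attrs=$(sed -n 's/^Attributes: *//p')
    needed=""
    case " $attrs " in
        *" REQUIRES_PRE_AUTH "*) ;;
        *) needed="$needed +requires_preauth" ;;
    esac
    case " $attrs " in
        *" DISALLOW_SVR "*) ;;
        *) needed="$needed -allow_svr" ;;
    esac
    printf '%s\n' "${needed# }"
    [ -z "$needed" ]
}

# Constructed sample output for two principals (a live realm would use
#   kadmin.local -q "get_principal $princ"  instead).
SAMPLE_HARDENED='Principal: alice@EXAMPLE.COM
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: [none]'
SAMPLE_WEAK='Principal: bob@EXAMPLE.COM
Attributes:
Policy: [none]'

# Stand-alone demo: report each sample principal and the fix command.
for sample in "$SAMPLE_HARDENED" "$SAMPLE_WEAK"; do
    princ=$(printf '%s\n' "$sample" | sed -n 's/^Principal: //p')
    if needed=$(printf '%s\n' "$sample" | missing_dict_flags); then
        echo "$princ: ok"
    else
        echo "$princ: fix with  kadmin: modify_principal $needed $princ"
    fi
done
```

A principal whose entry kadmin cannot find produces no ``Attributes:`` line and is reported as lacking both flags, which is the safe default for an audit.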
An attacker with passive network access (one who can monitor packets
sent between legitimate users and the KDC, but cannot change them or
insert their own packets) can gain access to an attackable ciphertext
by observing an authentication by a user using the most common form of
preauthentication, encrypted timestamp. Any of the following methods
can prevent dictionary attacks by attackers with passive network
access:

* Enabling :ref:`SPAKE preauthentication <spake>` (added in release
  1.17) on the KDC, and ensuring that all clients are able to support
  it.

* Using an :ref:`HTTPS proxy <https>` for communication with the KDC,
  if the attacker cannot monitor communication between the proxy
  server and the KDC.

* Using FAST, protecting the initial authentication with either a
  random key (such as a host key) or with :ref:`anonymous PKINIT
  <anonymous_pkinit>`.

An attacker with active network access (one who can inject or modify
packets sent between legitimate users and the KDC) can try to fool the
client software into sending an attackable ciphertext using an
encryption type and salt string of the attacker's choosing. Any of the
following methods can prevent dictionary attacks by active attackers:

* Enabling SPAKE preauthentication and setting the
  **disable_encrypted_timestamp** variable to ``true`` in the
  :ref:`realms` subsection of the client configuration.

* Using an HTTPS proxy as described above, configured in the client's
  krb5.conf realm configuration. If :ref:`KDC discovery
  <kdc_discovery>` is used to locate a proxy server, an active
  attacker may be able to use DNS spoofing to cause the client to use
  a different HTTPS server or to not use HTTPS.

* Using FAST as described above.

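As an added example (not from the krb5 documentation), this shell function checks a client ``krb5.conf`` realm stanza for the two configuration-level mitigations just listed, with a constructed weak stanza beside a hardened one. It assumes the ``key = value`` layout used in the krb5 documentation, treats a stanza with no ``kdc`` entries as relying on spoofable KDC discovery, and cannot verify whether SPAKE is enabled on the KDC, which ``disable_encrypted_timestamp = true`` also requires.

```shell
#!/bin/sh
# Check a client krb5.conf realm stanza for the configuration-level
# mitigations against an active attacker listed above.  Added example,
# not krb5 code.  Assumes the "key = value" layout used in the krb5
# documentation; it cannot see whether SPAKE is enabled on the KDC,
# which disable_encrypted_timestamp = true also requires.

# Usage: realm_active_mitigations REALM < krb5.conf
# Prints each mitigation found (or what is missing) and exits 0 when at
# least one applies, 1 otherwise.
realm_active_mitigations() {
    awk -v realm="$1" '
        /^\[/ { in_realms = ($0 == "[realms]"); next }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
        in_block && $1 == "}" { in_block = 0 }
        in_block && $1 == "kdc" { nkdc++; if ($3 !~ /^https:\/\//) plain++ }
        in_block && $1 == "disable_encrypted_timestamp" && $3 == "true" { det = 1 }
        END {
            ok = 0
            if (det) { print "encrypted timestamp disabled (needs SPAKE on the KDC)"; ok = 1 }
            if (nkdc > 0 && plain == 0) { print "all kdc entries use an HTTPS proxy"; ok = 1 }
            else if (nkdc == 0) print "no kdc entries: DNS discovery in use, spoofable by an active attacker"
            else print "plain (non-HTTPS) kdc entries: " plain
            exit (ok ? 0 : 1)
        }'
}

# Constructed samples: the weak stanza beside the hardened one.
WEAK_CONF='[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }'
HARDENED_CONF='[realms]
    EXAMPLE.COM = {
        kdc = https://kdcproxy.example.com/KdcProxy
        disable_encrypted_timestamp = true
    }'

# Stand-alone demo over both samples.
for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    if printf '%s\n' "$conf" | realm_active_mitigations EXAMPLE.COM; then
        echo "EXAMPLE.COM: an active-attacker mitigation is configured"
    else
        echo "EXAMPLE.COM: no active-attacker mitigation configured"
    fi
done
```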
|
Packit Service |
99d1c0 |
If :ref:`PKINIT <pkinit>` or :ref:`OTP <otp_preauth>` are used for
|
|
Packit Service |
99d1c0 |
initial authentication, the principal's long-term keys are not used
|
|
Packit Service |
99d1c0 |
and dictionary attacks are usually not a concern.
|