A Real-World Analysis of Kerberos Password Security
Date: February 1999
Publication: Proceedings of the 1999 ISOC Symposium on Network and Distributed System Security
Publisher: Internet Society
Source 1: http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/wu.pdf
Abstract or Summary:
Kerberos is a distributed authentication system that many organizations use to handle domain-wide password security. Although it has been known for quite some time that Kerberos is vulnerable to brute-force password searches, there has so far been little analysis of the scope and extent of this vulnerability. This paper discusses the nature of this weakness in detail and attempts to quantify the severity of the danger it poses to existing Kerberized installations. The results of a controlled experiment, in which a large number of passwords from a Kerberos realm were broken off-line and subjected to analysis, will be presented. The author explores possible strategies for repairing this security hole, the most viable of which is the use of Kerberos V5 preauthentication coupled with a secure password authentication protocol such as SRP, SPEKE, or EKE.
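To make the weakness the abstract describes concrete, the following is an added Python example written for this page; it is not code from the paper and not Kerberos wire format or any Kerberos implementation. It models a KDC that encrypts the private part of the AS-REP under a key derived from the user's password and a per-principal salt (PBKDF2-HMAC-SHA1 with salt = realm + principal, after RFC 3962, with the final DK step omitted; an HMAC-SHA256 counter-mode keystream stands in for the real block cipher). An attacker who has captured that blob can test candidate passwords offline because only the right key passes the integrity check. The same loop cracks a captured PA-ENC-TIMESTAMP pre-authentication blob, which is why the abstract pairs pre-authentication with a protocol such as SRP instead of relying on it alone. The realm, principal, password and wordlist are constructed sample data, and the 4096-iteration string-to-key is the later AES design; the Kerberos 4 and DES string-to-key functions in use in 1999 were far cheaper per guess.

```python
"""Offline password guessing against a Kerberos-style encrypted reply.

Simplified model for illustration: not Kerberos wire format, not code from
the paper. The KDC encrypts the private part of the AS-REP under a key
derived from the user's password and salt; anyone holding the blob can test
guesses offline, since a wrong key fails the integrity check.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def string_to_key(password: str, salt: str, iterations: int = 4096) -> bytes:
    """Password -> key. RFC 3962 (AES enctypes) uses PBKDF2-HMAC-SHA1 with
    4096 iterations; its final DK() step is omitted in this model."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(),
                               iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, tag = HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag fails (wrong key)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_as_rep(password: str, realm: str, principal: str, session_key: bytes) -> bytes:
    """Without pre-authentication the KDC returns this to anyone who names the
    principal. The payload stands in for the ASN.1 EncASRepPart; the default
    salt per RFC 4120 is the realm followed by the principal name components."""
    return encrypt(string_to_key(password, realm + principal),
                   b"enc-part:" + session_key)


def pa_enc_timestamp(password: str, realm: str, principal: str, ts: str) -> bytes:
    """PA-ENC-TIMESTAMP pre-authentication: the client proves knowledge of the
    key by encrypting a timestamp. A sniffed copy is just as guessable offline."""
    return encrypt(string_to_key(password, realm + principal), ts.encode())


def crack(blob: bytes, realm: str, principal: str, wordlist):
    """Try each candidate; return (password, guesses_tried) or (None, n)."""
    salt = realm + principal
    for tried, guess in enumerate(wordlist, start=1):
        if decrypt(string_to_key(guess, salt), blob) is not None:
            return guess, tried
    return None, len(wordlist)


# Constructed sample data, not taken from the paper's experiment.
REALM, PRINCIPAL, PASSWORD = "EXAMPLE.COM", "alice", "Summer99"
WORDLIST = ["password", "kerberos", "alice", "Summer99", "letmein"]


def demo():
    """Crack a captured AS-REP and a captured pre-auth timestamp blob."""
    as_rep = kdc_as_rep(PASSWORD, REALM, PRINCIPAL, os.urandom(16))
    preauth = pa_enc_timestamp(PASSWORD, REALM, PRINCIPAL, "19990201120000Z")
    return (crack(as_rep, REALM, PRINCIPAL, WORDLIST),
            crack(preauth, REALM, PRINCIPAL, WORDLIST))


if __name__ == "__main__":
    print(demo())
```

Running the module recovers "Summer99" on the fourth guess from both captured blobs. The salt stops a single precomputed table from covering every principal, but it does nothing against a per-user dictionary search, which is the attack the paper quantifies. Pre-authentication only removes the attacker's ability to request the blob; a passive observer still gets crackable material, hence the abstract's call for a zero-knowledge-style password protocol.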