e5fe63eaf1
Security: CVE-2025-57736
224 lines
13 KiB
HTML
224 lines
13 KiB
HTML
<!DOCTYPE html>
|
||
|
||
<html lang="en" data-content_root="../">
|
||
<head>
|
||
<meta charset="utf-8" />
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />
|
||
|
||
<title>Addressing dictionary attack risks — MIT Kerberos Documentation</title>
|
||
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
|
||
<link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
|
||
<link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
|
||
<script src="../_static/documentation_options.js?v=6dbce55c"></script>
|
||
<script src="../_static/doctools.js?v=888ff710"></script>
|
||
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
|
||
<link rel="author" title="About these documents" href="../about.html" />
|
||
<link rel="index" title="Index" href="../genindex.html" />
|
||
<link rel="search" title="Search" href="../search.html" />
|
||
<link rel="copyright" title="Copyright" href="../copyright.html" />
|
||
<link rel="next" title="Principal names and DNS" href="princ_dns.html" />
|
||
<link rel="prev" title="SPAKE Preauthentication" href="spake.html" />
|
||
</head><body>
|
||
<div class="header-wrapper">
|
||
<div class="header">
|
||
|
||
|
||
<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
|
||
|
||
<div class="rel">
|
||
|
||
<a href="../index.html" title="Full Table of Contents"
|
||
accesskey="C">Contents</a> |
|
||
<a href="spake.html" title="SPAKE Preauthentication"
|
||
accesskey="P">previous</a> |
|
||
<a href="princ_dns.html" title="Principal names and DNS"
|
||
accesskey="N">next</a> |
|
||
<a href="../genindex.html" title="General Index"
|
||
accesskey="I">index</a> |
|
||
<a href="../search.html" title="Enter search criteria"
|
||
accesskey="S">Search</a> |
|
||
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Addressing dictionary attack risks">feedback</a>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
|
||
<div class="content-wrapper">
|
||
<div class="content">
|
||
<div class="document">
|
||
|
||
<div class="documentwrapper">
|
||
<div class="bodywrapper">
|
||
<div class="body" role="main">
|
||
|
||
<section id="addressing-dictionary-attack-risks">
|
||
<span id="dictionary"></span><h1>Addressing dictionary attack risks<a class="headerlink" href="#addressing-dictionary-attack-risks" title="Link to this heading">¶</a></h1>
|
||
<p>Kerberos initial authentication is normally secured using the client
|
||
principal’s long-term key, which for users is generally derived from a
|
||
password. Using a pasword-derived long-term key carries the risk of a
|
||
dictionary attack, where an attacker tries a sequence of possible
|
||
passwords, possibly requiring much less effort than would be required
|
||
to try all possible values of the key. Even if <a class="reference internal" href="database.html#policies"><span class="std std-ref">password policy
|
||
objects</span></a> are used to force users not to pick trivial
|
||
passwords, dictionary attacks can sometimes be successful against a
|
||
significant fraction of the users in a realm. Dictionary attacks are
|
||
not a concern for principals using random keys.</p>
|
||
<p>A dictionary attack may be online or offline. An online dictionary
|
||
attack is performed by trying each password in a separate request to
|
||
the KDC, and is therefore visible to the KDC and also limited in speed
|
||
by the KDC’s processing power and the network capacity between the
|
||
client and the KDC. Online dictionary attacks can be mitigated using
|
||
<a class="reference internal" href="lockout.html#lockout"><span class="std std-ref">account lockout</span></a>. This measure is not totally
|
||
satisfactory, as it makes it easy for an attacker to deny access to a
|
||
client principal.</p>
|
||
<p>An offline dictionary attack is performed by obtaining a ciphertext
|
||
generated using the password-derived key, and trying each password
|
||
against the ciphertext. This category of attack is invisible to the
|
||
KDC and can be performed much faster than an online attack. The
|
||
attack will generally take much longer with more recent encryption
|
||
types (particularly the ones based on AES), because those encryption
|
||
types use a much more expensive string-to-key function. However, the
|
||
best defense is to deny the attacker access to a useful ciphertext.
|
||
The required defensive measures depend on the attacker’s level of
|
||
network access.</p>
|
||
<p>An off-path attacker has no access to packets sent between legitimate
|
||
users and the KDC. An off-path attacker could gain access to an
|
||
attackable ciphertext either by making an AS request for a client
|
||
principal which does not have the <strong>+requires_preauth</strong> flag, or by
|
||
making a TGS request (after authenticating as a different user) for a
|
||
server principal which does not have the <strong>-allow_svr</strong> flag. To
|
||
address off-path attackers, a KDC administrator should set those flags
|
||
on principals with password-derived keys:</p>
|
||
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span class="p">:</span> <span class="n">add_principal</span> <span class="o">+</span><span class="n">requires_preauth</span> <span class="o">-</span><span class="n">allow_svr</span> <span class="n">princname</span>
|
||
</pre></div>
|
||
</div>
|
||
<p>An attacker with passive network access (one who can monitor packets
|
||
sent between legitimate users and the KDC, but cannot change them or
|
||
insert their own packets) can gain access to an attackable ciphertext
|
||
by observing an authentication by a user using the most common form of
|
||
preauthentication, encrypted timestamp. Any of the following methods
|
||
can prevent dictionary attacks by attackers with passive network
|
||
access:</p>
|
||
<ul class="simple">
|
||
<li><p>Enabling <a class="reference internal" href="spake.html#spake"><span class="std std-ref">SPAKE preauthentication</span></a> (added in release
|
||
1.17) on the KDC, and ensuring that all clients are able to support
|
||
it.</p></li>
|
||
<li><p>Using an <a class="reference internal" href="https.html#https"><span class="std std-ref">HTTPS proxy</span></a> for communication with the KDC,
|
||
if the attacker cannot monitor communication between the proxy
|
||
server and the KDC.</p></li>
|
||
<li><p>Using FAST, protecting the initial authentication with either a
|
||
random key (such as a host key) or with <a class="reference internal" href="pkinit.html#anonymous-pkinit"><span class="std std-ref">anonymous PKINIT</span></a>.</p></li>
|
||
</ul>
|
||
<p>An attacker with active network access (one who can inject or modify
|
||
packets sent between legitimate users and the KDC) can try to fool the
|
||
client software into sending an attackable ciphertext using an
|
||
encryption type and salt string of the attacker’s choosing. Any of the
|
||
following methods can prevent dictionary attacks by active attackers:</p>
|
||
<ul class="simple">
|
||
<li><p>Enabling SPAKE preauthentication and setting the
|
||
<strong>disable_encrypted_timestamp</strong> variable to <code class="docutils literal notranslate"><span class="pre">true</span></code> in the
|
||
<a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> subsection of the client configuration.</p></li>
|
||
<li><p>Using an HTTPS proxy as described above, configured in the client’s
|
||
krb5.conf realm configuration. If <a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC discovery</span></a> is used to locate a proxy server, an active
|
||
attacker may be able to use DNS spoofing to cause the client to use
|
||
a different HTTPS server or to not use HTTPS.</p></li>
|
||
<li><p>Using FAST as described above.</p></li>
|
||
</ul>
|
||
<p>If <a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT</span></a> or <a class="reference internal" href="otp.html#otp-preauth"><span class="std std-ref">OTP</span></a> are used for
|
||
initial authentication, the principal’s long-term keys are not used
|
||
and dictionary attacks are usually not a concern.</p>
|
||
</section>
|
||
|
||
|
||
<div class="clearer"></div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
<div class="sidebar">
|
||
|
||
<h2>On this page</h2>
|
||
<ul>
|
||
<li><a class="reference internal" href="#">Addressing dictionary attack risks</a></li>
|
||
</ul>
|
||
|
||
<br/>
|
||
<h2>Table of contents</h2>
|
||
<ul class="current">
|
||
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
|
||
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
|
||
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
|
||
<li class="toctree-l2 current"><a class="current reference internal" href="#">Addressing dictionary attack risks</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
|
||
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
|
||
</ul>
|
||
</li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
|
||
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
|
||
</ul>
|
||
|
||
<br/>
|
||
<h4><a href="../index.html">Full Table of Contents</a></h4>
|
||
<h4>Search</h4>
|
||
<form class="search" action="../search.html" method="get">
|
||
<input type="text" name="q" size="18" />
|
||
<input type="submit" value="Go" />
|
||
<input type="hidden" name="check_keywords" value="yes" />
|
||
<input type="hidden" name="area" value="default" />
|
||
</form>
|
||
|
||
</div>
|
||
<div class="clearer"></div>
|
||
</div>
|
||
</div>
|
||
|
||
<div class="footer-wrapper">
|
||
<div class="footer" >
|
||
<div class="right" ><i>Release: 1.22.1</i><br />
|
||
© <a href="../copyright.html">Copyright</a> 1985-2025, MIT.
|
||
</div>
|
||
<div class="left">
|
||
|
||
<a href="../index.html" title="Full Table of Contents"
|
||
>Contents</a> |
|
||
<a href="spake.html" title="SPAKE Preauthentication"
|
||
>previous</a> |
|
||
<a href="princ_dns.html" title="Principal names and DNS"
|
||
>next</a> |
|
||
<a href="../genindex.html" title="General Index"
|
||
>index</a> |
|
||
<a href="../search.html" title="Enter search criteria"
|
||
>Search</a> |
|
||
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Addressing dictionary attack risks">feedback</a>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
|
||
</body>
|
||
</html> |