informa
/
Risk
News

Flawed Deployments Undermine Kerberos Security

Sure, you have Kerberos, but are you secure? Researchers find practical problems that can weaken secure authentication
Significant weaknesses in the common configuration of Kerberos-based authentication servers could allow attackers to more easily circumvent security measures in networks that rely on the open authentication standard, according to recent research presented by consultants at the recent Black Hat USA 2010 conference.

The researchers found several common configuration problems that could allow attackers to significantly weaken the security that Kerberos provides.

Companies typically use Kerberos in Microsoft Active Directory environments or in large university Unix or Linux networks that allow users to access various network resources after authenticating to a central server. An active attacker could cause an authentication server to downgrade the data encryption, or etype, used for exchange of the authenticator, says Scott Stender, co-founder and principal consultant with iSEC Partners and one of the report's authors.

"The downgrade of etypes lets you downgrade to an encryption algorithm that you can brute-force," Stender says.

Kerberos version 4 was hard-coded to use the Data Encryption Standard (DES), a 64-bit block cypher that is no longer considered a strong form of encryption because -- among other reasons -- only 56 bits provide meaningful security. While the latest version of the authentication protocol, Kerberos version 5, allows any suitable cryptographic primitive, attackers can functionally prevent the authentication system from using the more secure Advanced Encryption Standard (AES).

While DES suited the security requirements of companies for many years, successive software and hardware breakthroughs have made brute-forcing the encryption standard easy. Earlier this year at the Black Hat DC conference, Seattle-based high-performance computer maker Pico Computing demonstrated a specialized computer that could process more than 280 billion DES keys per second. At that speed, a DES key could be broken in less than three days.

The most recent Kerberos versions have fixed the issue, but a majority of deployments do not benefit from the changes -- or explicitly allow users to downgrade to DES for compatibility reasons, Stender says.

"In the Windows world, there are defaults that determine everything -- and up until the latest version, the defaults are insecure," Stender says. Both Windows 2008 and Windows Vista allow downgrading to the DES etype, he observes. MIT Kerberos version 1.7 and below will accept DES etypes.

Authentication systems require a lot of effort to maintain and update, so many companies tend to deploy them in their most permissive mode and then fail to tweak the security of the system, says Martin Hack, executive vice president of remote-access software maker NCP Engineering.

"Unfortunately, a lot of customers believe that once you install it, your job is done -- that is not true," Hack says.

In an advisory (PDF) released in late August, iSEC Partners recommended that companies review the configurations of any Kerberos-based authentication servers and disable the acceptance of DES-based authenticators. Before changing the configuration, however, administrators will have to reissue certificates to all domain controllers, the advisory warns.

The ability to downgrade authentication to weaker encryption is not the only Kerberos flaw identified by iSEC researchers. The firm also identified a flaw in default Windows deployments that affects companies using smart cards to log into their authentication servers.

"There was actually a pretty substantial privilege of escalation capability for servers supporting smart cards," says Brad Hill, a consultant at iSEC and co-author of the work. "In some of the early versions of Windows 2000 -- before the standard was finalized -- there were some inconsistencies in how the validation is done, so we were able to create an exploit."

In its advisory, iSEC also recommends that companies limit the number of users who can add a system to a domain, which could help prevent exploitation of the smart-card-authentication flaw. Overall, companies can mitigate the risks of attacks on their authentication server with some relatively simple configuration changes, iSEC's Stender says.

"We are pretty happy with the fact that we could find a configuration change to solve these problems," Stender says. "Everything we found can be addressed with an upgrade and a configuration change."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading:
Editors' Choice
Amichai Shulman, CTO and Co-founder of AirEye
Biagio DeSimone, Enterprise Solution Architect, Aqua Security