Connected: An Internet Encyclopedia
1.2. Environmental assumptions
RFC 1510
Kerberos imposes a few assumptions on the environment in which it can
properly function:
- "Denial of service" attacks are not solved with Kerberos. There
are places in these protocols where an intruder can
prevent an application from participating in the proper
authentication steps. Detection and solution of such attacks
(some of which can appear to be not-uncommon "normal" failure
modes for the system) is usually best left to the human
administrators and users.
- Principals must keep their secret keys secret. If an intruder
somehow steals a principal's key, it will be able to masquerade
as that principal or impersonate any server to the legitimate
principal.
- "Password guessing" attacks are not solved by Kerberos. If a
user chooses a poor password, it is possible for an attacker to
successfully mount an offline dictionary attack by repeatedly
attempting to decrypt, with successive entries from a
dictionary, messages obtained which are encrypted under a key
derived from the user's password.
- Each host on the network must have a clock which is "loosely
synchronized" to the time of the other hosts; this
synchronization is used to reduce the bookkeeping needs of
application servers when they do replay detection. The degree
of "looseness" can be configured on a per-server basis. If the
clocks are synchronized over the network, the clock
synchronization protocol must itself be secured from network
attackers.
- Principal identifiers are not recycled on a short-term basis. A
typical mode of access control will use access control lists
(ACLs) to grant permissions to particular principals. If a
stale ACL entry remains for a deleted principal and the
principal identifier is reused, the new principal will inherit
rights specified in the stale ACL entry. By not re-using
principal identifiers, the danger of inadvertent access is
removed.
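The clock assumption above can be illustrated with a server-side replay cache. This is an added example, not text or code from RFC 1510: the class name, method names, the sample principal and the 300-second window are assumptions chosen for illustration. It shows why loose synchronization reduces bookkeeping: an authenticator whose timestamp lies outside the configured skew is rejected outright, so the server only has to remember authenticators that are still inside the window.

```python
import time

class ReplayCache:
    """Hypothetical application-server replay cache bounded by clock skew."""

    def __init__(self, max_skew=300, now=time.time):
        self.max_skew = max_skew   # per-server "looseness" in seconds (assumed value)
        self.now = now             # injectable clock so the behaviour can be tested
        self.seen = {}             # (client, ctime, cusec) -> last second it is acceptable

    def _purge(self, current):
        # An entry whose timestamp has left the skew window would be rejected
        # by the skew check anyway, so it no longer needs to be stored.
        for key in [k for k, last in self.seen.items() if last < current]:
            del self.seen[key]

    def check(self, client, ctime, cusec):
        """Classify one authenticator as 'ok', 'skew' or 'replay'."""
        current = self.now()
        self._purge(current)
        if abs(current - ctime) > self.max_skew:
            return "skew"          # too old, or too far in the future
        key = (client, ctime, cusec)
        if key in self.seen:
            return "replay"        # identical authenticator already accepted
        self.seen[key] = ctime + self.max_skew
        return "ok"

def demo():
    """Run constructed sample authenticators against a fake clock."""
    clock = [1_000_000.0]
    cache = ReplayCache(max_skew=300, now=lambda: clock[0])
    client = "alice@EXAMPLE.COM"   # constructed principal name
    results = [
        cache.check(client, 1_000_000, 10),   # first presentation
        cache.check(client, 1_000_000, 10),   # same authenticator again
        cache.check(client, 999_000, 10),     # timestamp 1000 s in the past
    ]
    clock[0] += 301                           # window for the first one closes
    results.append(cache.check(client, 1_000_000, 10))
    return results, len(cache.seen)

if __name__ == "__main__":
    print(demo())
```

A larger skew tolerates worse clocks but makes the cache hold entries longer, which is the trade-off behind making the looseness configurable per server.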