Kerberos doesn’t solve denial-of-service attacks. The
protocol has places where an intruder can prevent an application from
participating in the proper authentication steps. Detecting and resolving
such attacks, some of which can look like common failure modes of the
system, is usually best left to human administrators and users.
Principals must keep their secret keys secret. If an intruder somehow steals a
principal’s key, the villain can masquerade as that principal or impersonate
any server to the legitimate principal.
Kerberos doesn’t solve password-guessing attacks. If a user
chooses a poor password, an attacker can successfully mount an off-line
dictionary attack. The attacker repeatedly attempts to decrypt messages
encrypted under a key derived from the user’s password, trying successive
entries from a dictionary.
Kerberos is also vulnerable to clock synchronization
attacks. Each host on the network must have a clock “loosely synchronized” to
the time of the other hosts. This synchronization serves to reduce the
bookkeeping needs of application servers when they perform replay detection.
The degree of “looseness” can be configured per server. If
the clocks are synchronized over the network, the clock synchronization
protocol must itself be secured from network attackers.
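
The following added example (not code from the original page or from any Kerberos implementation) sketches how an application server can combine a clock-skew window with a replay cache, and why loose synchronization keeps the cache small. The class name, the 300-second window and the sample principal are assumptions, and the cache key is simplified to client, timestamp and microseconds.

```python
import time

class ReplayCache:
    """Replay detection with a clock-skew window (illustrative sketch)."""

    def __init__(self, max_skew=300):
        # max_skew is the per-server "looseness" in seconds (assumed value).
        self.max_skew = max_skew
        self._seen = {}  # (client, ctime, cusec) -> authenticator timestamp

    def _purge(self, now):
        # Anything older than the window is rejected on its timestamp alone,
        # so the server does not need to remember it. This is the bookkeeping
        # saving that loose clock synchronization buys.
        cutoff = now - self.max_skew
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]

    def check(self, client, ctime, cusec, now=None):
        """Return 'ok', 'skew' or 'replay' for one authenticator."""
        now = time.time() if now is None else now
        self._purge(now)
        if abs(now - ctime) > self.max_skew:
            return "skew"
        key = (client, ctime, cusec)
        if key in self._seen:
            return "replay"
        self._seen[key] = ctime
        return "ok"

    def size(self):
        return len(self._seen)

def demo():
    # Constructed sample values, not captured traffic.
    t0, who = 1_700_000_000, "alice@EXAMPLE.COM"
    rc = ReplayCache(max_skew=300)
    results = [
        rc.check(who, t0, 42, now=t0 + 2),    # first presentation
        rc.check(who, t0, 42, now=t0 + 60),   # same authenticator, in window
        rc.check(who, t0, 42, now=t0 + 301),  # stale: timestamp alone rejects
        # Server clock stepped back by an untrusted time source: the purged
        # entry is accepted again, hence the need to secure synchronization.
        rc.check(who, t0, 42, now=t0 + 10),
    ]
    return results, rc.size()

if __name__ == "__main__":
    print(demo())
```

A smaller `max_skew` shrinks both the cache and the window in which a captured authenticator is usable, at the cost of rejecting clients whose clocks drift.
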
Principal identifiers should not be recycled. A typical mode
of access control uses Access Control Lists to grant permissions to particular
principals. An Access Control List is attached to any object that requires
restricted access. The list should consist only of principal identifiers, although
group identifiers are usually allowed. When a user wants to make use of the
object, the operating system checks the Access Control List. If the user is
listed as an authorized principal, access is granted. If a stale list entry
remains for a deleted principal and the principal identifier is reused, the new
principal inherits rights specified in the stale entry. Not reusing principal
identifiers removes the danger of inadvertent access. Kerberos does not at this
time coordinate or manage Access Control Lists. This entire problem is referred
to as object reuse. Any system that seeks government security certification
must control object reuse and prevent it from occurring.