ad-assurance - [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
List archive
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos
- Date: Mon, 17 Jun 2013 21:18:32 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none
Hopefully you can find my replies amongst the inline text… From: [mailto:]
On Behalf Of Eric Goodman The Kerberos encryption types can be configured for AES, but the problem comes in when the RC4-HMAC (or ARCFOUR-HMAC) encryption type is used. I don’t really know if it can be safely removed or if that would break
something. See note at bottom for an example. Right, AES (which I interpret as equivalent to “Kerberos Armoring”) is an approved algorithm; however, it requires a uniformity of OS levels (I thought it was Win8+, but your statements below imply Vista+) that
may or may not be realistic at each campus. This is an open question for discussion with Microsoft. ***I understood the Kerberos Armoring to be the “FAST” update to the Kerberos protocol. For securing the authentication traffic, with sufficiently high entropy (at the Silver level) the Kerberos protocol may be resistant to the eavesdropping and replay attacks. I still object to using entropy (or at least entropy at the order of magnitude required by Silver) as an argument of resistance to anything but brute forcing passwords. With encryption mechanisms that are attackable
through non-brute force methods (i.e., statistical attacks; which is where my understanding* is that RC4 is weak), I’m not clear entropy of the password has any direct impact on the security of the password.
I’m not arguing whether it is sufficiently resistant to the attacks, just about the use of 2^30ish level of entropy as justifying resistance in this case. *** This goes back to SP 800-63-1 where Kerberos is deemed acceptable
for password-based-key-derivation if sufficient entropy is employed specifically related to brute-force off-line guessing i.e. “When
Kerberos authentication is based on passwords, the protocol is known to be vulnerable to off-line dictionary attacks by eavesdroppers who capture the initial user-to- KDC exchange. Longer password length and complexity provide some mitigation to this vulnerability,
although sufficiently long passwords tend to be cumbersome for users. ”
--- per our discussions we had said perhaps 12 character would meet “on the order of 280 resistance”. That leaves some question about 8 or 9 characters, which can meet Silver entropy.
As a side note, I am not sure AD:DS even complies with InCommon Bronze because 4.2.3.4 is applicable for Bronze AND Silver. However, we don’t mention anything about Bronze in the cookbook. I believe you’re looking at an older IAP/IAAF here. In v1.2, 4.2.3.4 and 4.2.3.6 are Silver only. The only Bronze requirement here is: 4.2.3.5 (B) BASIC PROTECTION OF AUTHENTICATION SECRETS 1. Authentication Secrets shall not be stored as plaintext. Access to stored Secrets and to plaintext copies shall be protected by discretionary access controls that limit access to administrators
and applications that require access. 2. Plaintext passwords or Secrets shall not be transmitted across a network. *** I should have checked first. Good catch! That means someone is paying attention.
J I must have
been thinking of 4.2.5 (Authentication Process) that applies to both. Which is arguably met even by LMHASHES.
--- Eric *Beware reading too much accuracy into my understanding of cipher suites. From:
[]
On Behalf Of Capehart,Jeffrey D Some of the recommendations in the revised cookbook are for configuring to meet, and some require an alternative means proposal. We have been looking at the stored authentication secrets as not meeting the criteria because of no variable salting and not using approved algorithms. Although I don’t think it would be possible to eliminate the NTLM “hash” from Active Directory, the Kerberos V5 side of AD:DS seems capable of meeting the requirements. The Kerberos encryption types can be configured for AES, but the problem
comes in when the RC4-HMAC (or ARCFOUR-HMAC) encryption type is used. I don’t really know if it can be safely removed or if that would break something. See note at bottom for an example. There had been some discussion about doing a Kerberos section that could apply perhaps to both MIT-Kerberos V5 and AD:DS Kerberos V5 for both
Encrypting Passwords at Rest (4.2.3.4 etc.) and Securing Authentication Traffic (4.2.3.6 etc). According to the V5 protocol, each key is variable salted, and encryption types can be controlled to restrict
them to only approved algorithms. This would meet the stored authentication secrets requirement without requiring encrypting the hard drive with Bitlocker. For securing the authentication traffic, with sufficiently high entropy (at the Silver level) the
Kerberos protocol may be resistant to the eavesdropping and replay attacks. However, the cookbook says that Kerberos armoring is needed. As a side note, I am not sure AD:DS even complies with InCommon Bronze because 4.2.3.4 is applicable for Bronze AND Silver. However, we don’t mention anything about Bronze in the cookbook. - Jeff Vista and Windows Server 2008 clients are unable to access cluster names with AES-encrypted Kerberos tickets http://support.microsoft.com/kb/961302 ·
Windows Vista introduced support for AES-encrypted Kerberos tickets, 128-bit and 256-bit ·
AES encryption cannot be used for Kerberos negotiation with cluster names; only up to RC4-HMAC is supported. Jeff Capehart, CISA |
- [AD-Assurance] Cookbook items - RC4-HMAC and Kerberos, Capehart,Jeffrey D, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Eric Goodman, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Capehart,Jeffrey D, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Eric Goodman, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Capehart,Jeffrey D, 06/17/2013
- [AD-Assurance] RE: Cookbook items - RC4-HMAC and Kerberos, Eric Goodman, 06/17/2013
Archive powered by MHonArc 2.6.16.