Access Denied: Using Passwords with Kerberos

In upgrading the last of our pre­Windows 2000 computers for security reasons, we want to address the cracking of user passwords by possible eavesdroppers on the network who could sniff and crack Windows NT LAN Manager (NTLM) authentication packets. In a pure Win2K network that uses Active Directory (AD) domain accounts, Kerberos replaces NTLM to eliminate the risks associated with NTLM authentication. However, someone claimed that Kerberos is also vulnerable to sniffing and subsequent cracking. Is that true? If it is, how can we avoid the problem?

Any protocol can be sniffed. Kerberos's overall design and use of encryption and hashing technology makes it less vulnerable than NTLM to sniffing. However, Kerberos ultimately bases its ticket encryption on the security principal's key (i.e., the user's password), so weak passwords expose Kerberos to cracking.

Kerberos-cracking software is readily available on the Internet. Arne Vidstrom's KerbCrack, for example, uses a word list and brute force to provide sniffing and cracking functionality. KerbCrack can process a word list in a few seconds and a brute-force attack that uses a restricted character set in a matter of hours. As long as we use passwords, we'll need to keep them complex and avoid the use of words or other simple patterns. A fully switched network reduces the risk of someone capturing Kerberos credentials from a network drop, but switches can be tricked into rerouting traffic, and switches don't prevent network administrators from sniffing Kerberos or any other traffic from the switch itself.

If your company is willing to deploy smart cards, you can eliminate passwords from your AD domain. When a user authenticates through a smart card, Win2K automatically switches to PKINIT mode. PKINIT is a Kerberos extension that bases initial authentication on the certificate for the user whose private key is stored on the smart card. It protects all Kerberos exchanges with at least 128 bits of entropy and effectively eliminates cracking risks from today's technology.

If smart cards aren't an option, you'll need to rely on written and configured policies. Require a password at least seven characters long, and require complex passwords (e.g., passwords that include characters from at least three of four character sets—a­z, A­Z, 0­9, symbols). You can configure both these options in the Default Domain Policy Group Policy Object's (GPO's) Computer ConfigurationWindows SettingsSecurity SettingsAccount PoliciesPassword Policy folder. If you use this configuration, an attacker who has a 1.5GHz Pentium processor would need as much as a year to brute force every possible character set. If you bump the password to eight characters that come from the a­z, A­Z, and 0­9 character sets, an attacker with 1 processor could spend as many as 67 years cracking the password; someone with 100 processors at his or her disposal 24 x 7 could spend as long as 8 months.

Lockout policy provides no protection for offline cracking attacks, but having a good password policy and requiring password changes every few months helps you defend against cracking attempts. For example, if you require passwords to consist of at least seven characters drawn from the a­z, A­Z, and 0­9 character sets and require users to change their passwords every 60 days, the passwords would change before the attacker had worked through a quarter of the problem set. In conjunction with your domain's password policy, get management to back a written password policy that addresses the need for hard-to-guess passwords. Until you can upgrade everyone's computer to Win2K or later, you might want to implement NTLMv2—a "bandage" for NTLM that strengthens network authentication and defeats the current version of @stake's L0phtCrack.