1.. _dictionary: 2 3Addressing dictionary attack risks 4================================== 5 6Kerberos initial authentication is normally secured using the client 7principal's long-term key, which for users is generally derived from a 8password. Using a pasword-derived long-term key carries the risk of a 9dictionary attack, where an attacker tries a sequence of possible 10passwords, possibly requiring much less effort than would be required 11to try all possible values of the key. Even if :ref:`password policy 12objects <policies>` are used to force users not to pick trivial 13passwords, dictionary attacks can sometimes be successful against a 14significant fraction of the users in a realm. Dictionary attacks are 15not a concern for principals using random keys. 16 17A dictionary attack may be online or offline. An online dictionary 18attack is performed by trying each password in a separate request to 19the KDC, and is therefore visible to the KDC and also limited in speed 20by the KDC's processing power and the network capacity between the 21client and the KDC. Online dictionary attacks can be mitigated using 22:ref:`account lockout <lockout>`. This measure is not totally 23satisfactory, as it makes it easy for an attacker to deny access to a 24client principal. 25 26An offline dictionary attack is performed by obtaining a ciphertext 27generated using the password-derived key, and trying each password 28against the ciphertext. This category of attack is invisible to the 29KDC and can be performed much faster than an online attack. The 30attack will generally take much longer with more recent encryption 31types (particularly the ones based on AES), because those encryption 32types use a much more expensive string-to-key function. However, the 33best defense is to deny the attacker access to a useful ciphertext. 34The required defensive measures depend on the attacker's level of 35network access. 36 37An off-path attacker has no access to packets sent between legitimate 38users and the KDC. An off-path attacker could gain access to an 39attackable ciphertext either by making an AS request for a client 40principal which does not have the **+requires_preauth** flag, or by 41making a TGS request (after authenticating as a different user) for a 42server principal which does not have the **-allow_svr** flag. To 43address off-path attackers, a KDC administrator should set those flags 44on principals with password-derived keys:: 45 46 kadmin: add_principal +requires_preauth -allow_svr princname 47 48An attacker with passive network access (one who can monitor packets 49sent between legitimate users and the KDC, but cannot change them or 50insert their own packets) can gain access to an attackable ciphertext 51by observing an authentication by a user using the most common form of 52preauthentication, encrypted timestamp. Any of the following methods 53can prevent dictionary attacks by attackers with passive network 54access: 55 56* Enabling :ref:`SPAKE preauthentication <spake>` (added in release 57 1.17) on the KDC, and ensuring that all clients are able to support 58 it. 59 60* Using an :ref:`HTTPS proxy <https>` for communication with the KDC, 61 if the attacker cannot monitor communication between the proxy 62 server and the KDC. 63 64* Using FAST, protecting the initial authentication with either a 65 random key (such as a host key) or with :ref:`anonymous PKINIT 66 <anonymous_pkinit>`. 67 68An attacker with active network access (one who can inject or modify 69packets sent between legitimate users and the KDC) can try to fool the 70client software into sending an attackable ciphertext using an 71encryption type and salt string of the attacker's choosing. Any of the 72following methods can prevent dictionary attacks by active attackers: 73 74* Enabling SPAKE preauthentication and setting the 75 **disable_encrypted_timestamp** variable to ``true`` in the 76 :ref:`realms` subsection of the client configuration. 77 78* Using an HTTPS proxy as described above, configured in the client's 79 krb5.conf realm configuration. If :ref:`KDC discovery 80 <kdc_discovery>` is used to locate a proxy server, an active 81 attacker may be able to use DNS spoofing to cause the client to use 82 a different HTTPS server or to not use HTTPS. 83 84* Using FAST as described above. 85 86If :ref:`PKINIT <pkinit>` or :ref:`OTP <otp_preauth>` are used for 87initial authentication, the principal's long-term keys are not used 88and dictionary attacks are usually not a concern. 89