Firewall Wizards mailing list archives

Re: Lotus Domino as an access control to internal network


From: Aleph One <aleph1 () dfw net>
Date: Fri, 6 Mar 1998 13:11:48 -0600 (CST)

On Fri, 6 Mar 1998, Rik Farrow wrote:

I am talking about using Notes as an agent for guessing a
user's password, and suggesting that this password will also be used
anywhere the user has access within an organization: terminal
servers, not connected to the Domino server, other servers
such as Netware or NT servers. Notes makes a dandy and practically
undetectable mechanism for password guessing, and the password
guessed very likely will be in use elsewhere.

I see where you're coming from now. Do note that there is no way for Notes
to prevent this. Even if the Notes client or server software tracked bad
login attempts and disabled accounts when a threshold is reached the
attacker could write custom software that attempted to guess the password
off-line as long as he has the USER.ID file and he can recognize when the
USER.ID file has been decrypted correctly.

This is a feature of all applications and protocols that use passwords to
protect secret keys. The same thing applies to your web based certificates
and other such instruments as Peter Gutmann's work in cracking Internet
Explorer PKCS-12 key files shows.

It goes even deeper than that. You can crack off-line c/r protocols such as
Microsoft's (see L0phtcrack), Kerberos's encrypted tickets, or even
standard unix passwords.

The similarity between all these cases is that the attacker has enough
information (either the encrypted ticket, encrypted certificate, the
challenge response, the password hash, etc.) to mount an off-line attack and
verify when the attack has succeeded.

The only reason that Notes is more tempting for an attacker to
brute force in your example is because you are assuming that the attacker
has obtained access to the USER.ID file, but to obtain that file you must
also assume that the attacker has gotten access to the user's laptop at which
point he can just as easily access the .PWL files (in Windows 95's case)
or the SAM database (in Windows NT's case), both of which you can attack
by brute force just as easily (more easily?) than the USER.ID file.

There are a few protocols that don't have this drawback. The one I have been
looking at lately is Secure Remote Password (SRP) developed at Stanford
by Tom Wu. It looks like a wonderful protocol (then again I am no
cryptographer so my opinion is not worth much) based in zero-knowledge
and does not require the client or server to maintain any secret
and does not require the client or server to maintain any secret
information in storage.

http://srp.stanford.edu/srp/


Regards,
Rik


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
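
An SRP-6a style exchange with both sides' messages, added here as an illustration and not part of the original message or of the Stanford SRP code. It shows that a password guess can only be checked through a live exchange the server can count. The toy group, the hash encoding and the names `Server`, `make_verifier` and `client_login` are assumptions of this example.

```python
import hashlib, hmac, secrets

# Toy group (assumption): 2**255 - 19 is prime but is not a vetted SRP group;
# real deployments use a standardized group such as those in RFC 5054.
N, g = 2**255 - 19, 2

def H(*parts):
    """SHA-256 over length-prefixed ints/bytes, as an int (encoding is this example's own)."""
    h = hashlib.sha256()
    for p in parts:
        b = p.to_bytes(32, "big") if isinstance(p, int) else p
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def make_verifier(user, password):
    """Enrollment: the server keeps (salt, v), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user.encode(), password.encode()), N)

class Server:
    def __init__(self):
        self.db, self.failures, self.pending = {}, {}, None

    def challenge(self, user, A):
        if A % N == 0:
            raise ValueError("illegal client value A")
        salt, v = self.db[user]  # a stolen v still permits offline guessing: protect it
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        S = pow(A * pow(v, H(A, B), N) % N, b, N)
        self.pending = (user, H(A, B, H(S)))
        return salt, B

    def verify(self, M1):
        user, expected = self.pending
        ok = hmac.compare_digest(M1.to_bytes(32, "big"), expected.to_bytes(32, "big"))
        if not ok:  # every wrong guess is a live exchange the server can count
            self.failures[user] = self.failures.get(user, 0) + 1
        return ok

def client_login(server, user, password):
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(user, A)  # on the wire: user, A, salt, B, then M1
    if B % N == 0:
        raise ValueError("illegal server value B")
    u, x = H(A, B), H(salt, user.encode(), password.encode())
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return server.verify(H(A, B, H(S)))
```

The values that cross the wire (`A`, `salt`, `B`, the proof `M1`) depend on the ephemeral secrets `a` and `b`, so a recorded exchange does not give an eavesdropper a way to test candidate passwords without the server.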


