The flaw Purdue University researchers made known last week in Kerberos, the MIT-authored authentication system that guards computer networks, has been corrected, says Jeffrey I. Schiller, MIT network manager and one of the developers of the cryptography-based Kerberos. The flaw was reported in the Wall Street Journal on February 20.
"The MIT environment today is secure," Mr. Schiller said, and end-users do not have to obtain new versions of Kerberos software. MIT is making its changes to Kerberos freely available outside the Institute, Mr. Schiller said.
Kerberos authenticates network users as they log in without making critical information (passwords, for example) available over the network.
Mr. Schiller said that when reports were heard last week that Kerberos had been "broken," the network staff made a close examination of the software. There are two primary versions of Kerberos: Version 4, the original version, and Version 5, a greatly expanded version which represents the future direction, Mr. Schiller said.
At the heart of most cryptographic systems, including Kerberos, is a random number generator. Attempts to thwart security systems depend on being able to "second-guess" the random numbers being used. The MIT examination of Kerberos revealed that the Version 4 random number generation software was weaker than had been thought. It was this weakness that the Purdue team targeted. The Version 5 random number generator is much stronger.
"In roughly three hours," Mr. Schiller said, "we retrofitted the Version 5 random number generator into the Version 4 Key Distribution Center, fully tested it, and put it in production at MIT."
The problem uncovered by the Purdue researchers can be repaired quickly, Mr. Schiller said. "MIT is making its Version 4 changes available to all sites that have Version 4 Kerberos, both directly and via the Computer Emergency Response Team (CERT) at Carnegie Mellon University." CERT is a government-funded center which monitors Internet security