[ Last changed: 20th March 1997 ]
The 'Internet Worm' exploited poorly chosen passwords to gain access to a very large number of computers; the UNIX password system is known to be weak against guessing attacks. It is less well known that many, if not most, authentication protocols are also subject to similar guessing attacks.
Several years ago a group of us (Li Gong, Jerry Saltzer, Roger Needham, and myself) proposed a technical solution to this problem. Our solution has been adopted by some, but not all, designers of cryptographic protocols.
I intend to demonstrate how one might break the schemes that did not adopt our suggestions. In particular I shall show how to break 'C2 secure' SunOS, NFS, and Kerberos. I'll also show how these schemes may be changed to protect against such attacks.