Money and Investing Update

Tuesday, February 20, 1996

Major Flaw in Internet Security System Is Discovered by Two Purdue Students

By JARED SANDBERG
Staff Reporter of The Wall Street Journal

Two Purdue University students discovered a major flaw in a well-regarded Internet security system used by financial institutions, government agencies and universities, giving another black eye to electronic commerce.

The flaw, found in the widely used Kerberos software developed 10 years ago by the Massachusetts Institute of Technology, International Business Machines Corp. and Digital Equipment Corp., could allow a hacker to penetrate corporate networks in about 5.8 seconds. The hacker could read confidential mail, access private files under certain circumstances and masquerade as an authorized user.

The flaw was first identified by a Purdue graduate student, Steven Lodin, when, in October, news of two Berkeley students' discovery of a Netscape software flaw came to light. With the help of Bryn R. Dole, Mr. Lodin broke into the Kerberos software.

Almost identically to that flaw, the software generates a random number, which it uses to construct a private electronic key. But, then as now, the random number isn't so random. Of the 70 quadrillion possible numbers from which the key could be generated, the earlier version of Kerberos constructs the key from a much smaller selection of about a million numbers, making it far easier for computers to guess the key.

"Once you know it's there, it's really trivial to exploit," said Eugene Spafford, associate professor of computer sciences at Purdue, where it took one student an afternoon to effectively pick the software lock.

Today's more powerful computer workstations are capable of many more code-breaking calculations than the machines of 10 years ago. That has made robust electronic-security methods such as Kerberos, already something of an art form among security experts, even more difficult to achieve.
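The weakness the article describes, as an added illustration that is not part of the original article or of the Kerberos code: a toy generator whose 56-bit key is a function of a roughly 20-bit seed (the "about a million" candidates), beside a hardened form, with an audit routine that measures the effective key space by enumerating every seed. The key derivation, seed size and function names are constructed for this example and do not reproduce Kerberos 4's actual algorithm.

```python
import hashlib
import math
import secrets

KEY_BYTES = 7      # 56-bit key, the DES key size Kerberos 4 session keys used
SEED_BITS = 20     # constructed: 2**20 is "about a million" candidate seeds


def weak_session_key(seed: int) -> bytes:
    """Toy model of the flaw: the key is a deterministic function of a seed
    drawn from only 2**SEED_BITS values (constructed; not the Kerberos 4 code).
    The output looks like 56 random bits but can take at most 2**SEED_BITS
    distinct values."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:KEY_BYTES]


def strong_session_key() -> bytes:
    """Hardened form: key bytes come straight from the OS CSPRNG, so the set of
    possible keys is the full 2**56 rather than the seed space."""
    return secrets.token_bytes(KEY_BYTES)


def effective_entropy_bits(seed_space: int) -> float:
    """Audit check: enumerate every seed the weak generator can start from and
    count the distinct keys it produces. log2 of that count is the real
    strength of the generator, whatever the nominal key length suggests."""
    distinct = {weak_session_key(s) for s in range(seed_space)}
    return math.log2(len(distinct))


def strength_report(seed_space: int) -> dict:
    """Compare the nominal key length with the measured effective entropy; the
    gap is the factor by which an exhaustive search is cheaper than it should be."""
    nominal = 8 * KEY_BYTES
    effective = effective_entropy_bits(seed_space)
    return {
        "nominal_bits": nominal,
        "effective_bits": effective,
        "search_reduction_factor": 2 ** (nominal - effective),
    }


if __name__ == "__main__":
    report = strength_report(1 << SEED_BITS)
    print(f"nominal key length: {report['nominal_bits']} bits")
    print(f"effective entropy:  {report['effective_bits']:.2f} bits")
    factor_bits = math.log2(report["search_reduction_factor"])
    print(f"exhaustive search is about 2**{factor_bits:.0f} times cheaper than nominal")
```

The same enumeration applied to the hardened generator has no finite seed space to walk, which is the property the fix in the later Kerberos version restores.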
In August, a French student at the Ecole Polytechnique used more than 100 high-performance workstations to break the relatively weak security "key" that the U.S. government forces Netscape Communications Corp. to use in its Internet software. Months later, two students at Berkeley discovered a new flaw in Netscape software -- a move that prompted the company to institute a program that awards the finders of security flaws a cash prize.

Jeffrey I. Schiller, one of the developers of Kerberos and network manager at MIT, acknowledged the flaw, but said that even if it were corrected, the government standard on which it is based is "at risk" considering the strength and lower cost of today's high-performance computers. "Ten years ago, bad guys couldn't afford the same kind of computer that a bank would have," he said.

Mr. Schiller said that MIT software engineers have known since 1986 about the problem, which exists in Kerberos 4.0, and fixed it in the subsequent version. Though no one knows how many people use the software, it's given away for free by MIT. Companies including Cygnus Support and Transarc Inc. still sell the faulty version.

"It's not life threatening, but it has to get fixed and it has to get fixed now," said Mr. Schiller, who notified the Computer Emergency Response Team, a government-funded center that monitors Internet security vulnerabilities. The center is expected to issue a warning about the problem this week.

"It's a significant problem," said William R. Cheswick, security researcher at Bell Laboratories, a unit of Lucent Technologies Inc. "People don't use Kerberos unless they really have something they want to protect. It's not a flaw on a car door lock, it's a flaw on the bank vault lock," he said.

Cygnus Support, a Mountain View, Calif., company, said it independently found and fixed the flaw.
Cygnus said it is in the process of converting its users to Version 5 of the product, which is not as vulnerable to an attack like the one done at Purdue. Clifford Neuman, a University of Southern California scientist who was one of the principal designers of Kerberos, believes most large companies have moved to the safer version already. "I would not consider it all that significant," he said of the flaw.

-- Don Clark contributed to this article

Copyright © 1996 Dow Jones & Company, Inc. All Rights Reserved.