alt Hacker NewsMicrosoft will finally kill obsolete cipher that has wreaked decades of havoc
Comments
Given the time it's been since deprecated, I'm assuming most older versions of Windows since 2000 and Samba have long since supported more secure options... though from some comments even the more secure options are relatively weak by today's standards as well.
Aside: still hate working in orgs where you have a password reset multiple times a year... I tend to use some relatively long passphrases, if not the strongest possible... (ex: "ThisHasMyNewPassphrase%#23") I just need to be able to remember it through the first weekend each time I change without forgetting the phrase I used.
How did RC4 become so widespread when it came from a leak? Additionally, why was it the de facto standard stream cipher in the 90s, even though it was known to be flawed? Just the speed?
Reasonable! Anyone who cares about AD security has been AES-only for at least a year now, and most likely much longer, and it's not like these mitigations are especially hard, unless you're still running some seriously obsolete software.
What's the use case of a stream cipher when AES can be turned into a stream with a little XOR-ing?
The common asrep roast kerberos etype I see now is aes/18 (https://www.iana.org/assignments/kerberos-parameters/kerbero...).
I was looking at this guy's benchmark here: https://gist.github.com/Chick3nman/32e662a5bb63bc4f51b847bb4...
Etype 23 (rc4-hmac) gets ~3500 kH/s, 18 (aes256-cts-hmac-sha1-96) gets roughly 2500 kH/s. Big difference, but somehow I thought it would be much bigger? 2.5M guesses/second is still not so bad.
I've done kerberoasting and aseproasting a handful of times only, but from what I recall, RC4 can be cracked within reasonable time regardless of your password complexity. But with AES if you have a long and complex service account password, it will take decades/centuries to crack. But (!!) it is still quite common to use relatively weak passwords for service accounts, a lot of times the purpose of the service is included in the password so it makes guessing a bit easier.
My criticism is that Kerberos (as far as I'm aware) does not provide modern PBKDFs (keyed argon2?) that have memory-hardness in place. That might be asking too much, so why doesn't Microsoft alert directory administrators (and security teams) when someone is dumping tickets for kerberoasting by default? It's not common for any user or service to request for tickets for literally all your service accounts. Lastly, Microsoft has azure-keyvault in the cloud, but they're so focused on cloud, they don't have an on-prem keyvault solution. If a service account is compromised, you still have to find everything that uses it and change the password one by one. Where if there was a keyvault-like setup, you could more easily change passwords without causing outages.
Rotating the KDC/krbtgt credential is also still a nightmare.
From what bits I've heard, Microsoft expects its users to be using EntraId instead of on-prem domains (computers joined directly to entra-id instead of domain controllers). That's a nice dream, but in reality 20 years from know there will still be domain controllers on enterprise networks.
Microsoft does not have the power to stop me from using this cipher.
"RC4, short for Rivist Cipher 4". No, "Ron's Code 4".
And the default will now be AES-SHA1, where SHA-1 is to be deprecate by NIST in 2030. (https://www.nist.gov/news-events/news/2022/12/nist-retires-s...)
Author D.Goodin... ok,we know it's wrong. Just how badly wrong takes effort to discover.
There are so many problems with this article and the previous one it references (How weak passwords and other failings led to catastrophic breach of Ascension).
Specifically, RC4 is a stream cipher. Yet, much of the discussion is around the weakness of NTLM, and NTLM password hashes which use MD4, a hash algorithm. The discussion around offline cracking of NTLM hashes being very fast is correct.
More importantly though, the weakness of NTLM comes from a design of the protocol, not a weakness with MD4. Yes MD4 is weak, but the flaws in NTLM don't stem specifically from MD4.
Dan Goodin's reporting is usually of high quality but he didn't understand the cryptography or the protocols here, and clearly the people he spoke to didn't help him to understand.
EDIT: let me be more clear here. MS is removing RC4 from Kerberos, which is a good thing. But the article seems to confuse various NTLM authentication weaknesses and past hacks with RC4 in Kerberos.