[2023] in Kerberos
Re: What types of applications have been Kerberized? contd....
daemon@ATHENA.MIT.EDU (Li Gong)
Wed Jul 1 16:25:28 1992
Date: Wed, 1 Jul 1992 13:43:36 GMT
From: li@oracorp.com (Li Gong)
To: kerberos@shelby.Stanford.EDU
In bagate!socrates!bf4grjc (Ravi Ganesan (301) 595-8439) writes:
>Good point. However, from a real world perspective I do not see cleartext
>problems as THE major problem (notice I did not say A major problem). Password
>guessing, password sharing (intentional/unintentional) is the much bigger
>problem. This is orthogonal to the problems Kerberos attacks (though with
>the proposed public-key extensions (simultaneously suggested by AT&T Bell
>Labs and Bellcore) dictionary attacks can be reduced).
Any more details on this extension? Who in Bellcore is working on
this? I know of the paper by Bellovin and Merritt (of Bell Labs). By
the way, the extensions suggested by the following paper will
*eliminate* the possibility of password-guessing, and I understand
that the Kerberos people were among the first to be informed of this
scheme back in the spring of 1989. Note that the title says
*reducing* risks since guessing is just one risk.
T.M.A. Lomas, L. Gong, J.H. Saltzer, and R.M. Needham, ``Reducing
Risks from Poorly Chosen Keys'', in Proceedings of the 12th ACM
Symposium on Operating System Principles, Litchfield Park, Arizona,
December, 1989, pp.14-18. Published as {\em ACM Operating Systems
Review}, Vol.23, No.5.
Li
--
Li GONG, PhD | Email : li@oracorp.com
ORA Corporation | Fax : 607-277-3206
301A Dates Drive | Switch : 607-277-2020
Ithaca, New York 14850, USA | Direct : 607-272-0736 (dial 217 on tone)