[3898] in Kerberos
re: Digital Pathways SNK
daemon@ATHENA.MIT.EDU (Chris Gorsuch)
Thu Sep 22 14:10:58 1994
Date: Thu, 22 Sep 1994 12:56:05 -0500
From: chrisg@lobby.ti.com (Chris Gorsuch)
To: kerberos@MIT.EDU
It was mentioned at a previous IETF conference (Seattle?) and someone
from OCSG said they would take a look at it. Having spent a few weeks
writing code compatible with SNK cards, I sent him instructions on how
the cards work. Whether those changes were ever rolled in is another
matter. I don't have the name handy, but maybe they can give us an
update? I have only half looked at how to actually incorporate the cards
into Kerberos, it could be handled several ways. However, the code
to interface with the cards is trivial.
step 1: make sure your password, after being mangled (parity checked)
by your DES code, matches the password stored in your SNK.
step 2: encrypt an 8-character string with your DES library.
step 3: display the output in hex (now 16 characters) and throw away the
last 8.
step 4: encrypt the same string with your SNK and verify that they match.
Plus, since they are throwing away 8 (hex representation) characters with
the card, it is useless as an encryption engine and thus exportable (check
with them for necessary licenses...).
With kerberos what you might do is give the user a counter and a card, the
first time they log on, their ticket will be encrypted with
E[Esnk(counternumber)](ticket).
That is, encrypt your counter number with your card; it will display 8
characters; decrypt your ticket with those 8 characters. Update your counter.
Warning: this runs into problems with the counter being out of sync. It would
be much nicer if there was a way to have the challenge accompany the ticket.
This may be possible, I haven't examined kerberos's finer options to see if
it is possible.
Security Warning: This reduces your key space significantly since only the
characters 0..9 a..f can be used as keys. This example was meant mostly to
explain the usage of the cards, and not to suggest this be used as a secure
system.
Chris Gorsuch
Information Security
Texas Instruments
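The card interface from steps 1-4 and the counter-based ticket scheme sketched above, as an added Go example that is not part of the original post. It assumes an 8-character password with per-byte odd parity as the card key (a simplification; Kerberos's real string_to_key is not this), a zero-padded decimal counter as the challenge, and DES-CBC with a zero IV for the ticket; all function names are hypothetical. It also counts how many DES keys the 8 displayed hex characters can actually produce, since DES ignores the low bit of every key byte.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
)

// oddParity forces the low bit of each key byte so the byte has odd parity:
// the "mangled (parity checked)" password of step 1. DES ignores that bit.
func oddParity(raw []byte) []byte {
	key := make([]byte, len(raw))
	for i, b := range raw {
		b &^= 1
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		key[i] = b
	}
	return key
}

// snkResponse is steps 2 and 3: DES-encrypt an 8-character challenge, render
// the block as 16 hex digits, keep the first 8 (what the card displays).
func snkResponse(key, challenge []byte) (string, error) {
	if len(challenge) != des.BlockSize {
		return "", fmt.Errorf("challenge must be %d bytes, got %d", des.BlockSize, len(challenge))
	}
	block, err := des.NewCipher(key) // rejects anything but an 8-byte key
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, challenge)
	return hex.EncodeToString(out)[:8], nil
}

// counterChallenge is the 8-character string the user types into the card.
// Assumed format: zero-padded decimal counter.
func counterChallenge(counter uint32) []byte {
	return []byte(fmt.Sprintf("%08d", counter))
}

// ticketCipher builds E[Esnk(counter)]: the card's 8 displayed hex
// characters, parity-fixed, are used directly as the DES key.
func ticketCipher(cardKey []byte, counter uint32) (cipher.Block, error) {
	resp, err := snkResponse(cardKey, counterChallenge(counter))
	if err != nil {
		return nil, err
	}
	return des.NewCipher(oddParity([]byte(resp)))
}

// cbcZeroIV runs one CBC pass (encrypt or decrypt) with a zero IV. That mode
// and IV are assumptions for the illustration, not what Kerberos does.
func cbcZeroIV(cardKey []byte, counter uint32, in []byte, decrypt bool) ([]byte, error) {
	if len(in)%des.BlockSize != 0 {
		return nil, errors.New("input length must be a multiple of 8")
	}
	block, err := ticketCipher(cardKey, counter)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	var mode cipher.BlockMode
	if decrypt {
		mode = cipher.NewCBCDecrypter(block, iv)
	} else {
		mode = cipher.NewCBCEncrypter(block, iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out, nil
}

// wrapTicket is the server side; unwrapTicket the client side. If the
// client's counter is out of sync, a different key results and the ticket
// decrypts to garbage, the problem the post warns about.
func wrapTicket(cardKey []byte, counter uint32, ticket []byte) ([]byte, error) {
	return cbcZeroIV(cardKey, counter, ticket, false)
}

func unwrapTicket(cardKey []byte, counter uint32, wrapped []byte) ([]byte, error) {
	return cbcZeroIV(cardKey, counter, wrapped, true)
}

// effectiveKeySpace counts the DES keys that 8 characters from "0..9a..f" can
// produce once the parity bit DES ignores is dropped: the 16 ASCII codes
// collapse to 9 distinct 7-bit values, so 9^8 keys, far below 2^56.
func effectiveKeySpace() uint64 {
	seen := map[byte]bool{}
	for _, c := range []byte("0123456789abcdef") {
		seen[c&^1] = true
	}
	n := uint64(1)
	for i := 0; i < des.BlockSize; i++ {
		n *= uint64(len(seen))
	}
	return n
}

func main() {
	cardKey := oddParity([]byte("ti-snk01")) // constructed password shared with the card
	ticket := []byte("TICKET0123456789")     // constructed 16-byte ticket
	resp, _ := snkResponse(cardKey, counterChallenge(1))
	fmt.Println("card displays:", resp)
	wrapped, _ := wrapTicket(cardKey, 1, ticket)
	got, _ := unwrapTicket(cardKey, 1, wrapped)
	fmt.Println("counter in sync, ticket recovered:", bytes.Equal(got, ticket))
	got, _ = unwrapTicket(cardKey, 2, wrapped)
	fmt.Println("counter out of sync, ticket recovered:", bytes.Equal(got, ticket))
	fmt.Println("DES keys reachable from 8 hex characters:", effectiveKeySpace())
}
```

The parity step matters for compatibility (step 1): the card and the host must agree on the key bytes, and a host that stores the raw password while the card stores the parity-adjusted one will still produce the same DES output, because DES discards that bit. The same fact is what shrinks the ticket key space well beyond the 16^8 the hex alphabet alone suggests.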