[4895] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Proposal for a SmartCard-Kerberos Implementation

daemon@ATHENA.MIT.EDU (John Hascall)
Fri Mar 31 08:13:20 1995

To: kerberos@MIT.EDU
Date: 31 Mar 1995 12:51:03 GMT
From: john@iastate.edu (John Hascall)

Kenneth D. Renard  <kdrenard@arl.mil> wrote:
}Unfortunately, this opens the vulnerability of the Sandia algorithm that I
}was trying to avoid.  A sniffer could capture the SecurID code via the
}unencrypted telnet and sniff the AS_REP and decrypt the TGT.

    Nope.  Note that there are *2* SecureID codes used.

John

}john@iastate.edu (John Hascall) writes:
}>Kenneth D. Renard  <kdrenard@arl.mil> wrote:
}>}Below is a proposal for a SmartCard-Kerberos implementation. ...
}>}	1. Send SecurID code to kinit process.
}>}	2. Kinit sends request to KDC with plaintext SecurID code.
}>}	3. KDC verifies SecurID code and generates TGT encrypted in host-key.
}>}	3.5. TGT traverses network from KDC to kinit encrypted in host-key.
}>}	4. Kinit decrypts TGT with host-key found in v5srvtab.

}>     Rather than having a srvtab on the host, why not have the host
}>     also run the "secure-ID" algorithm (with its own secret seed)?
}>
}>     1) user enters secure-ID code (for example, via unencrypted telnet)
}>     2) host kinit process received user secure-ID code forwards to KDC
}>     3) KDC verifies user secure-ID code, constructs TGT encrypted in
}>        hosts secure-ID code, sends to host
}>     4) host generates secure-ID code, uses to decrypt TGT
-- 
John Hascall                   ``An ill-chosen word is the fool's messenger.''

Systems Software Engineer, ISU Comp Center  +  Ames, IA  50011  +  515/294-9551

home help back first fref pref prev next nref lref last post