[4897] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Proposal for a SmartCard-Kerberos Implementation

daemon@ATHENA.MIT.EDU (Donald T. Davis)
Fri Mar 31 16:25:11 1995

From: "Donald T. Davis" <don@cam.ov.com>
To: kerberos@MIT.EDU
Date: Fri, 31 Mar 1995 16:10:19 -0500

securID codes are not suitable by themselves for use as encryption
keys, because with an 8 digit display, or even with a few digits
of PIN added, they're too short to prevent exhaustive key-search.

						-don davis, boston

}john@iastate.edu (John Hascall) writes:
}>Kenneth D. Renard  <kdrenard@arl.mil> wrote:
}>}Below is a proposal for a SmartCard-Kerberos implementation. ...
}>}	1. Send SecurID code to kinit process.
}>}	2. Kinit sends request to KDC with plaintext SecurID code.
}>}	3. KDC verifies SecurID code and generates TGT encrypted in host-key.
}>}	3.5. TGT traverses network from KDC to kinit encrypted in host-key.
}>}	4. Kinit decrypts TGT with host-key found in v5srvtab.

}>     Rather than having a srvtab on the host, why not have the host
}>     also run the "secure-ID" algorithm (with its own secret seed)?
}>
}>     1) user enters secure-ID code (for example, via unencrypted telnet)
}>     2) host kinit process received user secure-ID code forwards to KDC
}>     3) KDC verifies user secure-ID code, constructs TGT encrypted in
}>        hosts secure-ID code, sends to host
}>     4) host generates secure-ID code, uses to decrypt TGT



------- End of Forwarded Message


home help back first fref pref prev next nref lref last post