[4897] in Kerberos
Re: Proposal for a SmartCard-Kerberos Implementation
daemon@ATHENA.MIT.EDU (Donald T. Davis)
Fri Mar 31 16:25:11 1995
From: "Donald T. Davis" <don@cam.ov.com>
To: kerberos@MIT.EDU
Date: Fri, 31 Mar 1995 16:10:19 -0500
securID codes are not suitable by themselves for use as encryption
keys, because with an 8 digit display, or even with a few digits
of PIN added, they're too short to prevent exhaustive key-search.
-don davis, boston
}john@iastate.edu (John Hascall) writes:
}>Kenneth D. Renard <kdrenard@arl.mil> wrote:
}>}Below is a proposal for a SmartCard-Kerberos implementation. ...
}>} 1. Send SecurID code to kinit process.
}>} 2. Kinit sends request to KDC with plaintext SecurID code.
}>} 3. KDC verifies SecurID code and generates TGT encrypted in host-key.
}>} 3.5. TGT traverses network from KDC to kinit encrypted in host-key.
}>} 4. Kinit decrypts TGT with host-key found in v5srvtab.
}> Rather than having a srvtab on the host, why not have the host
}> also run the "secure-ID" algorithm (with its own secret seed)?
}>
}> 1) user enters secure-ID code (for example, via unencrypted telnet)
}> 2) host kinit process received user secure-ID code forwards to KDC
}> 3) KDC verifies user secure-ID code, constructs TGT encrypted in
}> hosts secure-ID code, sends to host
}> 4) host generates secure-ID code, uses to decrypt TGT
------- End of Forwarded Message