[4959] in Kerberos
Re: Kerberos vs Radius
daemon@ATHENA.MIT.EDU (Joe Kovara)
Mon Apr 10 20:45:10 1995
To: kerberos@MIT.EDU
Date: Mon, 10 Apr 1995 16:57:26 -0700
From: Joe Kovara <joek@kerby.ocsg.com>
On 10 Apr 1995, Ravi Ganesan wrote:
> Bob Gassen: You mention 'single logon' and login+kinit. We
> can assume that this handles the spoofing attack using
> some sort of "workstation service key'. Correct?
(I'll take the liberty of answering that for Bob.)
Correct. CyberSAFE's implementation is NOT open to the spoofing attack.
(And thanks for bringing this up; it's something a lot of people don't
seem to be aware of.) For the uninitiated, this is referenced in the
Kerberos RFC 1510 (Sep. '93), sec. 3.1.5, pp. 19-20: "Proper decryption
of the KRB_AS_REP message is not sufficient to verify the identity of the
user;..."
Joe Kovara / Product Development Manager / CyberSAFE / joek@cybersafe.com