[527] in Kerberos
Re: Ticket Authentication
daemon@TELECOM.MIT.EDU (Ted Anderson)
Fri Nov 4 11:12:04 1988
From: Ted Anderson <ota+@ANDREW.CMU.EDU>
To: miller%erlang.DEC@DECWRL.DEC.COM (Steve Miller), kerberos@ATHENA.MIT.EDU
In-Reply-To: <8811021547.AA02650@decwrl.dec.com>
When I was looking at variations on block chaining I considered something like
this but it seems dangerous to put the clear text one XOR from the data that
goes out over the wire. A compromise of any piece of cleartext may allow an
attack to discover certain cipher text blocks which could then be used to reveal
clear text in a different message. This is a little fuzzy but it just seemed
like a bad idea.
The important concern about the redundency of tickets is that there are large,
easily located areas of the ticket that have very low redundency (ie the name
and instance). These would make relatively easy targets for insertion attacks.
The checksum I favor is a two byte variant on the quad cksum which should be
quite cheap to implement. It costs roughly a 16x16 bit multiply and a modulus
operation per byte. This seems to run an order of magnitude faster an a single
DES so it should be a performance problem. A checksum like this has the
advantage that it protects you against any current or future problems with cbc
or its variants.
Ted Anderson
