[5669] in Kerberos
Re: authentication secure?
daemon@ATHENA.MIT.EDU (Art Houle)
Fri Aug 11 09:21:54 1995
Date: Fri, 11 Aug 1995 09:11:18 -0400 (EDT)
From: Art Houle <houle@acns.fsu.edu>
To: Sam Hartman <hartmans@MIT.EDU>
Cc: Joe Beiter <jwb@wilbur.hhisland.com>, kerberos@MIT.EDU
In-Reply-To: <199508101621.MAA19001@tertius.mit.edu>
On Thu, 10 Aug 1995, Sam Hartman wrote:
stuff deleted....
> * User dials into router over telephone line, uses Kerberos to
> authenticate, typing their password when the router prompts. The KDC
> exchange between the router and the Kerberos server is encrypted (at
> least, the interesting parts), but the conversation between the modem
> and phone line is *not* encrypted. This means that if I tap the phone
                                                          ^^^^^^^^^^^^^
> line, or something, I get the password. This is probably somewhat
> secure; it depends on how much you trust your phone lines, and on
> whether it is really phone lines involved instead of some other system
> connected to a protocol translator or something.
>
'tap the phone line..'
That is an interesting point of exposure. If this was a voice
transaction that would be simple. Since modems negotiate the modulation
scheme, it seems that connecting to the pair of wires is the easiest part
of this. Setting up a listening modem for the correct modulation scheme
would require some arcane knowledge and tools that few hackers have
access to. As someone who has hardware and software background, I see
this as the hardest part. Unless I work for a modem manufacturer, or am
willing to wirewrap my own hardware, this seems beyond the normal modem's
capabilities.
..comments?
As once mentioned in a security lecture on Kerberos, the easier
solution is to bribe someone.
Art Houle e-mail: houle@acns.fsu.edu
Academic Computing & Network Services Voice: 644-2591
Florida State University FAX: 644-8722