[585] in Kerberos
central password checking
daemon@TELECOM.MIT.EDU (Mark Lillibridge)
Tue Jan 10 13:09:51 1989
From: Mark Lillibridge <chariot@ATHENA.MIT.EDU>
To: Saltzer@ATHENA.MIT.EDU
Cc: sms-dev@ATHENA.MIT.EDU, kerberos@ATHENA.MIT.EDU
In-Reply-To: Jerome H. Saltzer's message of Mon, 9 Jan 89 13:29:02 EST <8901091829.AA09479@HERACLES.MIT.EDU>
Reply-To: chariot@ATHENA.MIT.EDU
> The scenario Mark describes presents a problem, but I believe that
> his problem is quite orthogonal to central password quality control.
> If my password is compromised, and I try to change it with a network
> message, I will be subject to the attack Mark describes, whether or
> not Kerberos wants me to send the new password for quality checking.
> The reason is that Kerberos must receive at least the key form (after
> running string-to-key over the password). The key form would go
> across the net, encrypted in a way knowable by anyone who knows my
> old password (and who has monitored the entire password-changing
> conversation between me and Kerberos). Such an intruder could read
> the new key field and use the information to acquire my credentials.
Oops! Objection withdrawn.
- Mark
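The point made in the quoted text, as an added toy model that is not code from the Kerberos project or from anyone on this thread (the string-to-key function, the cipher and the sample passwords are constructed stand-ins): whether the client sends the new password itself or only its key form, the change message is encrypted under the old key, so a captured transcript yields the new key to anyone who already knows the old password, and to nobody else.

```python
import hashlib
import hmac
import os

REALM = "ATHENA.MIT.EDU"  # used only as a salt in the toy string-to-key


def string_to_key(password: str) -> bytes:
    """Toy stand-in for Kerberos string-to-key: a 16-byte key derived
    deterministically from the password (constructed, not the real one)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(),
                               10_000, dklen=16)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy symmetric cipher: fresh nonce, HMAC-derived keystream, XOR.
    Payloads are at most 32 bytes (one SHA-256 block of keystream)."""
    assert len(plaintext) <= 32, "toy cipher handles short payloads only"
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(body, stream))


def change_password_message(old_password: str, new_password: str,
                            send_plain_password: bool = False) -> bytes:
    """What the client puts on the wire: either the new password (so the
    server can quality-check it) or just its key form, encrypted under
    the OLD key in both cases."""
    payload = (new_password.encode() if send_plain_password
               else string_to_key(new_password))
    return encrypt(string_to_key(old_password), payload)


def exposed_to_observer(message: bytes, old_password_known: str,
                        new_password: str, sent_plain_password: bool = False) -> bool:
    """True if a party who captured `message` and holds `old_password_known`
    can read the new key (or password) out of it."""
    recovered = decrypt(string_to_key(old_password_known), message)
    expected = (new_password.encode() if sent_plain_password
                else string_to_key(new_password))
    return recovered == expected
```

Run with the old password known and unknown to the observer, and with either payload form, to see that the exposure depends only on knowledge of the old password.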