[6725] in Kerberos
Re: Kerberos Weakness (COAST Findings)
daemon@ATHENA.MIT.EDU (Ray Kaplan)
Wed Feb 21 16:57:35 1996
To: kerberos@MIT.EDU
Date: 21 Feb 1996 19:57:45 GMT
From: Ray Kaplan <ray@rayk.com>
Michael Sierchio <kudzu@dnai.com> wrote:
>Steve Lodin wrote:
>>
>> There is information available on the Kerberos vulnerability incident at:
>
>I am not sure, but I believe that this is nothing new. Steve Bellovin at
>AT&T had a paper a number of years ago on weaknesses in the Kerberos
>Authentication Suite.
Yep - for those who lost track of it (as I did), it can be found at:
ftp.research.att.com - /papers/kerblimit.usenix.ps (note, they apparently
have no /pub directory)
For clarity, this is Steve Bellovin's 1991 USENIX paper pointing out
weaknesses in the Version 5, Draft 3 spec for Kerberos at the time. As time
permits, I am picking my way through the copious details to see if I can get
some ideas about exactly what in the heck this V5 "theoretical vulnerability"
might be. So far, it looks like those who are serious about security
protocols (some, but not all commercial Kerberos vendors included) have beat
the heck out of the V5 spec since this 1991 Bellovin paper.
Hope *someone* will post *some* details *soon* so some of us can return to
the normal din of the day-to-day ;) Until then, seems to be the same old
story, eh? Those that are serious about security leave few rocks unturned?
RayK 8) Ray Kaplan
Security Services - P.O. Box 23210 - Richfield, MN USA 55423
(612) 861-7198 - FAX (612) 861-3736 - www: http://www.rayk.com/rayk
ray@rayk.com - Not an expert, just a battered vet.