[862] in Kerberos
Re: Authentication vulnerabilities
daemon@ATHENA.MIT.EDU (Steve Miller 26-Dec-1989 1246)
Tue Dec 26 12:53:00 1989
From: miller@ERLANG.ENET.DEC.COM (Steve Miller 26-Dec-1989 1246)
To: "kerberos@athena.mit.edu"@DECWRL.DEC.COM
From: LYRE::"MAILER-DAEMON" "Mail Delivery Subsystem" 24-DEC-1989 17:13:34.27
To: spm
CC:
Subj: Returned mail: Cannot send message for 3 days
----- Transcript of session follows -----
421 decwrl.dec.com.tcp... Deferred: Host is unreachable
----- Unsent message follows -----
Received: by lyre.nac.dec.com (5.57/Ultrix2.4-C)
id AA00681; Thu, 21 Dec 89 16:17:59 EST
Date: Thu, 21 Dec 89 16:17:59 EST
From: spm (Steven Miller)
To: decwrl::kerberos@athena.mit.edu
Subject: Re: Authentication vulnerabilities
Cc: spm
Recent messages from Hugh Lauer and Michael Salzman discussed the
administrative vulnerabilities of various authentication systems.

In any of these systems, be it Kerberos, X.509, or others, there is
a trust in the administrative components (such as the Kerberos realm
administrator). All that the protocols can hope to achieve is to explicitly
identify which set of components are involved in a particular authentication
operation. This then gives the principals the opportunity to enforce any
policy they choose with respect to those administrative units. For example,
not granting write access to certain Kerberos realms based on not trusting
the carefulness of that realm's administration.

Kerberos V4 provides a limited form of such information, for a 1-hop
realm traversal, and V5 will provide the entire path of administrative
units (realms) involved in the operation. So an apprehensive principal
can set up their authorization to take the administrative trust into account.

The task of determining trust in an administrative unit is way beyond the
scope of computer communications. There may be applicable precedents in other
organizations such as banking or the military to deal with these
administrative issues.

Steve

p.s. Tools such as smart cards with PINs are better, but still imperfect
since they may be intentionally shared or shared under duress -- e.g.
people have been mugged and forced to obtain money from their cash machines.
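
An added example, not part of the original message: one way a service could fold the set of realms involved in an authentication into its authorization decision, so that access is capped by the least-trusted administration on the path. The realm names, the policy table and the function names are hypothetical, and the realm path is assumed to come from a ticket the service has already verified.

```python
# Access levels, ordered so that a higher number implies the lower ones.
NONE, READ, WRITE = 0, 1, 2

# Constructed local policy: the most access this service will grant when a
# given realm's administration is involved in authenticating the client.
REALM_TRUST = {
    "ENG.EXAMPLE": WRITE,
    "CORP.EXAMPLE": WRITE,
    "PARTNER.EXAMPLE": READ,
}


def realm_of(principal):
    """Return the realm part of 'name@REALM', rejecting malformed names."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return realm


def max_access(client, transited, policy=REALM_TRUST):
    """Cap access by the least-trusted realm involved in the operation.

    'transited' lists the intermediate realms between the client's realm
    and this service. Realms missing from the policy get NONE, so an
    unknown administrative unit fails closed.
    Returns (access_level, limiting_realm) so the decision can be logged.
    """
    involved = [realm_of(client), *transited]
    limiting = min(involved, key=lambda r: policy.get(r, NONE))
    return policy.get(limiting, NONE), limiting


def authorize(client, transited, requested, policy=REALM_TRUST):
    """Return (allowed, limiting_realm) for the requested access level."""
    level, limiting = max_access(client, transited, policy)
    return requested <= level, limiting


if __name__ == "__main__":
    # Constructed requests: same client realm, different realm paths.
    for path in ([], ["PARTNER.EXAMPLE"], ["UNKNOWN.EXAMPLE"]):
        print(path, authorize("alice@ENG.EXAMPLE", path, WRITE))
```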