[989] in Kerberos
Re: Why is initial user authentication done the way it is?
daemon@ATHENA.MIT.EDU (smb@ulysses.att.com)
Thu Jun 14 07:58:28 1990
From: smb@ulysses.att.com
To: "Jonathan I. Kamens" <jik@PIT-MANAGER.MIT.EDU>
Cc: kerberos@ATHENA.MIT.EDU
Date: Thu, 14 Jun 90 07:09:17 EDT
As far as I'm concerned, you're quite right -- that is a significant
weakness, and your proposed correction helps. It's by no means
perfect, though -- an intruder could tap the Ethernet and wait for
you to log in, collecting your password that way.
For one solution, see
%A T.M.A. Lomas
%A L. Gong
%A J.H. Saltzer
%A R.M. Needham
%T Reducing Risks from Poorly Chosen Keys
%P 14-18
%B Proceedings of the Twelfth ACM Symposium on Operating Systems Principles
%D December 1989
%I ACM
%V 23
%N 5
%J Operating Systems Review