[990] in Kerberos
Re: Why is initial user authentication done the way it is?
daemon@ATHENA.MIT.EDU (Jerome H Saltzer)
Thu Jun 14 13:20:15 1990
Date: Thu, 14 Jun 90 11:12:29 EDT
From: Jerome H Saltzer <Saltzer@mit.edu>
To: jik@pit-manager.mit.edu
Cc: kerberos@ATHENA.MIT.EDU
In-Reply-To: "Jonathan I. Kamens"'s message of Thu, 14 Jun 90 00:36:47 -0400 <9006140436.AA17824@PIT-MANAGER.MIT.EDU>
Jonathan,
The weakness you describe is real, and we recognized it from the
beginning of the design. At the time we didn't see a straightforward
fix (your suggestion reduces the weakness by a little, but it doesn't
eliminate it) and we figured that the best solution was that any user
can avoid the weakness by choosing a password that isn't in the
dictionary.
Last Spring, I described the problem to a group of graduate students
at the University of Cambridge, and two of them were convinced that
there must be a way to solve it. They did, and the resulting protocol
(the essence of which is that the tgt must contain only information that
looks random to anyone but the legitimate inquirer, even when correctly
decrypted) appeared in a paper in the 12th SOSP. There was some
discussion among the Kerberos developers about including the protocol
as an option in Kerberos Version V, but as I recall the people doing
that revision had enough on their hands and didn't want to throw that
into the pot, too.
Jerry
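The weakness under discussion, shown in code as an added illustration (it is not part of the original message and not the protocol from the SOSP paper): a KDC reply that decrypts under the password-derived key to something with recognisable structure lets anyone who captured it try a dictionary of passwords offline, while a reply whose decrypted content looks random under every candidate key gives the guesser nothing to check. The key derivation, the SHA-256 counter-mode stream cipher, the marker string, the dictionary and the session key are all constructed stand-ins, chosen only so the example runs with the standard library; how the legitimate client confirms it received a genuine reply is outside the example.

```python
import hashlib
import os

# Constructed stand-in for a password-to-key derivation (not Kerberos string-to-key).
def password_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Constructed stream cipher: SHA-256 in counter mode, XORed over the message.
# It stands in for the KDC's cipher; all that matters here is that decrypting
# under a wrong key yields bytes that look random.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

# Recognisable field inside the reply (constructed; any fixed, predictable
# plaintext such as a principal name or timestamp plays the same role).
MARKER = b"krbtgt/ATHENA.MIT.EDU"

# Constructed attacker dictionary.
DICTIONARY = ["password", "athena", "kerberos", "zephyr1990", "letmein"]

# Reply style 1 (the weakness): session key followed by a recognisable field,
# the whole thing encrypted under the password-derived key.
def kdc_reply_structured(password: str, session_key: bytes):
    nonce = os.urandom(16)
    return nonce, xor_crypt(password_key(password), nonce, session_key + MARKER)

# Reply style 2 (the property described above): the decrypted content is a
# fresh random session key and nothing else, so it looks random under every
# candidate key and no guess can be confirmed from the captured bytes alone.
def kdc_reply_random(password: str, session_key: bytes):
    nonce = os.urandom(16)
    return nonce, xor_crypt(password_key(password), nonce, session_key)

# Offline dictionary attack on a captured reply: a guess is confirmed when the
# decryption carries the recognisable field. Nothing is sent to the KDC.
def offline_dictionary_attack(captured, dictionary):
    nonce, ciphertext = captured
    hits = []
    for guess in dictionary:
        plaintext = xor_crypt(password_key(guess), nonce, ciphertext)
        if plaintext.endswith(MARKER):
            hits.append(guess)
    return hits

if __name__ == "__main__":
    session_key = os.urandom(32)
    # Password in the dictionary, structured reply: recovered offline.
    print(offline_dictionary_attack(kdc_reply_structured("athena", session_key), DICTIONARY))
    # Password not in the dictionary: the same attack finds nothing.
    print(offline_dictionary_attack(kdc_reply_structured("correct horse", session_key), DICTIONARY))
    # Random-looking reply: nothing to confirm a guess against, even for a weak password.
    print(offline_dictionary_attack(kdc_reply_random("athena", session_key), DICTIONARY))
```

The second run reproduces the observation that a password outside the attacker's dictionary escapes the attack; the third shows why removing every verifiable field from the reply removes the offline check entirely, which is the property the message attributes to the Cambridge protocol.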