[425] in Kerberos-V5-bugs


Preauthentication

daemon@ATHENA.MIT.EDU (mullan_s@apollo.hp.com)
Tue Mar 1 12:45:27 1994

To: krb5-bugs@MIT.EDU
Cc: mullan_s@apollo.hp.com (Sean Mullan), hondo@apollo.hp.com (Maryann Hondo)
Date: Tue, 01 Mar 94 12:45:03 -0500
From: mullan_s@apollo.hp.com

Hi,

Recently, we have been working on upgrading the Kerberos
portion of DCE with the V5 beta 3 code. We have
also been looking at how we can use the preauthentication
data in Kerberos V5 to make DCE more secure. In doing so, we
found some limitations and would like to give you some
constructive feedback on some enhancements which would make
the Kerberos preauth APIs more flexible to use:

A more flexible method is needed to compose your own
preauthentication data at the application level. The beta 3
implementation doesn't seem like it was designed to easily
allow programmers to create their own preauthentication
data in any format that is desired. A few reasons:

1) Kerberos assumes the arguments you need to compose the
   padata are always the same. There is no way to pass in
   different data (such as more than one key) to your 
   "obtain padata" routine from the application level. We think 
   there should be some way to pass in a variable argument list.

2) The same is true for the KDC when it verifies the padata.
   The current implementation assumes a fixed set of arguments
   is needed to decrypt or verify the padata, and doesn't
   allow the user to pass in additional arguments. 

3) The Kerberos API krb5_obtain_padata() is called by krb5_get_in_tkt()
   and because of this, really isn't public to the user. It may be 
   better if the user called krb5_obtain_padata() and then passed the
   returned padata to krb5_get_in_tkt(). This way a handle to the
   padata could be saved for retries.

In a case where more than one key is needed to encrypt or
decrypt the padata, the Kerberos APIs are not flexible enough
to allow the user to accomplish this.

Thanks,
Sean

************************************************************
Sean Mullan                    Phone: (508) 436-4129
Hewlett-Packard Co.         Internet: mullan_s@apollo.hp.com
300 Apollo Drive                 Fax: (508) 436-5140
Chelmsford, MA 01824
************************************************************
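The API shape the report asks for, as an added example in C. This is not libkrb5 code and not from the report's authors; every name in it is hypothetical (padata_t, preauth_mech_t, two_key_ctx_t, client_obtain_padata, kdc_verify_padata, PA_TOY_TWO_KEY), the masking and tag routines are placeholders standing in for real encryption and a keyed checksum, and the key bytes and timestamps are constructed sample values. It shows the two points the report makes: an opaque application context pointer replaces the fixed argument list (here carrying two keys, one on each side), and the client obtains the padata as a separate step, so the handle can be kept and passed into the ticket request or a retry.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types, not libkrb5's krb5_pa_data or its preauth hooks. */
#define PA_TOY_TWO_KEY 1001   /* constructed pa-type number, not an assigned value */
#define MAX_SKEW 300          /* seconds of clock skew the KDC side tolerates */

typedef struct {
    int pa_type;
    unsigned char contents[8];   /* 4 masked timestamp bytes + 4 tag bytes */
    size_t length;
} padata_t;

/* A mechanism = (obtain on the client, verify on the KDC). Both receive an
 * opaque caller-supplied context instead of a fixed argument list. */
typedef struct {
    int pa_type;
    int (*obtain)(const void *app_ctx, uint32_t now, padata_t *out);
    int (*verify)(const void *app_ctx, const padata_t *in, uint32_t now);
} preauth_mech_t;

/* Application-defined context: the "more than one key" case from the report. */
typedef struct {
    uint8_t mask_key[4];   /* placeholder for an encryption key */
    uint8_t tag_key[4];    /* placeholder for a separate checksum key */
} two_key_ctx_t;

/* Toy keyed tag: NOT a MAC, only a stand-in so the verify path has something
 * to check with the second key. */
static void toy_tag(const uint8_t key[4], const unsigned char data[4], uint8_t tag[4]) {
    for (int i = 0; i < 4; i++)
        tag[i] = (uint8_t)((data[i] ^ key[i]) + key[(i + 1) % 4]);
}

static int two_key_obtain(const void *app_ctx, uint32_t now, padata_t *out) {
    const two_key_ctx_t *k = app_ctx;
    if (!k || !out) return -1;
    for (int i = 0; i < 4; i++)   /* mask the little-endian timestamp with key 1 */
        out->contents[i] = (unsigned char)(((now >> (8 * i)) & 0xff) ^ k->mask_key[i]);
    toy_tag(k->tag_key, out->contents, out->contents + 4);   /* tag with key 2 */
    out->pa_type = PA_TOY_TWO_KEY;
    out->length = 8;
    return 0;
}

static int two_key_verify(const void *app_ctx, const padata_t *in, uint32_t now) {
    const two_key_ctx_t *k = app_ctx;
    if (!k || !in || in->pa_type != PA_TOY_TWO_KEY || in->length != 8) return -1;
    uint8_t tag[4];
    toy_tag(k->tag_key, in->contents, tag);
    /* Real code compares tags in constant time; memcmp is fine for a toy. */
    if (memcmp(tag, in->contents + 4, 4) != 0) return -2;   /* wrong tag key */
    uint32_t ts = 0;
    for (int i = 0; i < 4; i++)
        ts |= (uint32_t)(in->contents[i] ^ k->mask_key[i]) << (8 * i);
    uint32_t diff = ts > now ? ts - now : now - ts;
    return diff <= MAX_SKEW ? 0 : -3;   /* stale timestamp: skew or replay */
}

/* Registry of mechanisms, keyed by pa-type. */
static const preauth_mech_t mechs[] = {
    { PA_TOY_TWO_KEY, two_key_obtain, two_key_verify },
};

static const preauth_mech_t *find_mech(int pa_type) {
    for (size_t i = 0; i < sizeof mechs / sizeof mechs[0]; i++)
        if (mechs[i].pa_type == pa_type) return &mechs[i];
    return NULL;
}

/* Client side: a public call that builds the padata first; the caller keeps
 * the handle and passes it into the ticket request (and any retry). */
int client_obtain_padata(int pa_type, const void *app_ctx, uint32_t now, padata_t *out) {
    const preauth_mech_t *m = find_mech(pa_type);
    return m ? m->obtain(app_ctx, now, out) : -100;   /* -100: unknown pa-type */
}

/* KDC side: dispatch on pa-type and hand the KDC's own context to the verifier. */
int kdc_verify_padata(const void *app_ctx, const padata_t *in, uint32_t now) {
    const preauth_mech_t *m = in ? find_mech(in->pa_type) : NULL;
    return m ? m->verify(app_ctx, in, now) : -100;
}

/* Constructed sample contexts: same keys on both sides, and a KDC with a
 * different tag key to show the second key being checked independently. */
const two_key_ctx_t sample_keys      = { {1, 2, 3, 4}, {5, 6, 7, 8} };
const two_key_ctx_t sample_wrong_tag = { {1, 2, 3, 4}, {9, 9, 9, 9} };
```

The design choice worth noting is that the context is opaque to the dispatcher: neither `client_obtain_padata` nor `kdc_verify_padata` knows how many keys (or anything else) the mechanism needs, so adding a mechanism with a different argument set changes only that mechanism's context struct, not the framework's signatures.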
