[7478] in Kerberos

Re: A Question ...

daemon@ATHENA.MIT.EDU (Brian Schimpf)
Thu Jun 13 16:52:58 1996

Date: Thu, 13 Jun 1996 16:30:55 -0400
To: Daniel Gerber <daniel@snowgum.bendigo.latrobe.edu.au>
From: Brian Schimpf <schimpf@gradient.com>
Cc: kerberos@MIT.EDU

At 08:24 PM 6/13/96 +1000, Daniel Gerber wrote:
>Hi,
>
>	I'm a graduate student, with an interest in computer security.  I've
>been reading a bit about Kerberos, and it strikes me that the main
>limitation is that it really only works for single-user workstations.
>This seems like a really big limitation.

        Hmmm, why do you say this?  Certainly authentication systems such as
Kerberos are very useful in single-user workstation environments, but I
would say that distributed authentication services such as Kerberos are
useful when you have a resource on one system which wants to know exactly
who is requesting services when that request is coming from a remote system.
And the owner of the resource doesn't want to have to trust the security
(user authentication) on the remote system.  This certainly encompasses
single-user workstations but you could have a Kerberized application on a
multi-user system which accesses some remote service.

>	Could somebody tell me if there are any plans to implement user-level
>authentication in kerberos?  As far as I can see, this isn't implemented
>in beta6, nor planned for beta 7 is it ?

        I must not understand what you mean by user-level authentication.

>	why hasn't this problem been addressed ?  would it mean a really
>fundamental change to the kerberos system ?
>
>	While I'm wasting all your valuable time, I was wondering if anybody
>knows of any systems that implement packet level encryption?  This seems
>like the way to go for secure systems.  Am I right in saying that ?

        Both Kerberos and DCE (which is based on Kerberos) provide the
ability to encrypt the data stream going between client and server.  I
assume that's what you mean by "packet level encryption."  There are other
services that also encrypt network traffic, e.g., SSL.  And yes, that's an
important feature of secure distributed systems.  One key problem with
providing encryption is that it gets you into import/export issues,
depending on where the software is being built and where it is being used.

Thanks,

Brian



===================================================================
Brian C. Schimpf                        email: schimpf@gradient.com
Gradient Technologies, Inc.             Voice: (508) 624-9600 x214
2 Mt. Royal Avenue                      FAX:   (508) 229-0338
Marlboro, MA  01752                     http://www.gradient.com/

