Shaun Savage wrote:

Kerberos has been around for a while.
~ Is it still good?
~ Does it scale well?

********************************************

Shaun,

I'm sure other people will chime in on this, but the basic deal with Kerberos is that it has quite a few weaknesses. Among them:

*The key distribution center constitutes a single point of failure. If the KDC goes down, it can prevent users from accessing necessary resources on the network.

*Because cryptographic keys are temporarily stored on the users' workstations, the keys could potentially be obtained by an intruder.

*When session keys are decrypted, they reside in a cache or a key table on a user's workstation--again, making them susceptible to capture by an intruder.

*There's a certain amount of unpleasant administrative overhead: when a user changes his password, it changes the secret key. Thus if a user changes his password, the KDC database needs to be updated.

I know there are other weaknesses as well, but I can't recall them at the moment.

Barry Shulak
Security Consultant
A N I T I A N
http://www.anitian.com
barrys@private
Mobile: (503) 939-4051
Office: (503) 644-5656
Fax: (503) 644-8574

This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 17:18:14 PDT