Re: CRIME Kerberos what do people think?

From: Barry Shulak (barrys@private)
Date: Tue Jul 16 2002 - 16:27:30 PDT


    Shaun Savage wrote:
    
    Kerberos has been around for a while. 
    
    ~ Is it still good?
    
    ~ Does it scale well?
    
    ********************************************
    
    Shaun, I'm sure other people will chime in on this, but the basic deal with Kerberos is that it has quite a few weaknesses. Among them:
    
    * The key distribution center constitutes a single point of failure. If the KDC goes down, it can prevent users from accessing necessary resources on the network.
    
    * Because cryptographic keys are temporarily stored on the users' workstations, the keys could potentially be obtained by an intruder.
    
    * When session keys are decrypted, they reside in a cache or a key table on a user's workstation--again, making them susceptible to capture by an intruder.
    
    * There's a certain amount of unpleasant administrative overhead: when a user changes his password, it changes the secret key. Thus if a user changes his password, the KDC database needs to be updated.
    
    I know there are other weaknesses as well, but I can't recall them at the moment.
    
    
    Barry Shulak 
    Security Consultant 
    A N I T I A N  
    http://www.anitian.com 
    barrys@private   Mobile: (503) 939-4051 
    Office: (503) 644-5656  Fax: (503) 644-8574 
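
Added example, not part of the message above: a defender-side audit of the workstation files the message points to (the credential cache and the key table), flagging any that other local accounts could read. It assumes MIT Kerberos' default FILE cache naming (`/tmp/krb5cc_<uid>`) and default keytab path (`/etc/krb5.keytab`); the function name `audit_kerberos_files` is hypothetical.

```python
import os
import re
import stat

# Assumption: MIT Kerberos default FILE caches are named krb5cc_<uid>,
# optionally followed by a suffix, and live in /tmp.
CCACHE_RE = re.compile(r"^krb5cc_(\d+)")


def audit_kerberos_files(ccache_dir="/tmp", keytabs=("/etc/krb5.keytab",)):
    """Return sorted (path, problem) findings for credential caches and keytabs."""
    candidates = [(kt, None) for kt in keytabs]
    try:
        names = os.listdir(ccache_dir)
    except OSError:
        names = []
    for name in names:
        m = CCACHE_RE.match(name)
        if m:
            candidates.append((os.path.join(ccache_dir, name), int(m.group(1))))

    findings = []
    for path, expected_uid in candidates:
        try:
            st = os.lstat(path)  # lstat: never follow a planted symlink
        except OSError:
            continue  # absent or inaccessible: nothing to report
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        # Any group/other permission bit exposes tickets or long-term keys.
        if st.st_mode & 0o077:
            findings.append((path, "group_or_other_access"))
        # The uid in the cache name should match the file's owner.
        if expected_uid is not None and st.st_uid != expected_uid:
            findings.append((path, "owner_mismatch"))
    return sorted(findings)


if __name__ == "__main__":
    for path, problem in audit_kerberos_files():
        print(f"{problem}: {path}")
```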
    


