Re: CRIME Kerberos what do people think?

From: Crispin Cowan (crispin@private)
Date: Tue Jul 16 2002 - 21:24:43 PDT


    Shaun Savage wrote:
    
    > Kerberos has been around for a while. Is it still good?
    > Does it scale well?
    
    Kerberos has the advantage of scaling UP well: it was designed for large 
    organizations. It also has the advantage of having been designed by some 
    very serious security people, so the crypto is good.
    
    But it also has some significant disadvantages:
    
        * Symmetric crypto: this requires a centralized authentication
          server that holds everyone's personal private key. Makes for a
          single point of failure.
        * Does not scale DOWN well: Kerberos is a pain in the ass to set up
          ad hoc on a small network, or to deploy as an individual in a
          network that does not support Kerberos.
        * Requires the use of "kerberized" applications. Done right, this
          can be a security advantage, but it mostly means that you have to
          run a weird variant of many stock utilities.
        * The open source version commonly used on Linux has a long, sorry
          history of software vulnerabilities.
    
    My engineers curse at the name of Kerberos. You be the judge :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    


