Re: CRIME Kerberos what do people think?

From: Seth Arnold (sarnold@private)
Date: Tue Jul 16 2002 - 22:56:05 PDT

    On Tue, Jul 16, 2002 at 01:20:11PM -0700, Shaun Savage wrote:
    > Kerberos has been around for a while.  
    > ~      Is it still good?
    > ~      Does it scale well?

    My biggest complaint against Kerberos is that it basically tries to
    replicate Public Key Crypto with nothing but Symmetric Crypto. This
    leads to a necessarily complicated design. My secondary complaint is
    that it requires application support. (To a certain extent, all
    distributed authentication infrastructures will require application
    support, but this will limit your options for many services.)

    (I'm not too concerned about attackers getting a hold of private
    authentication tokens while decrypted on the local machine -- as far as
    I can figure, only challenge-response authentication techniques using
    hardware tokens of some sort could circumvent this attack, which is
    typically beyond the budget and requirements of most organizations.
    Yes, paper printed skey authentication is pretty cheap, but I expect
    support costs would be higher than one might care to spend on

    As near as I can tell, Kerberos is much like NFS: In use because it was
    first, not because it is the best possible solution.