Re: CRIME Kerberos summation.

From: Crispin Cowan (crispin@private)
Date: Wed Jul 17 2002 - 16:41:10 PDT


    Shaun Savage wrote:
    
    > Hi
    > After reading the responses, I would like to sum it up.
    >
    > 1>  KDC is the weak link.
    > 2>  requires special services and applications.
    > 3>  scales up well
    > 4> basically good general auth system.
    > 5> implementation problems.
    
    You left out that it does *not* scale down well.
    
    > Things were said about public key vs symmetric key.  The problem with
    > public key crypto is that the private key requires secure private
    > storage.  In a community/public workstation network, storage of that
    > public key needs a central server or a user-held storage device for
    > the private key (smartcards, memory cards or sticks).
    
    Symmetric key does not actually improve this situation:
    
        * in *both* cases, each client has to securely store their key
        * the difference is:
              o public key: the KDC *publishes* the client's public keys
              o symmetric key: the KDC must keep copies of all clients'
                private keys, so they have to be confidential
    
    
    > Is there a better open protocol for user auth in a community/public
    > workstation network? 
    
    Huge enormous butt-load of them. Look for products marketed as "SSO", 
    "Single Sign On" or "Authentication server".
    
    > If a better open protocol is needed, what would be the specs? 
    
    Leading contenders for protocols, open or otherwise, would be:
    
        * SSL/X.509: the VeriSign/CA solution. You don't have to use
          VeriSign certs; you can be your own CA instead. Vendors include
          people like Entrust, Baltimore, RSA, BBN, and Schlumberger.
        * SSH: doesn't have a PKI built into it, which is why it scales down
          so well. But that doesn't stop you from setting up a PKI. However,
          there is no open standard for SSH PKI.
        * Liberty Alliance (guarded skepticism)
        * Microsoft Passport (abject terror :)
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
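The storage difference Crispin spells out above (the KDC publishes public keys but must keep every client's symmetric key confidential) and Shaun's point 1 (the KDC as weak link) can be made concrete with a small model. This is an added example, not code from the thread or from any Kerberos implementation; the client name "alice", the HMAC and Schnorr exchanges, and the tiny group parameters P, Q, G are all constructed for illustration.

```python
"""Toy model of the storage difference the post describes: what a KDC must
hold for symmetric-key versus public-key clients, and what a copy of the KDC
database lets its holder do.  Constructed example; the group (P = 2Q + 1,
G of order Q) is deliberately tiny and not a secure parameter set."""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4   # constructed toy group, far too small for real use

def enroll_symmetric(kdc_db, name):
    """Shared secret: identical bytes held by the client and in the KDC DB."""
    kdc_db[name] = secrets.token_bytes(32)
    return kdc_db[name]

def enroll_public(kdc_db, name):
    """Public key: client keeps x, the KDC DB holds only y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    kdc_db[name] = pow(G, x, P)
    return x

def run_symmetric_auth(kdc_db, name, client_key):
    """HMAC challenge-response; the KDC recomputes from its stored copy of the key."""
    challenge = secrets.token_bytes(16)                                  # KDC -> client
    response = hmac.new(client_key, challenge, hashlib.sha256).digest()  # client -> KDC
    expected = hmac.new(kdc_db[name], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def run_public_auth(kdc_db, name, x):
    """Schnorr identification; the KDC verifies using only the stored public key."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)                    # client -> KDC: commitment
    c = secrets.randbelow(Q - 1) + 1    # KDC -> client: challenge
    s = (k + c * x) % Q                 # client -> KDC: response
    return pow(G, s, P) == (r * pow(kdc_db[name], c, P)) % P

def leaked_db_lets_holder_authenticate():
    """(symmetric, public): can whoever copied the KDC DB authenticate as
    'alice' from that record alone?  Symmetric: the record *is* her key.
    Public: the record is y; without x any value the holder supplies is
    rejected (a chance hit on x is excluded to keep the result deterministic)."""
    sym_db, pub_db = {}, {}
    enroll_symmetric(sym_db, "alice")
    x = enroll_public(pub_db, "alice")
    sym_ok = run_symmetric_auth(sym_db, "alice", sym_db["alice"])
    x_other = next(v for v in iter(lambda: secrets.randbelow(Q - 1) + 1, None) if v != x)
    pub_ok = run_public_auth(pub_db, "alice", x_other)
    return sym_ok, pub_ok   # -> (True, False)
```

The asymmetry is the whole point: a dump of the symmetric database is a dump of every client credential, whereas a dump of the public-key database is information the KDC was going to publish anyway.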
    



    This archive was generated by hypermail 2b30 : Wed Jul 17 2002 - 19:55:16 PDT