[30] in Kerberos
Re: integration with old protocols
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:17:12 1987
From spm@ATHENA.MIT.EDU Sun Aug 3 13:42:25 1986
To: saltzer@athena.mit.edu
Cc: kerberos@athena.mit.edu
Cc: spm@menelaus.mit.edu
Subject: Re: integration with old protocols
In-Reply-To: Your message of Tue, 22 Jul 86 20:32:35 EDT.
<8607230032.AA16734@HERACLES>
Date: Sun, 03 Aug 86 13:40:00 -0500
From: Steve Miller <spm@ATHENA.MIT.EDU>
I read your recent proposal, and believe it will work given a couple
of additions:
1) The "cached" authentication that the Ksetup server stores may
only be used once, within a very brief time of creation.
Otherwise, you have lost replay protection.
2) If "is_this_one_ok()" fails, it still has to distinguish
whether it failed because the Kerberos authentication is invalid,
or because the client does not speak Kerberos. This is a sticky
problem, since we might wish to allow non-Kerberos clients to
operate, but dont want to allow someone who should be using
Kerberos to break security by just disabling the Kerberos portion.
Perhaps a crude address filter could be used for this?
I see four implications:
1) Many extra port assignments are not needed.
2) Run time cost increases by two messages.
3) Security is a bit weaker, since the opportunity to crytographically
bind some of the application protocol into the authenticator is
lost.
4) A new privileged entity is created, Ksetup, and more sensitive
data is stored on the server.
There is already sufficient information in the protocol messages to
support this.
Overall, I think it is a good approach to try.