[27312] in Kerberos
Re: One Time Identification, a request for comments/testing.
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Jan 31 07:03:13 2007
From: Sam Hartman <hartmans@mit.edu>
To: g.w@hurderos.org
Date: Wed, 31 Jan 2007 07:02:43 -0500
In-Reply-To: <200701310603.l0V639Iu028764@wind.enjellic.com> (g. w.'s message of "Wed, 31 Jan 2007 00:03:09 -0600")
Message-ID: <tsl7iv3e74s.fsf@cz.mit.edu>
MIME-Version: 1.0
Cc: dev@directory.apache.org, krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
So, the USB flash stores the 160-bit RSA encrypted user identity?
I think that this approach or something like it could be useful. I'm
not sure I'm happy with your key schedule, or some of the crypto
details. I'd prefer to think about whether RFC 3961 might provide
better options. Similarly, I'm not sure what you get out of RSA
encryption.
An alternative proposal that seems like it would do the same thing
from a security standpoint would be a way to combine a password key
with pkinit. You could store a soft certificate on a USB token.
Ultimately, though, I think that the important thing is the user
experience. I agree with you that providing stronger authentication
when someone provides a USB flash disk with some secret information is
desirable. I think the specific details of how to do this should be
worked out in the Kerberos working group of the IETF. I encourage you
to take your proposal there.
--Sam
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
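The RFC 3961 machinery Sam points at, as an added example that is not part of this thread or of either proposal: the n-fold function from RFC 3961 section 5.1 (the primitive the DK key-derivation function uses to fit a usage constant such as "kerberos" to the cipher block size), plus the PBKDF2-HMAC-SHA1 step of the RFC 3962 AES string-to-key, each checked against the test vectors those RFCs publish. The final DK step, which needs the enctype's AES encryption, is deliberately left out; the function names below are this example's own, not MIT krb5 API.

```python
"""RFC 3961 n-fold and the RFC 3962 PBKDF2 string-to-key step.

Added example (standard library only); not code from the Kerberos thread.
"""
from functools import reduce
from math import gcd
import hashlib


def nfold(data: bytes, nbytes: int) -> bytes:
    """RFC 3961 section 5.1 n-fold: stretch or shrink `data` to `nbytes` bytes.

    The input is repeated until it reaches lcm(len(data), nbytes) bytes, each
    repetition rotated 13 bits to the right relative to the previous one; the
    result is cut into nbytes-sized chunks that are summed with ones'
    complement (end-around carry) addition.
    """

    def rotate_right(ba: bytes, nbits: int) -> bytearray:
        # Big-endian bit string rotation: bits move toward higher byte indices.
        ba = bytearray(ba)
        nshift, remain = (nbits // 8) % len(ba), nbits % 8
        return bytearray(
            (ba[i - nshift] >> remain)
            | ((ba[i - nshift - 1] << (8 - remain)) & 0xFF)
            for i in range(len(ba))
        )

    def add_ones_complement(a: bytearray, b: bytearray) -> bytearray:
        n = len(a)
        v = [x + y for x, y in zip(a, b)]
        # Propagate carries toward byte 0; a carry out of byte 0 wraps to byte n-1.
        while any(x & ~0xFF for x in v):
            v = [(v[i - n + 1] >> 8) + (v[i] & 0xFF) for i in range(n)]
        return bytearray(v)

    slen = len(data)
    lcm = nbytes * slen // gcd(nbytes, slen)
    stretched = bytearray()
    for i in range(lcm // slen):
        stretched += rotate_right(data, 13 * i)
    chunks = (stretched[p:p + nbytes] for p in range(0, lcm, nbytes))
    return bytes(reduce(add_ones_complement, chunks))


def dk_constant(constant: bytes, block_size: int) -> bytes:
    """The per-usage constant DK(Key, Constant) feeds to the cipher.

    RFC 3961 section 5.1: if the constant is not exactly one block long it is
    n-folded to the block size (for AES enctypes the block is 16 bytes).
    """
    if len(constant) == block_size:
        return constant
    return nfold(constant, block_size)


def rfc3962_pbkdf2(password: bytes, salt: bytes, iterations: int,
                   key_len: int) -> bytes:
    """First step of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1.

    The enctype key is then DK(tkey, "kerberos"); that step needs AES and is
    not implemented here.
    """
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, key_len)


if __name__ == "__main__":
    # RFC 3961 Appendix A and RFC 3962 Appendix B vectors.
    print("64-fold('012345')   =", nfold(b"012345", 8).hex())
    print("16-byte 'kerberos'  =", dk_constant(b"kerberos", 16).hex())
    print("PBKDF2 tkey         =",
          rfc3962_pbkdf2(b"password", b"ATHENA.MIT.EDUraeburn", 1, 16).hex())
```

The n-fold output is what DK passes to the cipher as the "usage constant" when the constant is not already one block long, so a key schedule that wants to bind a password key and a token secret to distinct usages can reuse this step instead of inventing its own.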