[27348] in Kerberos
Re: One Time Identification, a request for comments/testing.
daemon@ATHENA.MIT.EDU (Jeffrey Hutzelman)
Fri Feb 2 10:36:18 2007
Date: Fri, 02 Feb 2007 10:25:36 -0500
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Jim Rees <rees@umich.edu>, g.w@hurderos.org
Message-ID: <AC085DD6D243511BFCDE6008@sirius.fac.cs.cmu.edu>
In-Reply-To: <20070202150508.GB15920@citi.umich.edu>
MIME-Version: 1.0
Content-Disposition: inline
Cc: dev@directory.apache.org, Jeffrey Hutzelman <jhutz@cmu.edu>,
krbdev@mit.edu, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Friday, February 02, 2007 10:05:09 AM -0500 Jim Rees <rees@umich.edu>
wrote:
> So would it be fair say this is sort of like using a smartcard in that you
> need both possession of the token and knowledge of a PIN? And that the
> KDC guards the PIN against brute force guessing, because each guess
> requires a transaction against the KDC? So stealing the token gets the
> attacker nothing?
No. Smart cards are not (generally) simple storage devices. What guards a
smartcard PIN against brute force guessing is that you only get a limited
number of tries before the card locks itself and becomes useless. And what
protects the private key is the fact that only the card knows the key, so
if the card is not physically present (or has been locked out due to too
many wrong PIN's), it is impossible to perform crypto operations with the
private key.
What we're talking about here is something completely different. Yes, you
need both posession of a physical object and a password. But the
similarity ends there.
-- Jeff
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos