Thanks: GSS Server without secret key?
Mike Friedman
mikef at ack.Berkeley.EDU
Fri Nov 7 11:08:20 EST 2003
On Fri Nov 7 01:57:42 2003, Oliver Schoett said:
> The design seems to be asymmetric in that the need to store a secret
> long-term key at the client has been avoided (the client only needs to
> store its TGT), but a secret long-term key at the server is still
> necessary. I am afraid our customer will complain about this ...
Oliver,
Well, it's actually a little more symmetric than that. If the client is
acting on behalf of a user at a terminal, then the secret long-term 'key'
IS stored - in the user's biological memory (in the form of a password
that gets converted to the key). The server's keytab plays a role analogous
to a human user's memory.
If a client must authenticate while unattended by a human, then the key
WOULD have to be stored somewhere on the client.
BTW: I'm speaking basic Kerberos protocol here, not particularly about
GSS.
Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------
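Mike's point above, as a constructed Python model added here (it is not code from the thread or from any Kerberos implementation): the client's password-derived key is used once, in the AS exchange, and the credential cache then holds only the TGT and its session key, while the service ticket is sealed under the server's long-term key, so the server must hold that key in its keytab to accept it. `seal`/`unseal` are a toy stand-in for Kerberos encryption types, and the realm, principal names and password are made up.

```python
import hashlib, hmac, json, secrets

def string_to_key(password, salt):  # toy string-to-key; real Kerberos salts with realm + principal too
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _xor(key, nonce, data):  # hash-derived keystream; a toy cipher, not a Kerberos enctype
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt-then-MAC: nonce || ciphertext || HMAC tag
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(_xor(key, nonce, ct))

REALM = "EXAMPLE.COM"  # constructed realm, principals and password
# KDC database: long-term keys of the ticket-granting service, the user and the host service.
KDC_DB = {"krbtgt/" + REALM: secrets.token_bytes(32),
          "oliver": string_to_key("correct horse", REALM + "oliver"),
          "host/server.example.com": secrets.token_bytes(32)}
KEYTAB = {"host/server.example.com": KDC_DB["host/server.example.com"]}  # the server's copy

def as_exchange(user):  # AS-REP: TGT under the krbtgt key, session key under the user's key
    sk = secrets.token_bytes(32).hex()
    return seal(KDC_DB["krbtgt/" + REALM], {"cname": user, "sk": sk}), seal(KDC_DB[user], {"sk": sk})

def tgs_exchange(tgt, service):  # TGS-REP: service ticket under the *service's* long-term key
    t = unseal(KDC_DB["krbtgt/" + REALM], tgt)
    ssk = secrets.token_bytes(32).hex()
    return seal(KDC_DB[service], {"cname": t["cname"], "sk": ssk}), seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def client_login(user, password):  # the password-derived key is needed here and nowhere else
    tgt, enc_part = as_exchange(user)
    sk = unseal(string_to_key(password, REALM + user), enc_part)["sk"]
    return {"tgt": tgt, "tgt_sk": sk}  # credential cache: no long-term key kept

def client_get_service_ticket(ccache, service):
    ticket, enc_part = tgs_exchange(ccache["tgt"], service)
    ccache["sk_" + service] = unseal(bytes.fromhex(ccache["tgt_sk"]), enc_part)["sk"]
    return ticket

def server_accept(service, ticket):  # fails unless the keytab holds the service's key
    return unseal(KEYTAB[service], ticket)["cname"]
```

Trying `unseal` on the service ticket with any key other than the one in `KEYTAB` raises `ValueError`, which is the asymmetry Oliver describes: the client can forget its password-derived key after login, the server cannot do without its keytab.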