One Time Identification, a request for comments/testing.

g.w@hurderos.org g.w at hurderos.org
Thu Feb 1 16:06:21 EST 2007 

On Jan 31,  8:42am, "Douglas E. Engert" wrote:
} Subject: Re: One Time Identification, a request for comments/testing.

Good afternoon to everyone, apologies for not being more prompt.
Trying to position myself to be in the mountains for a few days of
skiing starting this weekend.

> What keeps a user from copying the identity token from the USB
> device to a local or shared file system to avoid having to insert
> the USB device all the time?

We were considering public flogging but were unsure if we could get it
into an IETF draft.

Security starts with user training and making it unnecessary for them
to want to do things like that.  Hence our focus on a seamless
integration with Kerberos.

> What are the security implications if the identity token is
> stolen?

A concern certainly relevant to the point above.

The identity token itself contains no identifying information and is
useless without the Kerberos password/key even if the owner of the
token is known.

An additional valid concern is the possibility for a stolen token to
be used as known material for an attack against the encrypted OTI
payload of a captured AS_REQ.  However, the payload contains the IP
address of the KDC along with the authentication time so there is a
known element to look for if someone wants to start trying random keys
on the payload to see what pops out.  We have tossed around the idea
of payload location shifting to help combat things like that.

Given proper failure throttling on the KDC the idea of grabbing a
token and trying passwords is hopefully a non-starter.

> How does this compare to using cert and key on the USB device with
> PKINIT rather then your identity token?
>
> How does this compare to using a smart card or USB equivelent of a
> smartcard with PKINIT? To the user they still have to insert the
> card or USB device, and have to enter a pin or password?

In your subsequent e-mail reply you were completely correct in your
analysis.  One of the objectives in all this is to provide centralized
password management and control in a soft token environment.

A bit more on that later this evening.

}-- End of excerpt from "Douglas E. Engert"

As always,
Greg Wettstein

------------------------------------------------------------------------------
			 The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

"More people are killed every year by pigs than by sharks, which shows
 you how good we are at evaluating risk."
                                - Bruce Schneier
                                  Beyond Fear

More information about the Kerberos mailing list