One Time Identification, a request for comments/testing.
g.w@hurderos.org
Fri Feb 2 21:07:03 EST 2007
On Feb 2, 10:05am, Jim Rees wrote:
} Subject: Re: One Time Identification, a request for comments/testing.
Hi Jim, hope the weekend is going well for you.
> So would it be fair to say this is sort of like using a smartcard in that you
> need both possession of the token and knowledge of a PIN?
Jeff already did a nice job of differentiating a smart card/PIN from
what is being suggested with OTI.
> And that the KDC guards the PIN against brute force guessing,
> because each guess requires a transaction against the KDC? So
> stealing the token gets the attacker nothing?
Correct, the KDC is the only entity which is in a position to verify
that the expression of the identity is valid.
This is the reason why the decision was made to not encrypt the
identity token. It actually increases the security liability if the
token is lost. If the token is encrypted there is an opportunity for
an off-line guessing attack to yield not only the token but validation
of the password as well.
Have a good weekend.
}-- End of excerpt from Jim Rees
As always,
Greg Wettstein
------------------------------------------------------------------------------
The Hurderos Project
Open Identity, Service and Authorization Management
http://www.hurderos.org
"Human beings, who are almost unique in having the ability to learn
from the experience of others, are also remarkable for their apparent
disinclination to do so."
-- Douglas Adams
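The following is an added illustration of the design argument made in the message above; it is not code from the Hurderos project, from OTI, or from anyone in this thread, and it does not model how OTI actually represents or verifies an identity token. It contrasts a hypothetical "encrypted token" design (a token plus checksum enciphered under the PIN with a toy hash-based keystream, so the blob alone acts as an off-line oracle for PIN guesses) with a hypothetical "plaintext token" design in which the verifier is keyed by a secret only the KDC holds, so every guess must be an on-line transaction the KDC can count and lock out. The lockout threshold, token format, and checksum length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5   # assumed lockout threshold, not a value from the OTI design
TOKEN_LEN = 16     # assumed token length for the constructed sample
CHECK_LEN = 8      # assumed checksum length in the rejected "encrypted token" design


def _keystream(pin: str, n: int) -> bytes:
    # Toy keystream for illustration only (not a real cipher): hash-chained
    # blocks derived from the PIN, which is all an off-line guesser needs.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(pin.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt_token_with_pin(token: bytes, pin: str) -> bytes:
    """Rejected design: token plus a checksum, enciphered under the PIN."""
    payload = token + hashlib.sha256(token).digest()[:CHECK_LEN]
    ks = _keystream(pin, len(payload))
    return bytes(a ^ b for a, b in zip(payload, ks))


def offline_pin_check(blob: bytes, pin_guess: str) -> bool:
    """Whoever holds the encrypted blob can test a guess with no KDC involved:
    a checksum that verifies after decryption confirms the PIN and recovers
    the token. This is the off-line liability the message describes."""
    ks = _keystream(pin_guess, len(blob))
    payload = bytes(a ^ b for a, b in zip(blob, ks))
    token, check = payload[:-CHECK_LEN], payload[-CHECK_LEN:]
    return hashlib.sha256(token).digest()[:CHECK_LEN] == check


class KDC:
    """Chosen design (hypothetical model): the token is stored in the clear and
    the verifier is an HMAC under a key that never leaves the KDC, so the token
    by itself gives an attacker nothing to compare a guess against."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # KDC-only secret
        self._verifiers = {}                  # token -> expected tag
        self._failures = {}                   # token -> consecutive failures

    def _tag(self, token: bytes, pin: str) -> bytes:
        return hmac.new(self._key, token + pin.encode(), hashlib.sha256).digest()

    def enroll(self, token: bytes, pin: str) -> None:
        self._verifiers[token] = self._tag(token, pin)
        self._failures[token] = 0

    def verify(self, token: bytes, pin: str) -> bool:
        # Every guess is an on-line transaction: unknown tokens are refused,
        # and a token that has exhausted its attempts stays locked.
        if token not in self._verifiers or self._failures[token] >= MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(self._tag(token, pin), self._verifiers[token]):
            self._failures[token] = 0
            return True
        self._failures[token] += 1
        return False

    def is_locked(self, token: bytes) -> bool:
        return self._failures.get(token, 0) >= MAX_ATTEMPTS


def demo() -> dict:
    # Constructed sample token and PIN; the PIN is not a real credential.
    token, pin = secrets.token_bytes(TOKEN_LEN), "4821"
    kdc = KDC()
    kdc.enroll(token, pin)
    blob = encrypt_token_with_pin(token, pin)
    return {
        "offline_oracle_right": offline_pin_check(blob, pin),     # True: blob alone validates the PIN
        "offline_oracle_wrong": offline_pin_check(blob, "0000"),  # False
        "kdc_right": kdc.verify(token, pin),                      # True
        "kdc_wrong": kdc.verify(token, "0000"),                   # False, and counted by the KDC
    }
```

The point of the contrast is in `offline_pin_check` versus `KDC.verify`: the former needs only the blob, so a lost encrypted token hands out unlimited free guesses; the latter needs the KDC's key, so a lost plaintext token forces every guess through a transaction the KDC can observe, count, and refuse.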