A generic kerberizing project

Pete Martin kerberos at pnmartin.fsnet.co.uk
Sat May 12 05:20:32 EDT 2007


Sam,

Apologies for sending to the wrong list - and thanks for the useful
pointers.

To answer your points, I'm not planning to use Kerberos solely to secure
network traffic (authentication also). Since both end-points share a
secret session key after the Kerberos exchange, the key is optionally
used for symmetric AES traffic encryption.

Depending on the network service concerned, there may well be a weaker
application-level authentication protocol; the solution proposed would
not eliminate this, but wrap it with an additional stronger, required
authentication protocol.

In remaining general-purpose, I had not been looking to establish
channel bindings to link high and low layer authentication. Having said
that, there would be clear efficiency gains (and it could be done for
certain special cases). There certainly seem to be a lot of potentially
tricky problems here! I will have a more in-depth look at the IETF
channel binding document - thanks again.

Pete

--
For those who missed the first post on this:

I'm running a quick Kerberos-related survey at http://petemart.in/krb-q/

Responses very much appreciated!




On Fri, 2007-05-11 at 10:58 -0400, Sam Hartman wrote:
> Hi.  This is definitely a misuse of the krbdev at mit.edu list; your
> question probably should have gone to kerberos at mit.edu.  I'll direct
> replies there.  However I want to point out a couple of things.
> 
> If you are just using Kerberos to secure network traffic without
> modifying existing applications take a look at RFC 4430.  That's
> basically the protocol you are looking for between your two boxes.
> 
> However, the solution you propose has some significant security
> problems.  In brief, the problem is that you are having authentication
> going on at multiple levels: the Kerberos level with your box and the
> level presumably using weaker authentication in the application
> itself.
> There are a lot of tricky issues to consider when doing this.
> Take a look at http://tools.ietf.org/internet-drafts/draft-williams-on-channel-binding and http://tools.ietf.org/internet-drafts/draft-ietf-btns-prob-and-applic for descriptions of some of the issues.
> 
> 
> 
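A sketch of the layering discussed above, added here as an example (not code from either message, nor from Pete's project): the outer Kerberos-protected channel is modelled by a constructed shared key, the weaker inner application-level authentication by a password challenge/response, and the channel-binding derivation is an assumed construction for illustration, not the definition in the IETF drafts Sam cites.

```python
import hashlib
import hmac

# Constructed illustration: an outer Kerberos-protected channel (the generic
# wrapper) carrying a weaker inner, application-level challenge/response.
# Only hashlib/hmac are used so the block runs offline; no real Kerberos
# exchange or AES transport is performed here.

def channel_binding(session_key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Derive a unique identifier for one outer channel (assumed construction).

    `session_key` stands in for the Kerberos session key both end-points
    share after the exchange; the nonces make the value unique per connection.
    """
    return hmac.new(session_key, b"unique-cb|" + client_nonce + b"|" + server_nonce,
                    hashlib.sha256).digest()

def _app_key(password: str, salt: bytes) -> bytes:
    """Password-derived key for the inner authentication (a real server would
    store this verifier rather than the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def inner_response(password: str, salt: bytes, challenge: bytes, binding: bytes = b"") -> bytes:
    """Client side of the inner challenge/response.

    With `binding` empty the response depends only on password and challenge,
    so it verifies on any outer channel. With the outer channel's binding
    mixed in, it verifies only on the channel it was produced for.
    """
    return hmac.new(_app_key(password, salt), challenge + b"|" + binding, hashlib.sha256).digest()

def server_verify(password: str, salt: bytes, challenge: bytes, binding: bytes, response: bytes) -> bool:
    """Server side: recompute the expected response using the binding of the
    channel the response actually arrived on, and compare in constant time."""
    expected = hmac.new(_app_key(password, salt), challenge + b"|" + binding, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def binding_demo() -> dict:
    """Which (channel, response) combinations verify: unbound responses are
    accepted on any channel, bound responses only on their own channel."""
    salt, challenge = b"constructed-salt", b"constructed-challenge"
    cb_a = channel_binding(b"A" * 32, b"cn-a", b"sn-a")   # the client's own channel
    cb_b = channel_binding(b"B" * 32, b"cn-b", b"sn-b")   # a different outer channel
    unbound = inner_response("app-password", salt, challenge)
    bound = inner_response("app-password", salt, challenge, cb_a)
    return {
        "unbound_on_any_channel": server_verify("app-password", salt, challenge, b"", unbound),
        "bound_on_own_channel": server_verify("app-password", salt, challenge, cb_a, bound),
        "bound_on_other_channel": server_verify("app-password", salt, challenge, cb_b, bound),
    }
```

The third result is the point of channel binding: once the inner exchange is tied to the outer channel's identifier, the inner credential cannot be accepted over any other Kerberos-protected channel, which is the gap between the two authentication layers that the drafts describe.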