Re: Arcot


Ge' Weijers (ge@Progressive-Systems.Com)
Tue, 22 Sep 1998 17:00:19 -0400


On Tue, 22 Sep 1998, Ryan Lackey wrote:

> 3) The system appears to use PKC for no reason -- it is a closed system,
> like Kerberos, and only limits itself by using PKC. Kerberos, developed
> by some list participants *years* ago, appears to solve every problem
> Arcot claims to solve. Additionally, Kerberos (in some form) is now
> being integrated into MS Windows NT, so it is widely available.

The problem with Kerberos is the way you obtain the TGT. The ticket is
directly encrypted using the user password, and it's therefore a prime
target for a passive dictionary attack. Using public-key crypto this can
be prevented. If for instance you encrypt your password together with a
random string the eavesdropper can't perform a dictionary attack.

It looks like they've found a way to hide a private asymmetric key in a
file in such a way that most passwords will recover a valid key, which
will prevent offline dictionary attacks. Storing a public key on the
server makes the system somewhat more resistant to abuse by the server
operators (say a disgruntled bank employee), and to server compromise. A
stolen public key is a lot less useful than a stolen private key,
especially if the private key is used for multiple purposes. As long as
an attacker does not get hold of both your 'software smartcard' and the
public key you're safe from dictionary attacks.

The 'software smartcard' makes the system a bit safer for people who are
careless with their passwords.

It's not a panacea, but it's probably a lot better than Kerberos.

Ge'

-
Ge' Weijers Voice: (614)326 4600
Progressive Systems, Inc. FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
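
A toy model of the argument in the message above, added here as an illustration; it is not code from the post, from Arcot or from Kerberos. It assumes a PBKDF2-derived XOR pad as the password cipher, a discrete-log key pair modulo 2^255 - 19, and constructed passwords, salt and ticket header, and it counts which password guesses an offline observer can confirm in each situation.

```python
import hashlib
import secrets

P, G = 2**255 - 19, 2      # toy discrete-log group (assumption, not Arcot's scheme)
SALT = b"constructed-salt"  # constructed sample value
CANDIDATES = ["letmein", "hunter2", "correct horse", "password1"]  # constructed
REAL = "correct horse"      # the user's actual password in this model

def xor_crypt(password: str, data: bytes) -> bytes:
    """Toy password cipher: XOR with a PBKDF2 pad (encrypt and decrypt are the same)."""
    pad = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 1000, dklen=len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def confirmable(blob: bytes, looks_right) -> list:
    """Guesses whose trial decryption passes the only check the observer has."""
    return [c for c in CANDIDATES if looks_right(xor_crypt(c, blob))]

# Case 1: a reply with recognisable structure, encrypted directly under the password.
HEADER = b"TGT|alice|"      # constructed stand-in for ticket structure
ticket_blob = xor_crypt(REAL, HEADER + secrets.token_bytes(16))

# Case 2: a structureless private exponent stored under the password.
priv = secrets.token_bytes(32)
pub = pow(G, int.from_bytes(priv, "big"), P)   # kept by the server only
card_blob = xor_crypt(REAL, priv)

def has_header(pt: bytes) -> bool:
    return pt.startswith(HEADER)

def is_usable_key(pt: bytes) -> bool:
    # Every 32-byte string is a valid exponent, so a wrong guess is not detectable.
    return len(pt) == 32

def matches_public_key(pt: bytes) -> bool:
    return pow(G, int.from_bytes(pt, "big"), P) == pub

def run() -> dict:
    return {
        "ticket": confirmable(ticket_blob, has_header),
        "card_only": confirmable(card_blob, is_usable_key),
        "card_plus_public_key": confirmable(card_blob, matches_public_key),
    }

if __name__ == "__main__":
    for case, guesses in run().items():
        print(f"{case}: {len(guesses)} of {len(CANDIDATES)} guesses pass the check")
```

With the key file alone every guess passes, so none is confirmed; only the structured ticket, or the key file together with the public key, singles out the real password.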



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:14:00