Questions on kerb 4 vice kerb 5
Ted Anderson
ota at transarc.com
Tue Nov 20 16:35:31 CET 2001
On Thu, 15 Nov 2001 12:08:28 -0800 "Henry B. Hotz" <hotz at jpl.nasa.gov> wrote:
> As I understand it there are 3 possibly relevant wire protocols:
> rx the native AFS authentication, closely related to k4
> k4 supported by the AFS kaserver with a non-standard string-to-key
> k5 ¿usable? by AFS with non-standard authentication tools
> rx and k4 both suffer the same well-known replay vulnerability.
> Could I close both of them off with a firewall and still get
> everything I need using only k5?
I am not quite sure what you mean by the weel-known reply vulnerability,
but the Rx and K4 authentication (TGT) protocols do have an important
difference. The Rx protocol's request requires a timestamp to be
encrypted with the user's password. This means that the kaserver can
reject bogus requests and those more than a few (15?) minutes old. This
solves the problem of the K4 protocol in giving out "free" samples of
ciphertext.
Is this the weakness you mean?
Ted Anderson
More information about the Arla-drinkers
mailing list