Path: utzoo!attcan!uunet!aplcen!uakari.primate.wisc.edu!zaphod.mps.ohio-state.edu!usc!ucselx!bionet!agate!shelby!MIT.EDU!Saltzer
From: Saltzer@MIT.EDU (Jerome H Saltzer)
Newsgroups: comp.protocols.kerberos
Subject: Re: Why is initial user authentication done the way it is?
Message-ID: <9006141512.AA10087@PTT.LCS.MIT.EDU>
Date: 14 Jun 90 15:12:29 GMT
References: <9006140436.AA17824@PIT-MANAGER.MIT.EDU>
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 21

Jonathan,

The weakness you describe is real, and we recognized it from the
beginning of the design.  At the time we didn't see a straightforward
fix (your suggestion reduces the weakness by a little, but it doesn't
eliminate it) and we figured that the best solution was that any user
can avoid the weakness by choosing a password that isn't in the
dictionary.

Last Spring, I described the problem to a group of graduate students
at the University of Cambridge, and two of them were convinced that
there must be a way to solve it.  They did, and the resulting protocol
(the essence of which is that the tgt must contain only information that
looks random to anyone but the legitimate inquirer, even when correctly
decrypted) appeared in a paper in the 12th SOSP.  There was some
discussion among the Kerberos developers about including the protocol
as an option in Kerberos Version V, but as I recall the people doing
that revision had enough on their hands and didn't want to throw that
into the pot, too.

					Jerry