Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!spool.mu.edu!snorkelwacker.mit.edu!stanford.edu!CS.WASHINGTON.EDU!bcn From: bcn@CS.WASHINGTON.EDU (Clifford Neuman) Newsgroups: comp.protocols.kerberos Subject: setup of kerberos Message-ID: <9104082244.AA19179@n1dmm.cs.washington.edu> Date: 8 Apr 91 22:44:05 GMT Article-I.D.: n1dmm.9104082244.AA19179 References: Sender: news@shelby.stanford.edu (USENET News System) Organization: Internet-USENET Gateway at Stanford University Lines: 24 Kerberos does not depend on host addresses for security. When included in tickets, the host addresses only make it a little more difficult for an attacker that has already stolen one's credentials to use them. In particular, it puts the attacker in a position that he is more likely to be discovered. The security of Kerberos lies in the fact that the attacker can not obtain one's credentials unless he has breached the security of the system on which the credentials are stored, and if that security is breached, the credentials are only valid for a short period of time. At present, credentials are stored on disk. They might also be stored in a workstation's memory. In either case, a privileged user of the workstation can get at them. Alternatively, if you leave your workstation unattended and logged in for a short period of time, someone might be able to walk up to it, steal the credentials, and use them from somewhere else. By including host addresses, the attacker would also have to impersonate your network address which, while not difficult, is more likely to be noticed. In any case, it all boils down to trade offs in security vs. convenience. Kerberos does not provide absolute security. It just changes the relative costs and consequences. ~ Cliff