Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!purdue!decwrl!shelby!ERLANG.ENET.DEC.COM!miller
From: miller@ERLANG.ENET.DEC.COM (Steve Miller 26-Dec-1989 1246)
Newsgroups: comp.protocols.kerberos
Subject: Re: Authentication vulnerabilities
Message-ID: <8912261743.AA02542@decwrl.dec.com>
Date: 26 Dec 89 17:43:13 GMT
Sender: daemon@shelby.Stanford.EDU
Organization: The Internet
Lines: 44

From: LYRE::"MAILER-DAEMON" "Mail Delivery Subsystem" 24-DEC-1989 17:13:34.27
To: spm
CC:
Subj: Returned mail: Cannot send message for 3 days

   ----- Transcript of session follows -----
421 decwrl.dec.com.tcp... Deferred: Host is unreachable

   ----- Unsent message follows -----
Received: by lyre.nac.dec.com (5.57/Ultrix2.4-C)
        id AA00681; Thu, 21 Dec 89 16:17:59 EST
Date: Thu, 21 Dec 89 16:17:59 EST
From: spm (Steven Miller)
To: decwrl::kerberos@athena.mit.edu
Subject: Re: Authentication vulnerabilities
Cc: spm

Recent messages from Hugh Lauer and Michael Salzman discussed the
administrative vulnerabilities of various authentication systems. In any
of these systems, be it Kerberos, X.509, or others, there is a trust in
the administrative components (such as the Kerberos realm administrator).
All that the protocols can hope to achieve is to explicitly identify
which set of components is involved in a particular authentication
operation. This then gives the principals the opportunity to enforce any
policy they choose with respect to those administrative units. For
example, not granting write access to certain Kerberos realms based on
not trusting the carefulness of that realm's administration.

Kerberos V4 provides a limited form of such information, for a 1-hop
realm traversal, and V5 will provide the entire path of administrative
units (realms) involved in the operation. So an apprehensive principal
can set up their authorization to take the administrative trust into
account.

The task of determining trust in an administrative unit is way beyond
the scope of computer communications. There may be applicable precedents
in other organizations such as banking or the military to deal with
these administrative issues.

Steve

p.s. Tools such as smart cards with PINs are better, but still imperfect
since they may be intentionally shared or shared under duress -- e.g.
people have been mugged and forced to obtain money from their cash
machines.
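As an added illustration (not part of Steve Miller's post), here is the kind of authorization policy the message describes: a service that receives the list of realms an authentication traversed grants no more than the weakest trust level it assigns to any administrative unit on that path. The realm names, trust levels and policy table are constructed for the example, and the realm list is assumed to have already been decoded from the ticket.

```python
from enum import IntEnum


class Access(IntEnum):
    """Permission levels a service may grant; a lower value means less trust."""
    NONE = 0
    READ = 1
    WRITE = 2


# Constructed policy: how far this service trusts each realm's administration.
# Realms absent from the table are treated as untrusted (Access.NONE).
REALM_POLICY = {
    "ATHENA.MIT.EDU": Access.WRITE,
    "ERLANG.ENET.DEC.COM": Access.WRITE,
    "SLOPPY.EXAMPLE.ORG": Access.READ,   # careless administration: read only
}


def effective_access(client_realm, transited, policy=REALM_POLICY):
    """Access to grant a principal from `client_realm` whose authentication
    passed through the realms in `transited` (the intermediate realms, in
    order, that issued cross-realm tickets).

    V4 only exposes the one neighbouring realm; with the full V5 path every
    realm on it is an administrator who could have vouched for a false
    identity, so the least-trusted realm bounds what is granted.
    """
    path = [client_realm] + list(transited)
    return min(policy.get(realm, Access.NONE) for realm in path)


def authorize(client_realm, transited, requested, policy=REALM_POLICY):
    """True if `requested` access is within what the traversed path allows."""
    return effective_access(client_realm, transited, policy) >= requested
```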