1996-01-24 - Kerberos holes (was Re: IPSEC == end of firewalls)

Header Data

From: Rich Graves <llurch@networking.stanford.edu>
To: cypherpunks@toad.com
Message Hash: 69b015e9b25a27fc0a40aea1fe1419a4d48a6ad22973fe9f5b0cc700da9b9ce0
Message ID: <Pine.ULT.3.91.960123140801.26006A-100000@Networking.Stanford.EDU>
Reply To: <9601231947.AA20689@su1.in.net>
UTC Datetime: 1996-01-24 00:10:46 UTC
Raw Date: Wed, 24 Jan 1996 08:10:46 +0800

Raw message

From: Rich Graves <llurch@networking.stanford.edu>
Date: Wed, 24 Jan 1996 08:10:46 +0800
To: cypherpunks@toad.com
Subject: Kerberos holes (was Re: IPSEC == end of firewalls)
In-Reply-To: <9601231947.AA20689@su1.in.net>
Message-ID: <Pine.ULT.3.91.960123140801.26006A-100000@Networking.Stanford.EDU>
MIME-Version: 1.0
Content-Type: text/plain


On Tue, 23 Jan 1996, Frank Willoughby wrote:

> At 10:30 AM 1/23/96 -0500, perry@piermont.com allegedly wrote:
> >
> >Frank Willoughby writes:
> >> While IP level security & authentication will go a long way to help 
> >> prevent abuses and reduce unauthorized accesses, I doubt if it will
> >> provide enough protection by itself.
> >
> >I agree with this, but...
> >
> >> o Node Spoofing will probably still be possible
> >
> >Nope. It won't.
> >
> I disagree.  I haven't met a system that couldn't somehow be gotten around.
> The creativity of hackers is succeeded only by their motivation and ability 
> to put many hours into trying to solve a problem.  Including the word
> "probably"  was deliberate.  Kerberos was also thought to be secure - 'til
> it was compromised.  Software isn't bug-free & design or security 
> methodologies can't provide 100% coverage.  Hackers take advantage of 
> this and inherent weaknesses in design flaws.

Clearly.

I keep hearing references to weaknesses in Kerberos, which I more or less 
rely on. What are the problems I should be worrying about? Preferably as 
URLs.

Also, we have a new Kerberos implementation for Macs that we're going to 
roll out soon. I'll see if the project manager would be willing to let 
other people take a look at it.

-rich




