Sam,

Apologies for sending to the wrong list - and thanks for the useful pointers.

To answer your points, I'm not planning to use Kerberos solely to secure network traffic (authentication also). Since both end-points share a secret session key after the Kerberos exchange, the key is optionally used for symmetric AES traffic encryption. Depending on the network service concerned, there may well be a weaker application-level authentication protocol; the solution proposed would not eliminate this, but wrap it with an additional stronger, required authentication protocol.

In remaining general-purpose, I had not been looking to establish channel bindings to link high and low layer authentication. Having said that, there would be clear efficiency gains (and it could be done for certain special cases).

There certainly seem to be a lot of potentially tricky problems here! I will have a more in-depth look at the IETF channel binding document - thanks again.

Pete

--
For those who missed the first post on this: I'm running a quick Kerberos-related survey at http://petemart.in/krb-q/ Responses very much appreciated!

On Fri, 2007-05-11 at 10:58 -0400, Sam Hartman wrote:
> Hi. This is definitely a misuse of the [EMAIL PROTECTED] list; your
> question probably should have gone to [EMAIL PROTECTED] I'll direct
> replies there. However I want to point out a couple of things.
>
> If you are just using Kerberos to secure network traffic without
> modifying existing applications take a look at RFC 4430. That's
> basically the protocol you are looking for between your two boxes.
>
> However, the solution you propose has some significant security
> problems. In brief, the problem is that you are having authentication
> going on at multiple levels: the Kerberos level with your box and the
> level presumably using weaker authentication in the application
> itself.
> There are a lot of tricky issues to consider when doing this.
> Take a look at
> http://tools.ietf.org/internet-drafts/draft-williams-on-channel-binding and
> http://tools.ietf.org/internet-drafts/draft-ietf-btns-prob-and-applic for
> descriptions of some of the issues.
>
>
> ________________________________________________
> Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
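An added illustration of the point Sam raises about authentication at two levels and why channel binding matters (example code written for this page; it is not from either poster, nor from the IETF drafts or any Kerberos implementation). It models a weak application-level challenge/response running inside a stronger lower-layer channel such as the Kerberos-keyed AES session Pete describes. `channel_binding` derives a binding value from the lower-layer session key (a hypothetical derivation, not a specified one), and the client mixes that value into its application-level response. The session keys and the application secret are constructed placeholders. The `relayed_login` function shows the failure mode: an intermediary that terminates two separate lower-layer channels can relay the unbound application response between them, but the bound response is rejected because the server's own channel has a different binding value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed application-level credential shared by client and server:
# the "weaker authentication in the application itself". Placeholder value.
APP_SECRET = b"example-app-password"
USERNAME = b"alice"


def channel_binding(session_key: bytes) -> bytes:
    """Derive a channel-binding value from the lower-layer session key.

    Hypothetical derivation used only for this illustration; a real
    deployment would use the form defined by the applicable channel-binding
    specification rather than this ad hoc HMAC.
    """
    return hmac.new(session_key, b"channel-binding-v1", hashlib.sha256).digest()


def app_auth_mac(challenge: bytes, cb: Optional[bytes]) -> bytes:
    """Application-level response: HMAC over the challenge, the username and,
    when binding is in use, the channel-binding value of the speaker's own
    lower-layer channel. With cb=None the response is unbound."""
    msg = challenge + b"|" + USERNAME + b"|" + (cb if cb is not None else b"")
    return hmac.new(APP_SECRET, msg, hashlib.sha256).digest()


def server_verify(challenge: bytes, response: bytes, cb: Optional[bytes]) -> bool:
    """The server recomputes the expected response using the binding value of
    the lower-layer channel *it* terminated and compares in constant time."""
    expected = app_auth_mac(challenge, cb)
    return hmac.compare_digest(expected, response)


def direct_login(bound: bool) -> bool:
    """Honest client and server sharing one lower-layer channel (one key)."""
    session_key = os.urandom(32)  # constructed stand-in for a Kerberos session key
    cb = channel_binding(session_key) if bound else None
    challenge = os.urandom(16)
    response = app_auth_mac(challenge, cb)  # client side, on its channel
    return server_verify(challenge, response, cb)  # server side, same channel


def relayed_login(bound: bool) -> bool:
    """An intermediary terminates two distinct lower-layer channels: key k1
    towards the client and key k2 towards the server. It forwards the
    server's challenge and the client's response unchanged.

    Returns True when the server accepts the relayed response."""
    k1, k2 = os.urandom(32), os.urandom(32)  # constructed per-channel keys
    challenge = os.urandom(16)
    client_cb = channel_binding(k1) if bound else None
    server_cb = channel_binding(k2) if bound else None
    response = app_auth_mac(challenge, client_cb)  # client binds to its channel
    return server_verify(challenge, response, server_cb)  # server checks its own


if __name__ == "__main__":
    print("direct, unbound :", direct_login(False))
    print("direct, bound   :", direct_login(True))
    print("relayed, unbound:", relayed_login(False))  # intermediary succeeds
    print("relayed, bound  :", relayed_login(True))   # rejected: cb values differ
```

The property to take away is that the inner authentication alone never learns which outer channel it is running over; only by folding a value derived from the outer channel's key into the inner exchange does the server gain evidence that the party who proved the application credential is the same party it holds the Kerberos session with.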
