Newsgroups: comp.protocols.kerberos
Path: sparky!uunet!stanford.edu!ATHENA.MIT.EDU!warlord
From: warlord@ATHENA.MIT.EDU (Derek Atkins)
Subject: Re: New User Accounts
Message-ID: <9209021801.AA26850@andre-norton.MIT.EDU>
Sender: news@shelby.stanford.edu (USENET News System)
Organization: Internet-USENET Gateway at Stanford University
Date: Wed, 2 Sep 1992 18:01:55 GMT
Lines: 44

> P.S. Has anyone had any experience using SecurID cards with Kerberos
> IV or V?
>
> I think one can use a service key to get a ticket and session key for
> a mutually authenticated private session with a "kerberos-SecurID"
> server, which is on the same machine as the kerberos server.
>
> The SecurID code would be sent to this server, and if authenticated
> by the SecurID software, the kerberos passwd would be changed to the
> SecurID code, and then changed to something random 30 seconds later.
>
> The client would get initial kerberos tickets as usual using the
> SecurID code as the password.
>
> Any comments are appreciated

I was looking into this possibility this summer. One way of doing
this would be to have the kerberos server know the SecurID algorithm
and send you an initial ticket encrypted in the SecurID number.
Another possibility would be to send a couple of initial tickets for
the next five minutes of validity, each with the SecurID number of
that time, and then have the client try all of them until it gets a
good one.

Sending the SecurID number to the kerberos server then means you need
some way to securely get the kerberos ticket back onto your
workstation. What would you encrypt it in? If you are using SecurID
in the first place, that means you CAN'T use your kerberos password,
as that would defeat the purpose.

There is a large problem in this -- it's a "two network problem." You
need one secret, SecurID, to get into the system, and then you need
another secret to authenticate to kerberos. The cure is to somehow
combine both secrets into one request/challenge/response sequence.

-derek

PS (Shameful plug) My thesis is going to involve something like this!

Derek Atkins -- MIT '93 -- Electrical Engineering
--warlord@MIT.EDU | ..!mit-eddie!mit-athena!warlord | s20069@mitvma.bitnet
Chairman, MIT Student Information Processing Board (SIPB)
MIT Media Laboratory, Speech Research Group
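The following is an added toy model of the second scheme in the post (the KDC issues one copy of the initial ticket per time step over a window of the next few minutes, each sealed under the key for that step's card code, and the client tries them until one verifies) together with the closing suggestion of folding both secrets into one exchange. It is not code from the post, from MIT Kerberos or from Security Dynamics. Everything specific is an assumption: `token_code` is an HMAC-based stand-in for the SecurID algorithm (which the post does not describe), `seal`/`unseal` are a toy SHA-256 keystream plus HMAC tag standing in for Kerberos ticket encryption, the 60-second step and 5-step window are chosen for illustration, and `combined_key` mixes the Kerberos password into the wrapping key so that one exchange requires both the card and the password. The window with `WINDOW = 1` is the first scheme (a single ticket encrypted in the current code).

```python
"""Toy model of issuing an initial ticket encrypted under a time-based
card code, with a window of candidate tickets for the client to try.
Not SecurID, not Kerberos: every primitive here is a labelled stand-in."""
import hashlib
import hmac
import json
import os
import struct

STEP = 60     # seconds per card code (assumption; the post says codes change)
WINDOW = 5    # consecutive steps the KDC covers ("the next five minutes")


def token_code(seed: bytes, t: int) -> str:
    """Stand-in for the card: a 6-digit code that changes every STEP seconds.
    Assumption: HMAC-SHA256 of the time step, truncated. Not the real algorithm."""
    step = t // STEP
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)


def combined_key(password: bytes, code: str) -> bytes:
    """Wrapping key derived from BOTH secrets (the 'combine both secrets into
    one exchange' idea). Toy KDF: SHA-256 over a labelled concatenation."""
    return hashlib.sha256(b"toy-kdc-v1|" + password + b"|" + code.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode, long enough for n bytes (toy stream cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || (plaintext XOR keystream) || HMAC tag.
    Stands in for the ticket encryption a KDC would do."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (wrong key)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def kdc_issue(seed: bytes, password: bytes, principal: str, now: int) -> list:
    """KDC side: the same initial ticket sealed once per time step in the
    window, each under the key for that step's card code. The client cannot
    tell which copy is 'right' except by trying them."""
    ticket = json.dumps({"principal": principal,
                         "session_key": os.urandom(16).hex(),   # constructed
                         "issued_step": now // STEP}).encode()
    return [seal(combined_key(password, token_code(seed, now + k * STEP)), ticket)
            for k in range(WINDOW)]


def client_open(candidates: list, password: bytes, code: str):
    """Client side: the card shows `code`; try every candidate until one
    verifies. None means the code is outside the window (stale code or clock
    skew beyond WINDOW steps) or the password is wrong."""
    key = combined_key(password, code)
    for blob in candidates:
        pt = unseal(key, blob)
        if pt is not None:
            return json.loads(pt)
    return None


if __name__ == "__main__":
    seed, now = b"constructed-card-seed", 1_000_000      # constructed sample inputs
    cands = kdc_issue(seed, b"pw", "alice@ATHENA", now)
    print(client_open(cands, b"pw", token_code(seed, now + 2 * STEP)))  # client 2 min ahead: ok
    print(client_open(cands, b"pw", token_code(seed, now - STEP)))      # stale code: None
```

The window buys tolerance for clock skew between card and KDC at the cost of WINDOW sealed copies on the wire, and an attacker who records the exchange gets WINDOW ciphertexts under keys that differ only in a 6-digit code, which is why the password is mixed into the key here rather than relying on the code alone.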