[OpenAFS] fs setcrypt and transarc
Ted Anderson
TedAnderson@mindspring.com
Thu, 10 Apr 2003 15:56:17 -0400
On 4/10/2003 13:47, Chaskiel M Grundman:
> --On Thursday, April 10, 2003 13:32:26 -0400 Ted Anderson <TedAnderson@mindspring.com> wrote:
> ... The actual problem is that the same key is used for every session,
> opening up the possibility of replay attacks, or of combining knowledge
> from sniffing multiple sessions to possibly learn stuff about the
> key.
>
> It's mentioned in
> http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-04
>
> and even a bit in an old paper by Bellovin and Merritt.

The Bellovin and Merritt paper is "Limitations of the Kerberos
Protocol"[1]. It points out that Kerberos session keys are misnamed
since they are really multi-session keys. The issue is described in
section 4.6 and their recommendation to use a derived key for each
session is 6.e.

I never thought that this sort of attack was a big concern in practice,
but the recent splicing attack on 3DES K4 tickets suggests that extra
prudence is often (eventually) rewarded.

Ted Anderson

[1] http://citeseer.nj.nec.com/bellovin91limitations.html
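
The multi-session key issue and the derived-key recommendation discussed in the message above, as an added example that is not part of the original post and is not OpenAFS, rxkad or Kerberos code. Using HMAC-SHA256 as the derivation function, the nonce exchange, and all function names are assumptions made for illustration; the key and packet are constructed sample values.

```python
import hashlib
import hmac
import os


def derive_session_key(ticket_key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Derive a per-session subkey from the long-lived ticket key (assumed KDF: HMAC-SHA256)."""
    # Both ends contribute a fresh nonce, so a replayed client handshake
    # still meets a new server nonce and yields a different subkey.
    info = b"session-subkey|" + client_nonce + b"|" + server_nonce
    return hmac.new(ticket_key, info, hashlib.sha256).digest()


def tag(key: bytes, payload: bytes) -> bytes:
    """Integrity tag a sender attaches to a packet."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def accept(key: bytes, payload: bytes, mac: bytes) -> bool:
    """Receiver-side check, constant-time comparison."""
    return hmac.compare_digest(tag(key, payload), mac)


def replay_accepted(per_session: bool) -> bool:
    """Record one packet in session 1, present it in session 2, report whether it verifies."""
    ticket_key = bytes(range(32))  # constructed sample key
    keys = []
    for _ in range(2):  # two sessions under the same ticket
        if per_session:
            keys.append(derive_session_key(ticket_key, os.urandom(16), os.urandom(16)))
        else:
            keys.append(ticket_key)  # the "multi-session key" case
    payload = b"constructed sample packet"
    captured = (payload, tag(keys[0], payload))
    return accept(keys[1], *captured)


if __name__ == "__main__":
    print("same key every session, replay accepted:", replay_accepted(False))
    print("derived key per session, replay accepted:", replay_accepted(True))
```
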