[OpenAFS] fs setcrypt and transarc

Ted Anderson TedAnderson@mindspring.com
Thu, 10 Apr 2003 15:56:17 -0400


On 4/10/2003 13:47, Chaskiel M Grundman:
 > --On Thursday, April 10, 2003 13:32:26 -0400 Ted Anderson <TedAnderson@mindspring.com> wrote:
 > ... The actual problem is that the same key is used for every session,
 > opening up the possibility of replay attacks, or of combining knowledge
 > from sniffing multiple sessions to possibly learn stuff about the
 > key.
 >
 > It's mentioned in
 > http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-crypto-04
 >
 > and even a bit in an old paper by Bellovin and Merritt.

The Bellovin and Merritt paper is "Limitations of the Kerberos
Protocol"[1].  It points out that Kerberos session keys are misnamed
since they are really multi-session keys.  The issue is described in
section 4.6 and their recommendation to use a derived key for each
session is 6.e.

I never thought that this sort of attack was a big concern in practice,
but the recent splicing attack on 3DES K4 tickets suggests that extra
prudence is often (eventually) rewarded.

Ted Anderson

[1] http://citeseer.nj.nec.com/bellovin91limitations.html
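
Added example, not part of the original message and not OpenAFS, Rx or Kerberos code: a sketch of the derived-key-per-session idea discussed above, showing that a packet captured on one connection verifies on another when both use the ticket key directly, and is rejected when each connection derives its own key. The HMAC-SHA256 derivation, the nonce exchange, the MAC-only packet format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def derive_session_key(ticket_key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Per-connection key from the ticket key and a fresh nonce from each peer."""
    # Length-prefix each nonce so the pair is encoded unambiguously.
    info = b"".join(len(n).to_bytes(2, "big") + n for n in (client_nonce, server_nonce))
    return hmac.new(ticket_key, b"per-session-key" + info, hashlib.sha256).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Prefix the payload with a MAC over the sequence number and payload."""
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return tag + payload


def unseal(key: bytes, seq: int, packet: bytes):
    """Return the payload if the MAC verifies under this connection's key, else None."""
    tag, payload = packet[:32], packet[32:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def cross_session_replay_accepted(derive: bool) -> bool:
    """Seal a packet on connection A, present it on connection B, report acceptance."""
    ticket_key = os.urandom(32)  # constructed stand-in for the ticket's session key

    def connection_key() -> bytes:
        if not derive:
            return ticket_key  # same key on every connection
        return derive_session_key(ticket_key, os.urandom(16), os.urandom(16))

    key_a, key_b = connection_key(), connection_key()
    captured = seal(key_a, 1, b"constructed request payload")
    return unseal(key_b, 1, captured) is not None


if __name__ == "__main__":
    print("shared key, replay accepted: ", cross_session_replay_accepted(derive=False))
    print("derived key, replay accepted:", cross_session_replay_accepted(derive=True))
```

The sequence number only protects against replay within a connection; it is the fresh nonces mixed into the key that separate one connection from the next.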