Strength in Complexity?

Perry E. Metzger perry at
Mon Aug 4 14:10:05 EDT 2008

Arshad Noor <arshad.noor at> writes:
> That said, Kerberos clearly has the benefit of 20+ years of research
> and use in the field.  However, there are two fundamental differences
> between SKSML and Kerberos, IMHO:
> 1) The design goals for Kerberos were very different from SKSML.  The
>    former solves the problem of network-authentication in the face of
>    insecure hosts/networks, while the latter focuses on long-term key
>    management.

Well, Kerberos does both, really. It also has the advantage that it
is fully specified and integrates with GSSAPI.

>    That they both use very similar concepts & components
>    to deliver quite different benefits to applications is testament to
>    the strength and flexibility of the underlying components rather
>    than to a weakness of SKSML.
> 2) AFAIK, Kerberos clients cannot deliver their stated benefit (network
>    authentication) in the absence of the network or the Kerberos server.

It is generally hard to deliver network authentication without a
network. That said, Kerberos tickets can persist even in the face of
disconnects, so once you've connected, tickets can survive as long as
you wish.

>    SKSML is designed to allow disconnected EKMI clients to continue
>    providing cryptographic services to applications even in the absence
>    of the network or the key-management server.  However, it does
>    require that the Symmetric Key Client Library (SKCL) have connected
>    to the Symmetric Key Services (SKS) server at least once before it
>    can use this capability.

That's no different from Kerberos, and Kerberos works quite well

Perry E. Metzger		perry at

The Cryptography Mailing List