Strength in Complexity?

Perry E. Metzger perry at piermont.com
Mon Aug 4 14:10:05 EDT 2008


Arshad Noor <arshad.noor at strongauth.com> writes:
> That said, Kerberos clearly has the benefit of 20+ years of research
> and use in the field.  However, there are two fundamental differences
> between SKSML and Kerberos, IMHO:
>
> 1) The design goals for Kerberos were very different from SKSML.  The
>    former solves the problem of network-authentication in the face of
>    insecure hosts/networks, while the latter focuses on long-term key
>    management.

Well, Kerberos does both, really. It also has the advantage that it
is fully specified and integrates with GSSAPI.

>    That they both use very similar concepts & components
>    to deliver quite different benefits to applications is testament to
>    the strength and flexibility of the underlying components rather
>    than to a weakness of SKSML.
>
> 2) AFAIK, Kerberos clients cannot deliver their stated benefit (network
>    authentication) in the absence of the network or the Kerberos server.

It is generally hard to deliver network authentication without a
network. That said, Kerberos tickets can persist even in the face of
disconnects, so once you've connected, tickets can survive as long as
you wish.

>    SKSML is designed to allow disconnected EKMI clients to continue
>    providing cryptographic services to applications even in the absence
>    of the network or the key-management server.  However, it does
>    require that the Symmetric Key Client Library (SKCL) have connected
>    to the Symmetric Key Services (SKS) server at least once before it
>    can use this capability.

That's no different from Kerberos, and Kerberos works quite well
already.


Perry
-- 
Perry E. Metzger		perry at piermont.com
