[Cryptography] secure authentication ... as opposed to passwords

Roland C. Dowdeswell elric at imrryr.org
Thu May 10 11:29:52 EDT 2018


On Tue, May 08, 2018 at 11:21:20PM -0700, John Gilmore wrote:

> As I recall from using it for various things over the last 30 years,
> its UI is stupid; like PGP, it assumes that you want one identity to
> authenticate you to everyplace you go, instead of making it easy to
> use separate identities with separate vendors;

From an end-user perspective, Heimdal and MIT Kerberos do not
provide much of the UI with which users actually interact.  They
are mostly libraries which are loaded into existing applications.
Currently, it is certainly possible for an application to understand
that a user may have multiple identities and select which one to
use in different circumstances.

>                                                it still hasn't learned
> about the Domain Name System and instead has its own strange idea of
> not-quite-domain "REALMS"; etc.

In most installations, realms are mapped directly to DNS domains.
Realms provide a layer of indirection that allows administrators
to group subdomains into a single Kerberos realm to ease management.

Kerberos is actually much more similar to and aligned with DNS in
most installations than most other authentication solutions.  Cross
realm trust is by default hierarchical and follows the same patterns
as DNS delegation.

>                                  But does it do the basic thing --
> authentication without sending plaintext passwords -- that you're
> asking for?  It's already an Internet standard, and even widely used
> on Microsoft platforms.  Could it be de-crufted for use in web
> authentication?

There is a standard for using Kerberos in HTTP and it is widely
implemented and used.

> Also, the last (Ubuntu) kerberos I tried to use seemed to still be
> using a SHA1 HMAC, even though it is also using aes256
> ("aes256-cts-hmac-sha1-96")?  And it seemed to have some single-DES
> keys lying around "for compatability with K4", along with an RC4-HMAC
> and a 3DES key?  At first glance, that looks perfect for downgrade
> attacks.

You have to work hard to enable DES support.  It is disabled by
default in both Heimdal and MIT Kerberos.  I don't recall that
there are any vulnerabilities with an HMAC which uses sha1.  sha2
is also supported.  Yes, 3des and rc4 are still supported for
compatibility with previous releases but no one is required to use
them.

--
    Roland C. Dowdeswell                   http://Imrryr.ORG/~elric/
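Two of the points in the reply above lend themselves to a small defender-side check: the realm-to-DNS mapping that administrators configure, and the enctypes that a keytab still carries for compatibility. The following is an added illustration written for this archive page; it is not code from the thread, from Heimdal or from MIT Kerberos. The [domain_realm]-style mapping and the klist-style keytab listing are constructed sample inputs, the realm lookup is a simplified version of the krb5.conf rule (exact host entry, then longest dotted-suffix entry; the real libraries add DNS-based fallbacks not modelled here), and the grouping of enctype names into weak, legacy and modern classes is this example's own choice.

```python
"""Defender-side checks for a Kerberos deployment (added illustration,
not code from the cryptography list thread or from Heimdal/MIT)."""
import re

# Constructed [domain_realm]-style mapping.  A leading dot matches every
# host under that domain; an entry without a dot matches one host only.
DOMAIN_REALM = {
    ".example.com": "EXAMPLE.COM",
    ".lab.example.com": "LAB.EXAMPLE.COM",
    "legacy.example.com": "OPS.EXAMPLE.COM",
}


def realm_for_host(hostname, mapping=DOMAIN_REALM):
    """Map a hostname to a realm: exact entry first, then the longest
    dotted-suffix entry.  Simplified assumption about the krb5.conf rule;
    the real libraries also consult DNS, which is not modelled here."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    # Suffixes are generated longest-first, so the most specific wins.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


# Enctype names as MIT krb5 prints them, grouped by the risk classes the
# thread discusses (single DES; 3DES/RC4 kept for compatibility; AES).
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1"}
LEGACY = {"des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5",
          "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}
MODERN = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
          "aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192"}

# Constructed sample resembling `klist -ke` output for a host keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/web.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 host/web.example.com@EXAMPLE.COM (arcfour-hmac)
   3 host/web.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 host/web.example.com@EXAMPLE.COM (des-cbc-crc)
"""

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_klist(text):
    """Return (kvno, principal, enctype) tuples from klist -ke style text;
    header and separator lines do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries


def audit_enctypes(entries):
    """Classify every non-AES keytab entry.  A key that is still present
    is a key a peer may be talked into using, so each one is a finding."""
    findings = {"weak": [], "legacy": [], "unknown": []}
    for kvno, principal, etype in entries:
        if etype in MODERN:
            continue
        if etype in WEAK:
            bucket = "weak"
        elif etype in LEGACY:
            bucket = "legacy"
        else:
            bucket = "unknown"
        findings[bucket].append((principal, kvno, etype))
    return findings


if __name__ == "__main__":
    for host in ("web.lab.example.com", "mail.example.com",
                 "legacy.example.com", "host.other.org"):
        print(f"{host:24} -> {realm_for_host(host)}")
    report = audit_enctypes(parse_klist(SAMPLE_KLIST))
    for bucket, items in report.items():
        for principal, kvno, etype in items:
            print(f"{bucket:8} kvno={kvno} {principal} {etype}")
```

Running the script prints the realm chosen for each sample host and then one line per non-AES key in the sample keytab; an empty report for a real keytab means every stored key is an AES key, which is the state the reply describes as the default for a fresh Heimdal or MIT installation.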

