On Wed, May 1, 2013 at 9:50 AM, Florian Weimer <f...@deneb.enyo.de> wrote:
> I've recently been asked to comment on a key exchange protocol which
> uses symmetric cryptography and a mutually trusted third party. The
> obvious recommendation is to copy the Kerberos protocol (perhaps with
> updated cryptographic primitives), but let's assume that's not
> feasible for some reason.

Kerberos has a few flaws, mostly with trivial effects or which have been fixed subsequently. Most, if not all, of these flaws are about unauthenticated plaintext: the Ticket in the KDC-REP, for example, but also PA-DATA in KDC-REP, and KRB-ERROR in cases where the error can be authenticated because a session key could be established. FAST (RFC6113) fixes these issues, except for KRB-ERROR in AP exchanges, but it's not as elegant as it could have been if Kerberos had not had these problems from the word go.

Another problem is that all of the cross-realm work should preferably be done by the client principal's KDC as an option to keep clients simple. (This at some costs in policy that can be expressed, or how to express and deploy it.)

Nico
--
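
Added example, not part of the original message and not Kerberos or RFC 6113 code: a simplified model of the "unauthenticated plaintext" point above, where a reply carries a ticket beside a protected part, once with nothing binding the two and once with a keyed checksum of the ticket inside the protected part. The message layout, field names, HMAC-only protection (no encryption) and the choice of checksum key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_reply(reply_key, session_key, ticket, bind_ticket):
    """Toy KDC reply: the ticket travels beside, not inside, the protected part."""
    protected = {"session_key": session_key.hex()}
    if bind_ticket:
        # Hardened variant: a keyed checksum of the ticket rides inside the protected part.
        protected["ticket_checksum"] = mac(session_key, ticket).hex()
    body = json.dumps(protected, sort_keys=True).encode()
    return {"ticket": ticket, "protected": body, "tag": mac(reply_key, body)}

def client_accepts(reply_key, reply):
    """True if the client would go on to use reply['ticket']."""
    if not hmac.compare_digest(mac(reply_key, reply["protected"]), reply["tag"]):
        return False  # protected part was modified
    protected = json.loads(reply["protected"])
    checksum = protected.get("ticket_checksum")
    if checksum is None:
        return True  # unbound variant: nothing ties the ticket to this reply
    session_key = bytes.fromhex(protected["session_key"])
    return hmac.compare_digest(mac(session_key, reply["ticket"]), bytes.fromhex(checksum))

def run_cases():
    # All keys and tickets below are constructed sample values.
    reply_key = bytes(range(32))
    session_key = bytes(range(32, 64))
    issued, other = b"ticket-for-service-A", b"ticket-for-service-B"
    results = {}
    for name, bind in (("unbound", False), ("bound", True)):
        reply = kdc_reply(reply_key, session_key, issued, bind)
        results[name + "/intact"] = client_accepts(reply_key, reply)
        swapped = dict(reply, ticket=other)  # ticket replaced in transit
        results[name + "/swapped"] = client_accepts(reply_key, swapped)
    return results

if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case:16} accepted={accepted}")
```

In the unbound variant the client has no way to notice the substituted ticket until a later exchange fails; in the bound variant the mismatch is caught when the reply is processed.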