[EMAIL PROTECTED] writes:

> Unless I'm vastly misunderstanding your terms, your understanding
> is, well, "inside out" at best.

Nope, you weren't misunderstanding my terms, I just had the procedure
completely wrong in my head.

> V4: no prove, just assert.
> V5: well, there's preauth, but it is weak; mostly, also assert.
>
> The ticket you get is encrypted in a key you are expected to have,
> namely string2key of your password.

This makes things _so_ much clearer -- thanks!

> [snip explanation]

Well, it makes perfect sense now.

> Google for "zanarotti attack" if you want to find details of the
> common security failure resulting from the assumption that being
> able to decrypt a kdc response in a key handed to you by a user
> means *anything*...

Thanks for the reference. After reading a little, I see now why this
is necessary.

Thanks,

--
Josh Huber

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
