Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

[Nicolas Williams <Nicolas.Williams@sun.com>]

On Fri, Aug 19, 2005 at 11:10:35PM -0400, Shumon Huque wrote:
> Kerberos has always assumed that the network is completely insecure
> and the general defense against offline dictionary attack is strong
> passwords. I agree that perhaps this isn't enough anymore. But then, 

That's fair for Kerberos IV, but Kerberos V always allowed for new
pre-authentication methods, while Kerberos IV lacked even pre-auth.

> I think the Kerberos community needs to work on standardizing password 
> based pre-authentication mechanisms invulnerable to dictionary attack 
> (perhaps EKE, AEKE, SPEKE, SRP etc). Hardware pre-authentication
> mitigates the threat somewhat. But PKINIT isn't really an option for 
> the many sites that don't plan to authenticate users with public key 
> credentials (or deploy PKI).

Did you attend the SACRED WG meeting at IETF 63?

> At one time, some of us were talking about an EAP method that
> transported Kerberos messages directly. It seems to me that putting
> some effort into completing that work would be immediately useful
> to Kerberos sites that need to deploy 802.1X or 802.11i soon.

Indeed.  That would be an example of framework bindings of a security
mechanisms, as opposed to EAP-GSS, which would be a bridge.

Nico
-- 

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech