fouts@lemming. (Marty Fouts) (10/24/88)
Several people have politely pointed out to me that I misunderstood the way in which systems such as Kerberos handle authentication when I said: >The problem with using even a trusted authentication server is >that before I believe that you are the authentication server, you have >to prove you are the authentication server in the presence of the >possibility that someone else will pretend to be the authentication >server, or attempt to cause me to believe you are not. This is technically true, since I cast my statement in terms of authentication servers who were authenticating my claim to be me, an has has been pointed out to me, Kerberos and other such systems allow me to authenticate the server. I would like to retract the original statement, the defense of which would take me far and away from the point I was trying to make, and try to recast my original point. [As an aside, I would like to thank the people who pointed out the work in the CACM in 78 or there abouts. It has been ten years since I read it, and my memory is a little week. I would like to ask the same people if they could provide me with references to the follow on literature, which I read once but didn't maintain a bibliography of.] My main contention was (and remains) that in the face of a hostile network, correct authentication remains an unsolved problem. Kerberos has been described to me as a system working along the lines of [somewhat simplified for exposition] 1) I send a random clear text message to the server. 2) The server encrypts this message using an encryption function and a key which I and the server now and replies. 3) I decrypt the encrypted text. If it matches then I have authenticated the server. [With a one way function I compare the encrypted version returned to the encyrpted version I have calculated.] Optionally, a similar protocol can be used to authenticate me to the server, once I trust it. The naive description of the algorithm contains some glaring flaws, and various extentions tighten up the problems. Neither the naive version described here, nor the attempted sophistications address the problem of an outside source obtaining or deducing the key; rather it is *assumed* that the key is safe. This is my original thesis: Assuming the safety of any part of the system is naive in a hostile environment. For example, the replies I've had about Kerberos say things like "assume the authentication server can be trusted", "assume physical security of the keys." The major feature of *real* security is that a system is as insecure as its least secure part. When I want to evaluate the security of a system, the first thing I look at is the weakness of its assumptions. If you have to assume a proposition whose negation invalidates your security, you have made an overly optimistic assumption. This leads to my original conclusion: Absolute security is at best an unsolved problem, and at worst an unsolvable problem. I am aware of instances in which the 'safe' authentication server has been compromised, the 'unobtainable' keys have been discovered, the 'oneway' encryption algorithm has been inverted, and the 'random' selection of text wasn't. OK. I goofed on the details of the Kerberos system, but I still maintain the original thesis. Marty -- +-+-+-+ I don't know who I am, why should you? +-+-+-+ | fouts@lemming.nas.nasa.gov | | ...!ames!orville!fouts | | Never attribute to malice what can be | +-+-+-+ explained by incompetence. +-+-+-+