wesommer@athena.mit.edu (William Sommerfeld) (11/12/88)
In article <1801@sbcs.sunysb.edu>, somebody logged in as root writes:
>
> Huh? If you let anyone on your Ethernet cable with a PC you've
> basically just given up any hope for security. Even active
> methods like Kerberos will not protect you from people who
> just listen to e.g. TCP sessions on the cable.

So, "you can look, but you can't touch". For the most part, that's good enough for academia, once you train people to know not to type passwords in the clear over a network, which is admittedly easier said than done.

Kerberos allows the networked applications to securely exchange a session key; this can allow them to encrypt any "sensitive" data they send, or attach an encrypted checksum to each request in a connection. There isn't much use of this yet, but I suspect that it will become somewhat more common in the future.

Given the speed of most software DES encryption implementations, you pay dearly for encrypting entire packets (with an order of magnitude of 100s of milliseconds/packet on each end of a conversation). If you're less concerned about security, you can always use a weaker but faster encryption method, such as XORing the data with bits from a pseudo-random number generator seeded with the session key.

- Bill
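Added example, not part of the original posts: a sketch contrasting the two options described above, a keyed checksum attached to each request versus XORing the data with a PRNG seeded with the session key. HMAC-SHA-256 stands in for the DES-based encrypted checksum, and the sequence number, key, and request text are constructed assumptions.

```python
import hashlib
import hmac
import random

KEY = b"constructed-session-key"            # constructed sample value
REQUEST = b"print report.txt on printer-3"  # constructed sample request

def xor_stream(session_key: bytes, data: bytes) -> bytes:
    """The weaker-but-faster option: XOR with PRNG output seeded by the key.
    Applying it twice with the same key restores the data."""
    prng = random.Random(session_key)  # not a cryptographic generator
    return bytes(b ^ prng.randrange(256) for b in data)

def seal(session_key: bytes, seq: int, request: bytes) -> bytes:
    """Attach a keyed checksum covering a sequence number and the request."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(session_key, header + request, hashlib.sha256).digest()
    return header + request + tag

def open_sealed(session_key: bytes, expected_seq: int, packet: bytes) -> bytes:
    """Return the request, or raise ValueError if altered or out of order."""
    header, request, tag = packet[:4], packet[4:-32], packet[-32:]
    good = hmac.new(session_key, header + request, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("checksum mismatch: request altered in transit")
    if int.from_bytes(header, "big") != expected_seq:
        raise ValueError("unexpected sequence number: replayed or reordered")
    return request

def demo() -> dict:
    results = {}
    # XOR alone: one bit changed on the wire is accepted without any error.
    wire = bytearray(xor_stream(KEY, REQUEST))
    wire[6] ^= 0x01
    results["xor_only_received"] = xor_stream(KEY, bytes(wire))
    # Checksum attached: the same change is rejected, as is a repeated packet.
    packet = seal(KEY, 1, REQUEST)
    results["clean"] = open_sealed(KEY, 1, packet)
    damaged = bytearray(packet)
    damaged[10] ^= 0x01
    for name, pkt, seq in (("altered", bytes(damaged), 1), ("replayed", packet, 2)):
        try:
            open_sealed(KEY, seq, pkt)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```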
leong+@ANDREW.CMU.EDU (John Leong) (11/15/88)
Kerberos works fine for appropriately designed network applications. Unfortunately, a lot of system administrators still use vanilla Telnet to interact with servers even though the applications themselves use Kerberos. Once that happens, highly privileged passwords can easily be picked off the Ethernet (and easier still off AppleTalk). Human procedural problems tend to still be the weak link regardless of technology improvement.

Leong