NESSETT@CCC.MFECC.LLNL.GOV (05/18/89)
Cliff, Thanks for your response. You make some good points. However, there are some fine points that I would like to address:

o If you are saying that physical security in an "open" environment is such as to render workstations relatively vulnerable to attack, I would agree. To counter physical security problems requires physical security solutions, such as hardening the workstations so that surreptitious entry zeros all memory, using physically protected file servers and diskless workstations, encrypting the traffic between workstations and file servers, etc. Certainly this is easier said than done and I am open to the argument that the environment in which Athena is intended to operate would not realistically support the cost or administration of such measures. However, even given proper physical security, workstations are open to attacks on their software. Granting that current operating systems leave their application space and kernel space equally vulnerable, it still is possible to place encryption functions (including ticket and authenticator manipulations) within a cryptographic peripheral, so that keys are protected. Thus, compromising the operating system would not compromise the cryptographic keys. Passwords would have to be entered directly into the peripheral, so that they do not appear in application or kernel space. The cost of such a peripheral should not be excessive, although obviously I cannot judge whether this cost would be acceptable within the context of Athena. Without either physically protecting the workstation or the encryption functions, it is not clear to me that Kerberos offers a high level of protection. Perhaps you could provide the set of threats that Kerberos is designed to thwart.

o Certainly it is true that a workstation could make unsolicited requests even when a smart card is employed, as you suggest. However, an encrypting smart card has the advantage that no one can steal the user's password or encryption keys, using them without the card. Thus, an intruder must know the password *and* be in possession of the proper card (or have the card connected to a workstation he has compromised) in order to cause damage. This increases the workfactor necessary to gain indefinite access (in terms of time interval) to a user's resources and, short of that, limits the opportunity for resource use (only while the card is connected to a compromised workstation).

o It is rather easy, not difficult, to lie about a workstation's IP address through a judicious (perhaps this is the wrong word) use of the ARP protocol. I think security mechanisms should significantly lessen the probability of some threat, not just irritate intruders.

o I guess I would like to see a fleshed out proposal of the clock synchronization protocol you suggest before passing judgment on its merits.
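The ARP point in the message above (that a workstation's IP address is easily misrepresented and so is a weak thing to authenticate on) has a defensive counterpart: watching the LAN for IP-to-MAC binding changes and pinning the bindings of hosts that must never move, such as the file server. The following monitor is an added example, not code from this message or from Kerberos/Athena; the ARP reply events, every address in them, and the pinned entry are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample ARP replies seen on one LAN segment: (timestamp, sender IP, sender MAC).
# All addresses below are made up for this example.
SAMPLE_ARP_REPLIES = [
    (100, "10.0.0.5", "00:11:22:33:44:55"),   # a server, first seen
    (101, "10.0.0.9", "00:11:22:33:44:66"),   # a workstation
    (160, "10.0.0.5", "00:11:22:33:44:55"),   # same binding again, no change
    (161, "10.0.0.5", "aa:bb:cc:dd:ee:ff"),   # server IP now claimed by a different MAC
    (162, "10.0.0.9", "00:11:22:33:44:66"),
    (200, "10.0.0.5", "00:11:22:33:44:55"),   # binding flips back to the original MAC
    (201, "10.0.0.2", "de:ad:be:ef:00:01"),   # contradicts the pinned entry below
]

# Pinned (static) bindings for hosts whose IP-to-MAC mapping must never change
# (assumed here: the file server); the operational mitigation is a static ARP entry.
PINNED_BINDINGS = {"10.0.0.2": "00:11:22:33:44:01"}

Alert = Tuple[int, str, str, str, str]  # (ts, ip, expected MAC, observed MAC, reason)

@dataclass
class ArpMonitor:
    pinned: Dict[str, str] = field(default_factory=dict)   # bindings that must not change
    learned: Dict[str, str] = field(default_factory=dict)  # bindings seen so far
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, ts: int, ip: str, mac: str) -> bool:
        """Record one ARP reply; return True if it raised an alert."""
        expected = self.pinned.get(ip)
        if expected is not None:
            # A pinned host is never re-learned: any other MAC is a mismatch.
            if mac != expected:
                self.alerts.append((ts, ip, expected, mac, "pinned-mismatch"))
                return True
            return False
        prev = self.learned.get(ip)
        self.learned[ip] = mac  # dynamic hosts may legitimately move; learn the new value
        if prev is not None and prev != mac:
            self.alerts.append((ts, ip, prev, mac, "binding-changed"))
            return True
        return False

def scan(events, pinned=None) -> List[Alert]:
    """Run the monitor over a list of (ts, ip, mac) replies and return all alerts."""
    mon = ArpMonitor(pinned=dict(pinned or {}))
    for ts, ip, mac in events:
        mon.observe(ts, ip, mac)
    return mon.alerts
```

Dynamic hosts are re-learned after an alert so that a machine that legitimately moves raises one notice rather than a stream of them, while a pinned host raises an alert on every contradicting reply.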