[comp.protocols.kerberos] more comments on comments

NESSETT@CCC.MFECC.LLNL.GOV (05/18/89)

Cliff,

Thanks for your response.  You make some good points.  However, there are some
fine points that I would like to address:

  o  If you are saying that physical security in an "open" environment is such
as to render workstations relatively vulnerable to attack, I would agree.  To
counter-measure physical security problems requires physical security solutions,
such as hardening the workstations so that surreptitious entry zeros all memory,
using physically protected file servers and diskless workstations, encrypting
the traffic between workstations and file servers, etc.  Certainly this is
easier said than done and I am open to the argument that the environment in
which Athena is intended to operate would not realistically support the cost
or administration of such measures.

     However, even given proper physical security, workstations are open to
attacks on their software.  Granting that current operating systems leave their
application space and kernel space equally vulnerable, it still is possible
to place encryption functions (including ticket and authenticator manipulations)
within a cryptographic peripheral, so that keys are protected.  Thus,
compromising the operating system would not compromise the cryptographic keys.
Passwords would have to be entered directly into the peripheral, so that they
do not appear in application or kernel space.  The cost of such a peripheral
should not be excessive, although obviously I cannot judge whether this cost
would be acceptable within the context of Athena.

     Without either physically protecting the workstation or the encryption
functions, it is not clear to me that Kerberos offers a high level of
protection.  Perhaps you could provide the set of threats that Kerberos
is designed to thwart.

  o  Certainly it is true that a workstation could make unsolicited requests
even when a smart card is employed, as you suggest.  However, an encrypting
smart card has the advantage that no one can steal the user's password or
encryption keys, using them without the card.  Thus, an intruder must know
the password *and* be in possession of the proper card (or have the card
connected to a workstation he has compromised) in order to cause damage.
This increases the workfactor necessary to gain indefinite access (in terms
of time interval) to a user's resources and short of that, limits the
opportunity for resource use (only while the card is connected to a compromised
workstation).

  o  It is rather easy, not difficult, to lie about a workstation's IP address
through a judicious (perhaps this is the wrong word) use of the ARP protocol.
I think security mechanisms should significantly lessen the probability of some
threat, not just irritate intruders.

  o  I guess I would like to see a fleshed out proposal of the clock
synchronization protocol you suggest before passing judgment on its merits.
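As an added illustration of the cryptographic-peripheral design argued for in the post above (this is not code from the thread or from Athena): a Python simulation in which the user key and the session key live only inside a `CryptoPeripheral` object, the host holds nothing but the ticket and an encrypted authenticator, and the server rejects an authenticator replayed outside its clock skew. The HMAC-based cipher, the SHA-256 password-to-key step, the JSON message layouts and the names `seal`, `unseal`, `kdc_issue`, `server_verify` and `demo` are all constructed stand-ins, not Kerberos v4's DES formats.

```python
import hashlib, hmac, json, os
def _xor_stream(key, nonce, data):
    # HMAC-SHA256 counter keystream: a constructed stand-in for the DES Kerberos used
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def seal(key, pt):  # encrypt-then-MAC so tampered tickets/authenticators are rejected
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, pt)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return _xor_stream(key, nonce, ct)

class CryptoPeripheral:
    """Holds the user key and the session key; the host only ever sees ciphertext."""
    def __init__(self):
        self._user_key = self._session_key = None
    def enter_password(self, password):  # typed straight into the device, never into host memory
        self._user_key = hashlib.sha256(password.encode()).digest()
    def load_kdc_reply(self, blob):  # {session key} under the user key, decrypted inside the device
        self._session_key = unseal(self._user_key, blob)
    def make_authenticator(self, client, now):  # host supplies name and clock, gets back ciphertext
        return seal(self._session_key, json.dumps({"c": client, "t": now}).encode())

def kdc_issue(user_key, server_key, client):
    session_key = os.urandom(32)
    ticket = seal(server_key, json.dumps({"c": client, "k": session_key.hex()}).encode())
    return seal(user_key, session_key), ticket  # (reply for the device, ticket for the host)

def server_verify(server_key, ticket, authenticator, now, skew=300):
    t = json.loads(unseal(server_key, ticket))
    a = json.loads(unseal(bytes.fromhex(t["k"]), authenticator))
    return a["c"] if a["c"] == t["c"] and abs(now - a["t"]) <= skew else None

def demo(now=1000.0):  # constructed clock value; returns (fresh result, replayed result)
    server_key = os.urandom(32)
    dev = CryptoPeripheral()
    dev.enter_password("correct horse")
    reply, ticket = kdc_issue(hashlib.sha256(b"correct horse").digest(), server_key, "alice")
    dev.load_kdc_reply(reply)
    host = {"ticket": ticket, "auth": dev.make_authenticator("alice", now)}  # all the host holds
    fresh = server_verify(server_key, host["ticket"], host["auth"], now)
    return fresh, server_verify(server_key, host["ticket"], host["auth"], now + 3600)
```

Even if everything in `host` is read by an intruder, it contains only ciphertext, and the replayed authenticator fails the skew check an hour later.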