17 Dec
2003
17 Dec
'03
11:17 p.m.
Thomas Grant Edwards says:
On Thu, 26 Jan 1995, Perry E. Metzger wrote:
Kerberos per se isn't sufficient to defend against session hijacking attacks, you know. The situation in question is really insidious and requires packet-by-packet cryptographic authentication.
Do you really need to authenticate every packet? Isn't it enough to authenticate the party and perform a secure key exchange, then depend on the encryption (+ message authentication code for block ciphers) ?
If things are merely encrypted, an attacker can garble them without being caught -- I can "decrypt" random numbers into other random numbers if I want. Think of an attacker trying to sabotage the transfer of a binary file and you'll see why you need authentication. Perry