Internet Privacy Guaranteed
Friend,

(KEY #1)

Date: Mon, 19 Feb 1996 20:01:06 -0500
From: "Perry E. Metzger" <perry@piermont.com>
To: IPG Sales <ipgsales@cyberstation.net>
Cc: cypherpunks@toad.com
Subject: Re: Internet Privacy Guaranteed ad (POTP Jr.)

[snip]

...key management makes RSA systems unmanageable for large organizations - offer such a system to Merrill Lynch and be laughed out of the office....

[snip]

Even private key systems are quite workable. I actually work with these firms [large organizations] -- it's what I do for a living. They have existing systems based on KDCs (do you even know what a KDC is?) and they function just fine. As for public key technologies, they [large organizations] are in many cases implementing technologies based on public key system.

[snip]

(KEY #2)

Date: Mon, 19 Feb 1996 20:37:42 -0500
From: "Perry E. Metzger" <perry@piermont.com>
To: IPG Sales <ipgsales@cyberstation.net>
Cc: cypherpunks@toad.com
Subject: Re: Internet Privacy Guaranteed ad (POTP Jr.)

[snip]

IPG Sales writes:

there is no need in talking in circles - You may think that you know everything there is to know about encryption, but believe me, there is a lot more for you to learn - I do not know what KDC's are,

Key Distribution Centers, the center of Needham-Schroeder and similar key management protocols, like the Kerberos protocols.

[snip]

(KEY #3)

Date: Tue, 20 Feb 1996 01:28:01 -0700
From: Nelson Minar <nelson@santafe.edu>
To: cypherpunks@toad.com
Subject: breakable session keys in Kerberos v4

I'm a bit surprised this hasn't turned up yet on Cypherpunks. A couple of forwarded messages: first, an announcement made Fri Feb 16 by Gene Spafford at COAST about an exploitable flaw they've found in Kerberos, and then a comment on the www-security list that it is due to a bad random number generator. Same old story!

The message (lifted from the COAST web site)

[snip]

(a comment I found in reply [to the COAST message])

------- Start of forwarded message -------
From: jis@mit.edu (Jeffrey I. Schiller)
Subject: Re: Kerberos Vulnerability
Newsgroups: hks.lists.www-security
Date: 19 Feb 1996 21:42:08 -0500
Organization: HKS, Inc.
Path: hks.net!news-mail-gateway!owner-www-security
Lines: 8
Sender: root@hks.net
Message-ID: <ad4e9fc40602100421be@[18.162.1.1]>
NNTP-Posting-Host: bb.hks.net

There will be a fix distributed by MIT later this week. The problem is that the random number generator in V4 is worse than we thought! The fix is to retrofit the V5 generator (which is decent) into the V4 KDC.

Note: Only the KDC needs to be updated, clients and servers are unaffected.

-Jeff
------- End of forwarded message -------

(KEY #4)

Kerberos offers a better network security model than ignoring network security entirely. Unfortunately, it is plagued with holes, from windows that remain "authenticated" for hours while the user is at lunch, to passwords that are stored in plain text on the authentication server.

Page 553 of: Evi Nemeth, Garth Snyder, Scott Seebass, Trent R Hein. UNIX System Administration Handbook. Second Edition. Prentice Hall PTR. 1995. ISBN: 0 13 151051 7
email: sa-book@admin.com
http://www.admin.com

Cordially,

Jim

NOTE. The above message excerpts are reformatted.
participants (1)
-
James M. Cobb