CERT statement
Perry E. Metzger
perry at imsi.com
Fri Jan 27 10:53:30 PST 1995
Thomas Grant Edwards says:
> On Thu, 26 Jan 1995, Perry E. Metzger wrote:
>
> > Kerberos per se isn't sufficient to defend against session hijacking
> > attacks, you know. The situation in question is really insidious and
> > requires packet-by-packet cryptographic authentication.
>
> Do you really need to authenticate every packet? Isn't it enough to
> authenticate the party and perform a secure key exchange, then depend on
> the encryption (+ message authentication code for block ciphers) ?
If things are merely encrypted, an attacker can garble them without
being caught -- I can "decrypt" random numbers into other random
numbers if I want. Think of an attacker trying to sabotage the
transfer of a binary file and you'll see why you need authentication.
Perry
More information about the cypherpunks-legacy
mailing list