Internet Privacy Guaranteed

James M. Cobb jcobb at ahcbsd1.ovnet.com
Tue Feb 20 13:04:54 PST 1996


 
 
  Friend, 
 
 
                           (KEY #1) 
 
 
  Date: Mon, 19 Feb 1996 20:01:06 -0500
  From: "Perry E. Metzger" <perry at piermont.com>
  To: IPG Sales <ipgsales at cyberstation.net>
  Cc: cypherpunks at toad.com
  Subject: Re: Internet Privacy Guaranteed ad (POTP Jr.)

  [snip]  
 
  > ...key management makes RSA systems unmanageable for large 
  > organizations - offer such a system to Merrill Lynch and be 
  > laughed out of the office.... 

  [snip] 

  Even private key systems are quite workable. I actually work 
  with these firms [large organizations] -- it's what I do for a 
  living. They have existing systems based on KDCs (do you even 
  know what a KDC is?) and they function just fine. As for public 
  key technologies, they [large organizations] are in many cases 
  implementing technologies based on public key systems. 
 
  [snip] 
 
                            (KEY #2) 
 
 
  Date: Mon, 19 Feb 1996 20:37:42 -0500
  From: "Perry E. Metzger" <perry at piermont.com>
  To: IPG Sales <ipgsales at cyberstation.net>
  Cc: cypherpunks at toad.com
  Subject: Re: Internet Privacy Guaranteed ad (POTP Jr.) 
 
  [snip] 
 
  IPG Sales writes:
  > there is no need in talking in circles - You may think that 
  > you know everything there is to know about encryption, but 
  > believe me, there is a lot more for you to learn - I do not 
  > know what KDC's are,

  Key Distribution Centers, the center of Needham-Schroeder and 
  similar key management protocols, like the Kerberos protocols. 
 
  [snip] 
 
 
                             (KEY #3) 
 
  
  Date: Tue, 20 Feb 1996 01:28:01 -0700
  From: Nelson Minar <nelson at santafe.edu>
  To: cypherpunks at toad.com
  Subject: breakable session keys in Kerberos v4 
 
  I'm a bit surprised this hasn't turned up yet on Cypherpunks.  A couple
  of forwarded messages: first, an announcement made Fri Feb 16 by Gene
  Spafford at COAST about an exploitable flaw they've found in Kerberos,
  and then a comment on the www-security list that it is due to a bad
  random number generator. Same old story! 
 
  The message (lifted from the COAST web site)
 
  [snip] 
 
  (a comment I found in reply [to the COAST message]) 
 
  ------- Start of forwarded message -------
  From: jis at mit.edu (Jeffrey I. Schiller)
  Subject: Re: Kerberos Vulnerability
  Newsgroups: hks.lists.www-security
  Date: 19 Feb 1996 21:42:08 -0500
  Organization: HKS, Inc.
  Path: hks.net!news-mail-gateway!owner-www-security
  Lines: 8
  Sender: root at hks.net
  Message-ID: <ad4e9fc40602100421be@[18.162.1.1]>
  NNTP-Posting-Host: bb.hks.net
 
  There will be a fix distributed by MIT later this week. The problem is 
  that the random number generator in V4 is worse than we thought! The 
  fix is to retrofit the V5 generator (which is decent) into the V4 KDC. 
  Note: Only the KDC needs to be updated, clients and servers are 
  unaffected. 
 
                                -Jeff
 
 
  ------- End of forwarded message -------
 
 
 
                               (KEY #4) 
 
 
  Kerberos offers a better network security model than ignoring 
  network security entirely.  Unfortunately, it is plagued with 
  holes, from windows that remain "authenticated" for hours while 
  the user is at lunch, to passwords that are stored in plain text 
  on the authentication server. 
 
        Page 553 of: 

        Evi Nemeth, Garth Snyder, Scott Seebass, Trent R Hein. 
 
        UNIX System Administration Handbook. Second Edition. 
 
        Prentice Hall PTR. 
 
        1995. 
 
        ISBN: 0 13 151051 7 
 
        email: sa-book at admin.com 
 
        http://www.admin.com 
                  
 
 
  Cordially, 
 
  Jim 
 
 
 
  NOTE.  The above message excerpts are reformatted. 
 
 
 






