[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CERT statement

To: Thomas Grant Edwards <[email protected]>
Subject: Re: CERT statement
From: "Perry E. Metzger" <[email protected]>
Date: Fri, 27 Jan 1995 13:52:48 -0500
Cc: [email protected]
In-Reply-To: Your message of "Fri, 27 Jan 1995 13:47:20 EST." <[email protected]>
Reply-To: [email protected]
Sender: [email protected]

Thomas Grant Edwards says:
> On Thu, 26 Jan 1995, Perry E. Metzger wrote:
> 
> > Kerberos per se isn't sufficient to defend against session hijacking
> > attacks, you know. The situation in question is really insidious and
> > requires packet-by-packet cryptographic authentication.
> 
> Do you really need to authenticate every packet?  Isn't it enough to 
> authenticate the party and perform a secure key exchange, then depend on 
> the encryption (+ message authentication code for block ciphers) ?

If things are merely encrypted, an attacker can garble them without
being caught -- I can "decrypt" random numbers into other random
numbers if I want.  Think of an attacker trying to sabotage the
transfer of a binary file and you'll see why you need authentication.

Perry

Follow-Ups:
- Re: CERT statement
  - From: Thomas Grant Edwards <[email protected]>

References:
- Re: CERT statement
  - From: Thomas Grant Edwards <[email protected]>

Prev by Date: Re: CERT statement
Next by Date: Re: CERT statement
Prev by thread: Re: CERT statement
Next by thread: Re: CERT statement
Index(es):
- Date
- Thread