Internet Privacy Guaranteed

["James M. Cobb" <jcobb@ahcbsd1.ovnet.com>]

  Friend, 
 
 
                           (KEY #1) 
 
 
  Date: Mon, 19 Feb 1996 20:01:06 -0500
  From: "Perry E. Metzger" <perry@piermont.com>
  To: IPG Sales <ipgsales@cyberstation.net>
  Cc: cypherpunks@toad.com
  Subject: Re: Internet Privacy Guaranteed ad (POTP Jr.)

  [snip]  
 
  > ...keymanagem,ent makes RSA systems unmanageable for large 
  > organizations - offer such a suystem to Merrill Lynch and be 
  > laughed out of the office.... 

  [snip] 

  Even private key systems are quite workable. I actually work 
  with these firms [large organizations] -- its what I do for a 
  living. They have existing systems based on KDCs (do you even 
  know what a KDC is?) and they function just fine. As for public 
  key technologies, they [large organizations] are in many cases 
  implementing technologies based on public key system. 
 
  [snip] 
 
                            (KEY #2) 
 
 
  Date: Mon, 19 Feb 1996 20:37:42 -0500
  From: "Perry E. Metzger" <perry@piermont.com>
  To: IPG Sales <ipgsales@cyberstation.net>
  Cc: cypherpunks@toad.com
  Subject: Re: Internet Privacy Guaranteed ad (POTP Jr.) 
 
  [snip] 
 
  IPG Sales writes:
  > there is no need in talking in circles - You may think that 
  > you know everything there is to know about encryption, but 
  > believe me, there is a lot more for you to learn - I do not 
  > now what KDC's are,

  Key Distribution Centers, the center of Needham-Schroeder and 
  similar key management protocols, like the Kerberos protocols. 
 
  [snip] 
 
 
                             (KEY #3) 
 
  
  Date: Tue, 20 Feb 1996 01:28:01 -0700
  From: Nelson Minar <nelson@santafe.edu>
  To: cypherpunks@toad.com
  Subject: breakable session keys in Kerberos v4 
 
  I'm a bit suprised this hasn't turned up yet on Cypherpunks.  A couple
  of forwarded messages: first, an announcement made Fri Feb 16 by Gene
  Spafford at COAST about an exploitable flaw they've found in Kerberos,
  and then a comment on the www-security list that it is due to a bad
  random number generator. Same old story! 
 
  The message (lifted from the COAST web site)
 
  [snip] 
 
  (a comment I found in reply [to the COAST message]) 
 
  ------- Start of forwarded message -------
  From: jis@mit.edu (Jeffrey I. Schiller)
  Subject: Re: Kerberos Vulnerability
  Newsgroups: hks.lists.www-security
  Date: 19 Feb 1996 21:42:08 -0500
  Organization: HKS, Inc.
  Path: hks.net!news-mail-gateway!owner-www-security
  Lines: 8
  Sender: root@hks.net
  Message-ID: <ad4e9fc40602100421be@[18.162.1.1]>
  NNTP-Posting-Host: bb.hks.net
 
  There will be a fix distributed by MIT later this week. The problem is 
  that the random number generator in V4 is worse then we thought! The 
  fix is to retrofit the V5 generator (which is decent) into the V4 KDC. 
  Note: Only the KDC needs to be updated, clients and servers are unaf- 
  fected. 
 
                                -Jeff
 
 
  ------- End of forwarded message -------
 
 
 
                               (KEY #4) 
 
 
  Kerberos offers a better network security model than ignoring 
  network security entirely.  Unfortunately, it is plagued with 
  holes, from windows that remain "authenticated" for hours while 
  the user is at lunch, to passwords that are stored in plain text 
  on the authentication server. 
 
        Page 553 of: 

        Evi Nemeth, Garth Snyder, Scott Seebass, Trent R Hein. 
 
        UNIX System Administration Handbook. Second Edition. 
 
        Prentice Hall PTR. 
 
        1995. 
 
        ISBN: 0 13 151051 7 
 
        email: sa-book@admin.com 
 
        http://www.admin.com 
                  
 
 
  Cordially, 
 
  Jim 
 
 
 
  NOTE.  The above message excerpts are reformatted.