From: @ulysses.att.com:mischu@allegra.att.com
To: kerberos@ATHENA.MIT.EDU, krb-protocol@ATHENA.MIT.EDU,
Cc: mischu@allegra.att.com
Reply-To: smb@ulysses.att.com, mischu@allegra.att.com
Date: Fri, 13 Jul 90 09:49:18 EDT

Michael Merritt and I have a paper on the limitations of Kerberos, which has been submitted to Computer Communications Review. A draft, in Postscript, is available for anonymous ftp from inet.att.com (192.20.225.2) in ~ftp/dist/kerblimit.ps.

--Steve Bellovin
smb@ulysses.att.com

Abstract:

The Kerberos authentication system, a part of MIT's Project Athena, has been adopted by other organizations. Despite Kerberos's many strengths, it has a number of limitations and some weaknesses. Some are due to specifics of the MIT environment; others represent deficiencies in the protocol design. We discuss a number of such problems, and present solutions to some of them. We also demonstrate how special-purpose cryptographic hardware may be needed in some cases.