Reference no: EM1379596

Question1. Assume we want to use Kerberos for securing electronic mail. The obvious way of accomplishing this is for Alice, when sending a message to Bob, to obtain a ticket for Bob and include that in the email message, and to encrypt and/or integrity-protect the email message using the key in the ticket. The problem with this is that then the KDC would give Alice a quantity encrypted with Bob's password-derived master key, and then Alice could do off-line password guessing. How might Kerberos be extended to secure email without allowing off-line password guessing?
(Hint: Issue human users an extra, unguessable master key for use with mail, and extend the Kerberos protocol to allow Bob to safely obtain his unguessable master key from the KDC.)

Question2. Suppose we are using secret key technology. What is wrong with the following source authentication scheme?
Alice chooses a per-message secret key K, and puts an encrypted version of K in the header for each recipient, (ie Bob and Ted). Next, Alice uses K to compute a MAC on the message, say a DES-CBC residue, or to compute a message digest of K and append it to the message.

(Hint: this works fine for a single recipient, but there is a security problem if Alice sends a multiple-recipient message. Once they receive the message, Bob and Ted know both K and K encrypted with the key they share with Alice. This allows either to forge a message to the other as if it were from Alice.)