
Re: How KDC ensure the security of the key in its dbase



Lara Adianto <m1r4cle_26@yahoo.com> writes:

> As I traced the heimdal's code, I found out that the principal's
> long term key is stored in the hdb_entry structure without any
> encryption or any other means of protection.

The keys may be encrypted.

> Is this safe enough? 

> Since the security of Kerberos lies in the possession of the
> key, wouldn't this be a threat since the hacker can try to intercept
> any AS-REQ packet and then with the possession of the key process
> the AS-REQ or TGS-REQ ?

The answer depends on what "safe enough" means. It should be no
surprise to anyone that Kerberos is an all-eggs-in-one-basket
system. You should take all possible measures to make sure nobody can
get into your KDC. I'm not aware of anyone having their KDC hacked,
but it could definitely happen, so there's room for improvements.

It may or may not be better to have them split up (like with a public
key system), as that puts the burden on the user. Some public key
systems have also moved to a central key database where you check out
proxy certificates (does this sound like Kerberos to anyone?).

We've been talking of some sort of privsep setup (with the database in
a separate process and having the kdc and kadmind making calls to it).
This would in theory make it possible to have the database on a
separate machine off the Internet, and would as a side effect make
database locking less of a pain. This could also be combined with some
hardware encryption thingy. We will probably implement this in a
future release.

/Johan
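An added illustration, not part of the original thread, of what "the keys may be encrypted" buys you and of the privsep split described above: the long-term keys are sealed under a master key that only the key-store process holds, the KDC fetches keys through that process, and a copy of the database file alone yields nothing usable. This is example code written for this page, not Heimdal's hdb or kstash code; Heimdal's real master-key handling has its own on-disk format. The AES-GCM layout, the binding of each sealed entry to its principal name and kvno, the in-memory map standing in for the database, and every name and key value below are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedKey is the only form in which a principal's long-term key is
// written to the database: AES-GCM ciphertext under the master key plus
// the nonce. The clear key never reaches the database file.
type SealedKey struct {
	Kvno       uint32
	Nonce      []byte
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

// KeyStore stands in for the separate process that holds the master key
// and the database. The master key comes from outside (Heimdal keeps it in
// a stash file); here the caller passes 32 bytes (AES-256).
type KeyStore struct {
	aead cipher.AEAD
	db   map[string]SealedKey // constructed in-memory stand-in for the hdb
}

func NewKeyStore(master []byte) (*KeyStore, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyStore{aead: aead, db: make(map[string]SealedKey)}, nil
}

// aad binds a sealed entry to its principal name and kvno, so an entry
// copied onto another principal (or an older kvno) fails to unseal.
func aad(principal string, kvno uint32) []byte {
	return []byte(fmt.Sprintf("%s|kvno=%d", principal, kvno))
}

// Store seals a long-term key and writes only the sealed form.
func (s *KeyStore) Store(principal string, kvno uint32, key []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := s.aead.Seal(nil, nonce, key, aad(principal, kvno))
	s.db[principal] = SealedKey{Kvno: kvno, Nonce: nonce, Ciphertext: ct}
	return nil
}

// Fetch is the call a KDC makes when it needs the key to process an
// AS-REQ: unseal and return it, failing on tampering or a wrong master key.
func (s *KeyStore) Fetch(principal string) ([]byte, uint32, error) {
	e, ok := s.db[principal]
	if !ok {
		return nil, 0, errors.New("no such principal")
	}
	key, err := s.aead.Open(nil, e.Nonce, e.Ciphertext, aad(principal, e.Kvno))
	if err != nil {
		return nil, 0, fmt.Errorf("unseal %s: %w", principal, err)
	}
	return key, e.Kvno, nil
}

// Entries returns what an attacker who copied the database file would get:
// sealed entries only, no master key.
func (s *KeyStore) Entries() map[string]SealedKey {
	out := make(map[string]SealedKey, len(s.db))
	for p, e := range s.db {
		out[p] = e
	}
	return out
}

// Load writes a sealed entry as-is: restoring a copied database, or an
// attacker moving one principal's entry onto another.
func (s *KeyStore) Load(principal string, e SealedKey) {
	s.db[principal] = e
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed master key
	ks, _ := NewKeyStore(master)
	ltk := bytes.Repeat([]byte{0x11}, 32) // constructed long-term key
	_ = ks.Store("lara@EXAMPLE.ORG", 3, ltk)
	key, kvno, err := ks.Fetch("lara@EXAMPLE.ORG")
	fmt.Printf("kvno=%d key-matches=%v err=%v\n", kvno, bytes.Equal(key, ltk), err)
}
```

The point of the split is where the master key lives: the KeyStore is the component you would run as its own process, or on a machine off the Internet, while the kdc and kadmind only ever call Store and Fetch. Someone who copies the database gets the Entries output, and loading those entries under a different master key, or onto a different principal, fails to unseal rather than yielding a key.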