What happens if my KDC is compromised?

Bram Cymet bcymet at cbnco.com
Fri Sep 17 13:54:22 EDT 2010


Just to be clear, we did not have our KDC hacked. I was just proposing
a hypothetical situation so that we could properly assess the risks
involved.

Now, based on comments that we have received from the Kerberos community,
we have redesigned our authentication plan.

On 09/17/2010 09:10 AM, ronnie sahlberg wrote:
> They got to the kdc?
> Ouch.
>
>
> Black hat can very likely now authenticate as any user in your
> authentication domain to any service. Access any file on your NAS, any
> document.
> If they got to the kdc, it is basically game over.
>
> You have to re-key every single password in the entire realm.
> Depending on how sensitive the systems are and the data, and how
> paranoid you are, you might consider rebuilding/reinstalling all
> systems from scratch. Servers, workstations, everything. And restore
> data from the last known good backup before the systems got
> compromised.
>
>
> I am so happy I am not you right now.
>
>
>
> regards
> ronnie sahlberg
>
> On Fri, Sep 17, 2010 at 9:28 PM, Bram Cymet <bcymet at cbnco.com> wrote:
>> Hi,
>>
>> What would be the implications if my KDC was compromised and an attacker
>> got a hold of the KDB or in my case the LDAP directory storing principal
>> information?
>>
>> As far as I have been able to tell this attacker can now authenticate as
>> any of my users. I know the passwords are hashed in the directory but it
>> is this hash that is the shared private key between the kdc and the
>> client correct?
>>
>> So an attacker can use this hash to do any pre-auth that is required and
>> authenticate to my KDC.
>>
>> Am I missing something or is it the case that if my KDC was compromised
>> I am in big trouble?
>>
>> If I am using pkinit with certs I believe this problem can be eliminated
>> but using certs is not always an option.
>>
>> Thanks,
>>
>> --
>> Bram Cymet
>> Software Developer
>> Canadian Bank Note Co. Ltd.
>> Cell: 613-608-9752
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>


-- 
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
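The remediation the thread settles on is to re-key every principal in the realm, since the KDB (or the LDAP directory behind it) holds the long-term keys themselves. The helper below is an added example, not code from either poster or from MIT Kerberos: it takes the text of a `kadmin.local -q "get_principal ..."` listing (a constructed sample here; the field layout is assumed from MIT kadmin's `getprinc` output) and reports which principals still carry a key from before an assumed compromise time, so an administrator can track a realm-wide re-key to completion. Principals whose key was never changed since creation are reported too, since that key is exactly what the stolen database contains; service principals in that list need a new keytab, not just a password change.

```python
import re
from datetime import datetime

# Constructed sample of "kadmin.local -q 'get_principal <name>'" output,
# one record per principal (assumed layout; real output has more fields).
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Sep 09 08:15:00 EDT 2010
Last successful authentication: Fri Sep 17 09:00:00 EDT 2010

Principal: bob@EXAMPLE.COM
Expiration date: [never]
Last password change: Fri Sep 17 14:30:00 EDT 2010
Last successful authentication: [never]

Principal: nfs/nas.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Last successful authentication: [never]
"""

PRINC_RE = re.compile(r"^Principal: (\S+)$", re.M)
CHANGE_RE = re.compile(r"^Last password change: (.+)$", re.M)


def parse_kadmin_time(text):
    """Parse 'Thu Sep 09 08:15:00 EDT 2010'; '[never]' means the key was never changed."""
    if text.strip() == "[never]":
        return None
    parts = text.split()
    # Drop the zone abbreviation (5th token) so strptime does not choke on it;
    # all kadmin timestamps on one host share the same zone, so comparisons stay valid.
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")


def principals_needing_rekey(getprinc_output, compromise_time_text):
    """Return principals whose long-term key predates the compromise or was never rotated."""
    compromised_at = parse_kadmin_time(compromise_time_text)
    pending = []
    for record in getprinc_output.strip().split("\n\n"):
        name = PRINC_RE.search(record).group(1)
        changed = parse_kadmin_time(CHANGE_RE.search(record).group(1))
        if changed is None or changed <= compromised_at:
            pending.append(name)
    return pending


if __name__ == "__main__":
    # Assumed compromise time for the constructed sample.
    for princ in principals_needing_rekey(SAMPLE_GETPRINC, "Fri Sep 17 09:10:00 EDT 2010"):
        print("still needs re-key:", princ)
```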