What happens if my KDC is compromised?

Ken Raeburn raeburn at MIT.EDU
Fri Sep 17 14:33:04 EDT 2010


On Sep 17, 2010, at 08:16, John Hascall wrote:
>> What would be the implications if my KDC was compromised and an attacker 
>> got a hold of the KDB or in my case the LDAP directory storing principal 
>> information?
> 
> The implication is you are now well and truly f***ed.

(Nit-picking a little: In the MIT code, the KDB data is stored encrypted in the master key, and the master key can be stored separately.  So if someone only gets all your LDAP data, and the master key isn't stored there, you've got another line of defense.  Though, the master key is usually password-derived, and until recently was hard to change and impossible to switch to a new encryption type.  So it's not a *great* line of defense, but it's not necessarily all over right away.)

This is why, every now and then, people revisit the idea of some kind of "tamper-proof" hardware for the core of the KDC, which would theoretically self-destruct and not reveal the master key if tampered with; external communication would be limited to a few KDC messages and (encrypted, and maybe signed) KDB data, to reduce the vulnerability exposure possibilities in that code, even if the computer housing the tamper-proof card were compromised.  It's an interesting idea, but AFAIK it hasn't gone beyond research projects so far.

Ken


