Moving Kerberos to the Cloud?

Tom Yu tlyu at MIT.EDU
Wed Dec 7 18:35:23 EST 2011


Nico Williams <nico at cryptonector.com> writes:

> Even if the savings overwhelm the costs, you still need to look at
> risk, and thus the security attributes of the cloud in question.  With
> risk in the picture I suspect no one would move a KDC to a cloud.

For the public cloud case, I would agree with you.  The cloud service
provider would have the technical ability to impersonate anyone in
your organization at any time.  (I'll ignore the possibility of using
homomorphic encryption as a workaround due to its current extreme
inefficiency.)

Private cloud IaaS or PaaS where all of the underlying components are
under the physical and administrative control of the organization
might be an acceptable risk to some organizations.  They would have to
consider whether the benefits of their cloud outweigh the risks to
reliability (virtualization software can be quite complex) and
security (which physical disks have ever held high-value crypto
keys?).

High availability, one possible reason for wanting to use cloud
services for Kerberos, is less necessary for a KDC host than some
services.  For example, usually once a client has all the service
tickets it needs for a login session, it doesn't need to contact the
KDC again until the tickets expire.  Deployments where there is a lot
of KDC traffic from applications using the KDC to validate cleartext
passwords (contrary to the design goals of Kerberos) might have a
greater need for KDC availability, though.

