Smart lock protocol

Rick van Rein rick at openfortress.nl
Mon Mar 9 10:24:56 EDT 2015


Hi Simon,

First off, Kerberos-enabled front doors sound really cool to me.
It would be a lovely showcase of the protocol, and although it’s
not mainstream thinking it may turn out to be a genius idea.

But you and your visitors would need to set up a KDC link, get a
TGT and then a service ticket.  If you wrap that all up in your
app and provide the required access to the KDC to your guests
you should be fine.  Your guests would probably enter a fixed
PIN on their devices as the password to get the TGT.  The cleaning
people could use the same PIN everywhere this system was
used, and the separation between homes would still be secure
as long as the same TGT was used (implies realm crossover).

You would end up setting up some form of authorisation (just a
lookup table of some sort, for example, or simply scripted rules)
for your various guests, switching based on their Kerberos-
authenticated user identities.

More conventional thinking, and IMHO not nearly as interesting,
would be to assign a public key (possibly wrapped up in an X.509
cert or PGP key) and manage which public keys may be used.
You’ll end up managing keys and noticing how difficult that is;
especially storing the private keys securely may be a drama.

If you build with Kerberos technology and embed it in some sort
of app then I’m pretty sure you’ll get popular for it.  If you go the
traditional way and use pubkeys with badly protected private keys
nobody will notice it.  Does that tickle you to continue on your path
with Kerberos, even if it’s a bit out of the ordinary?  I for one would
love to see what you cook up — and it *is* possible.

Cheers,
 -Rick
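
The authorisation lookup described in the message above, as an added example that is not part of the original post: a default-deny table keyed on the full Kerberos principal (name and realm), so a cross-realm guest is never confused with a local user of the same name. The principals, realms, door name and schedule are constructed for illustration, and the principal string is assumed to come from the already-verified service ticket, never from the client's own claim.

```python
from datetime import datetime, time

# Constructed sample policy: door -> {(name, realm): (weekdays, start, end)}.
# Weekdays use datetime.weekday() numbering (Monday == 0).
POLICY = {
    "front-door": {
        ("simon", "HOME.EXAMPLE"): (range(7), time(0, 0), time(23, 59, 59)),
        ("cleaner", "CLEANING.EXAMPLE"): ({1, 4}, time(9, 0), time(12, 0)),
    },
}

def split_principal(principal):
    """Split 'name@REALM' at its single unescaped '@' (backslash escapes a char)."""
    ats, i = [], 0
    while i < len(principal):
        if principal[i] == "\\":
            i += 2  # skip the escaped character, e.g. '\@' inside the name
            continue
        if principal[i] == "@":
            ats.append(i)
        i += 1
    if len(ats) != 1 or ats[0] == 0 or ats[0] == len(principal) - 1:
        raise ValueError("expected exactly one unescaped '@' in name@REALM")
    return principal[:ats[0]], principal[ats[0] + 1:]

def authorize(door, principal, when):
    """True only if the authenticated principal may open 'door' at 'when'."""
    try:
        key = split_principal(principal)
    except ValueError:
        return False  # malformed identity: deny
    rule = POLICY.get(door, {}).get(key)  # realm match is exact and case-sensitive
    if rule is None:
        return False  # unknown door or principal: default deny
    days, start, end = rule
    return when.weekday() in days and start <= when.time() <= end

if __name__ == "__main__":
    tuesday = datetime(2015, 3, 10, 10, 0)
    print(authorize("front-door", "cleaner@CLEANING.EXAMPLE", tuesday))
    print(authorize("front-door", "cleaner@HOME.EXAMPLE", tuesday))
```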

