Modifications to Kerberos internals

Sam Hartman hartmans at MIT.EDU
Mon Nov 29 09:12:54 EST 2004

>>>>> "Venu" == Venu Satuluri <venusatuluri at> writes:

    Venu> Sorry for the late reply.  We intend to make a public-key
    Venu> cryptograhy version of Kerberos. There is a quite a bit of
    Venu> literature regarding this, but I am not sure if any scheme
    Venu> has been successfully implemented. (I would be grateful if u
    Venu> could share any information regarding this). 

There is active work on
.  I think there are at least two implementations that are fairly
close to this spec.

    Venu> We want to
    Venu> implement a bare-bones version (this is for a 4-month senior
    Venu> year project), and in keeping with that we want to retain as
    Venu> much of the source code as is possible. We intend to change
    Venu> the code relating to the message structures, and the
    Venu> processing of messages by the various parties.

    Venu> We spent some time examining the source code, as well as the
    Venu> rfc for krb-protocol. Nevertheless, our project requires a
    Venu> better understanding of the internals than the source code
    Venu> supplies. Still looking for any such documentation.

There isn't any.  There are discussions of parts of the code that have
happened over the years on this list; there are some documents for
parts of the code but none related to what you are working on.

If you want to implement pkinit, you'll need to understand
kdc/kdc_preauth.c and lib/krb5/krb /preauth2.c in significant detail.
You'll need to understand the ASN.1 encoders in /lib/krb5/asn.1 or
supply your own.


More information about the krbdev mailing list