need project review
Ken Raeburn
raeburn at MIT.EDU
Mon Apr 7 18:37:02 EDT 2008
On Apr 7, 2008, at 15:42, Nicolas Williams wrote:
> Of course, ideally you could have the KDC implemented so no long term
> key material ever leaves a hardware token. I used to be a fan of that
> until I realized that that would mean putting so much of the KDC
> implementation in the token that it may not be worthwhile. Instead
> folks should minimize the network footprint of their KDCs and provide
> extra physical security for them.
This idea has been explored before; see, for example, the USENIX
Security Symposium paper from 2000 by Naomaru Itoi (then at CITI,
UMich), on moving much of the KDC functionality into the IBM 4758
secure coprocessor. Implementing it efficiently would take a bit more
work; whether it's worthwhile depends, I suppose, on the threat model
and desired deployment model. But it seems like an interesting idea
to me.
Ken
More information about the krbdev mailing list