MIT Kerberos KDC crypto tasks offloaded to HSM

Chris Glidden cglidden at
Thu May 15 18:36:59 EDT 2008



Is there a public location where I might be able to view a Kerberos roadmap?


I am curious if there has ever been any thought directed to securing the KDC
master/root key with a Hardware Security Module.


nCipher's products can be used to secure important encryption keys (and
associated algorithms) to add security to applications by shifting key
generation, use, storage, and authorization out of the OS and into a
dedicated piece of hardware.  Common deployments include PKI (securing
Certificate Authority keys), database encryption, identity management
applications, custom crypto applications for PCI compliance, among others.


I am asking because I was approached by a large financial institution that
uses MIT Kerberos that is interested in exploring the possibility of
integrating their KDC with an HSM.  The customer's Kerberos infrastructure
is both substantial and critical to their operations, so they are looking to
add any and all security that they possibly can.


It is possible to communicate with our HSM via the following APIs: PKCS#11,
Java CSP (JCE), Microsoft CAPI (don't laugh), or OpenSSL compiled with CHIL
(cryptographic hardware integration library) support.  We also have our own
native API, but that might not be the easiest solution as it involves
writing new code, rather than altering existing work.


I am curious to hear people's thoughts on this subject.


Thank you,

Sales Engineer

cglidden at

C: 857-222-4269

F: 781-998-7875
More information about the krbdev mailing list