Re: Using a master key and principal name to derive password for principal

Coe Ts7 tm3y at hotmail.com
Tue Oct 15 03:00:07 EDT 2019


Maybe use something like HMAC(secret_key, principal_name) or PBKDF2(HMAC(master_secret_key, principal_name)) (kerberos will do PBKDF2) as the principals' password.
Then I deliver the derived passwords to the corresponding principals. Then kerberos could authenticate the user with only a single master_secret_key.
Is this secure?

Regards,
tm3y
________________________________
From: Coe Ts7
Sent: October 15, 2019 3:46
To: krbdev at mit.edu <krbdev at mit.edu>
Subject: Using a master key and principal name to derive password for principal

Hi,
I'm looking for a simple but effective Highly Available solution for kerberos.
In my deployment, I will use kerberos PKINIT. So there's a chance that the kerberos doesn't store a principal list, and just generates tickets according to the name in the PKI certificate.
And I try to go further and make kerberos not store principal passwords, so that the kerberos is completely stateless and fully trusts PKI.
To achieve that, I want to use some crypto & hashing mechanisms so that all kerberos instances can calculate the same password for each principal from a shared master key and principal name.

I'm wondering whether this way is cryptographically secure? If so, is there some source code for reference for implementing this algorithm?
Thanks in advance!

Regards,
tm3y

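The derivation sketched in the thread, as an added example (not code from the post or from MIT Kerberos): HMAC-SHA256 over the master key and principal name yields the per-principal password, and PBKDF2 with the Kerberos default salt turns it into the AES-128 string-to-key input. The context label, realm and master key value are constructed for the demo. It shows the property the question hinges on: every stateless instance computes identical keys, and each of them is exactly as secret as the single master key.

```python
import base64
import hashlib
import hmac

# Constructed master secret for the demo only. Every principal's long-term
# key derives from it, so in a real deployment it belongs in an HSM/KMS.
DEMO_MASTER_KEY = bytes.fromhex("0f" * 16 + "f0" * 16)


def derive_principal_password(master_key: bytes, realm: str, principal: str) -> str:
    """HMAC-SHA256(master_key, label || realm || principal), base64-encoded so
    the result can be delivered to the principal as a text password."""
    # The label is a hypothetical domain-separation string, not from the post.
    msg = b"krb-principal-password-v1\0" + realm.encode() + b"\0" + principal.encode()
    return base64.b64encode(hmac.new(master_key, msg, hashlib.sha256).digest()).decode()


def string_to_key_aes128(password: str, realm: str, principal: str, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 AES string-to-key, using the Kerberos
    default salt: realm followed by the principal's name components, no separators.
    RFC 3962 finishes with DK(tkey, "kerberos"); that step is omitted here."""
    salt = (realm + principal.replace("/", "")).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, 16)


def kdc_long_term_key(master_key: bytes, realm: str, principal: str) -> bytes:
    """What any KDC instance holding master_key would compute for a principal."""
    password = derive_principal_password(master_key, realm, principal)
    return string_to_key_aes128(password, realm, principal)


def check_scheme_properties() -> dict:
    """Evaluate the three properties that decide whether the scheme is acceptable."""
    realm = "EXAMPLE.COM"
    # Two independent stateless instances sharing the master key agree.
    key_instance_a = kdc_long_term_key(DEMO_MASTER_KEY, realm, "alice")
    key_instance_b = kdc_long_term_key(DEMO_MASTER_KEY, realm, "alice")
    # Distinct principals get unrelated keys (HMAC output is unpredictable per input).
    key_bob = kdc_long_term_key(DEMO_MASTER_KEY, realm, "bob")
    # Rotating the master key changes every principal's password at once, which is
    # also why a leak of the master key is a leak of every principal's password.
    rotated_master = bytes(b ^ 0xFF for b in DEMO_MASTER_KEY)
    key_after_rotation = kdc_long_term_key(rotated_master, realm, "alice")
    return {
        "instances_agree": key_instance_a == key_instance_b,
        "principals_differ": key_instance_a != key_bob,
        "rotation_changes_key": key_instance_a != key_after_rotation,
    }


if __name__ == "__main__":
    print(check_scheme_properties())
```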
