Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Why the dislike of X.509?



Richard Pieri <richard.pieri at gmail.com> writes:

> As an aside:
>
> On 8/26/2014 1:04 PM, Derek Atkins wrote:
>> You (or someone) also brought up Kerberos.  Kerberos *IS* a key escrow
>> system.  If an attacker breaks into your KDC they literally have all the
>> keys to your kingdom.  Not only can they impersonate anyone, they can go
>
> I operate a Kerberos realm. I am not able to tell my users their
> passwords. I don't have them. Kerberos stores one-way hashes of users'
> passwords. I could brute force the database with sufficient time but
> that is steps removed from having the actual keys in my hands.

Passwords?  We don't need no stinking passwords!  You don't need to know
your users' passwords, you have access to their keys!  If I could dump a
copy of your KDC database then I could impersonate any user (or
server!) on your network and read all their traffic.  I don't need to
know their passwords to do that.

> A bad actor can do quite a bit with a compromised KDC but these things
> are well known. Steps to prevent compromise are well documented as are
> steps to identify compromised KDCs and mitigate the damage that they can do.

A bad actor can do *everything* with a compromised KDC.  Yes, there are
steps to prevent compromise, just like there are steps to prevent
compromise of an X.509 CA.  The main difference here is that if I
compromise your KDC I can now read all the previously-encrypted traffic,
whereas with a compromised X.509 CA all I can do is impersonate players
in the future.  I.e., a KDC Capture gives you *past* communications!

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
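
Added example, not part of the original message: a toy model of the point argued above, that the KDC database holds the keys themselves, so a copy of it is enough to open recorded exchanges without any password. The cipher is an HMAC-based stand-in rather than a real Kerberos enctype, the ticket chain is collapsed to one hop, and the principal, passwords and payload are constructed.

```python
import hashlib, hmac, os

def string_to_key(password, salt):
    # Simplified stand-in for Kerberos string-to-key: one-way, salted per principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Toy keystream (HMAC in counter mode) XORed over the data.
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, plaintext):
    # Toy encrypt-then-MAC; illustration only, not a Kerberos encryption type.
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified message")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

def run_model():
    principal = "alice@EXAMPLE.ORG"                       # constructed
    # The KDC database stores the derived key, never the password.
    kdc_db = {principal: string_to_key("constructed-password", principal)}
    # Login: the KDC returns a fresh session key sealed under the long-term key.
    session_key = os.urandom(32)
    recorded_reply = seal(kdc_db[principal], session_key)
    recorded_traffic = seal(session_key, b"constructed application data")
    # Later: a copy of the database plus the recorded bytes, and no password.
    db_copy = dict(kdc_db)
    recovered = unseal(db_copy[principal], recorded_reply)
    # A password change replaces the live entry; the copy still holds the old key.
    kdc_db[principal] = string_to_key("constructed-new-password", principal)
    try:
        unseal(kdc_db[principal], recorded_reply)
        new_key_opens_old_reply = True
    except ValueError:
        new_key_opens_old_reply = False
    return recovered == session_key, unseal(recovered, recorded_traffic), new_key_opens_old_reply
```

In this model the exposure follows the key that was in the database when the exchange was recorded, which is why old KDC dumps and backups need the same protection as the live KDC.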



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org