Re: [kitten] Draft Action: KRB5-KDH: Cryptographically binding Kerberos5 with Diffie-Hellman
Nico Williams <nico@cryptonector.com> Fri, 24 October 2014 22:05 UTC
Date: Fri, 24 Oct 2014 17:05:50 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rick van Rein <rick@openfortress.nl>
Message-ID: <20141024220547.GD6185@localhost>
References: <16764AFA-1D80-4431-A16F-17D49396082B@openfortress.nl> <20141024213333.GA6185@localhost>
In-Reply-To: <20141024213333.GA6185@localhost>
Archived-At: http://mailarchive.ietf.org/arch/msg/kitten/ZUHXaHtngRHyozxqS3Zw5aQYtSs
Cc: "kitten@ietf.org" <kitten@ietf.org>
Subject: Re: [kitten] Draft Action: KRB5-KDH: Cryptographically binding Kerberos5 with Diffie-Hellman
I should also add that having KDCs know services' public keys is not a crazy idea.

I've been wanting to build a DH-based service keying system where the KDC stores the services' public keys and _caches_ the DH shared secret keys in the principal database. Services keep their private keys and realms' public keys and _cache_ their DH shared secret keys.

I'm sure you can all see advantages to doing this... For example, recovery from KDC principal database compromise mostly involves distributing new public keys for the compromised realm, at least for service keys (client principal keying is another story, but PKINIT helps there).

FYI, Roland Dowdeswell has a Kerberos administration system that uses DH (ECDH) to key services, and even supports multi-party DH for keying clusters (atomically!).

Storing service public keys in the KDC is not very farfetched at all.

Nico
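A sketch of the arrangement described in the message above, added here as an illustration (it is not Nico's design notes, Roland Dowdeswell's system, or any project's code): the KDC's principal database holds only each service's DH public value plus a cached shared secret, the service holds its own private key and the realm's public key, and rekeying the realm after a database compromise invalidates every cached secret until the new realm public key has been distributed. Assumptions not in the post: finite-field DH over RFC 3526 group 14, an HMAC-SHA-256 key derivation, and constructed realm and principal names.

```python
import hashlib, hmac, secrets
# Assumed group (the post names none): RFC 3526 MODP group 14, 2048-bit, generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

def keypair():  # fresh DH key pair over generator 2; the private exponent never leaves its owner
    priv = secrets.randbits(256) | (1 << 255)
    return priv, pow(2, priv, P)

def shared_key(priv, peer_pub, realm, princ):
    """DH shared secret, run through a KDF to get the long-term service key."""
    if not 1 < peer_pub < P - 1:  # reject degenerate public values before exponentiating
        raise ValueError("invalid DH public value")
    z = pow(peer_pub, priv, P).to_bytes(256, "big")
    return hmac.new(z, f"krb5-kdh:{realm}:{princ}".encode(), hashlib.sha256).digest()

class KDC:
    def __init__(self, realm):
        self.realm, (self.priv, self.pub), self.db = realm, keypair(), {}
    def register(self, princ, service_pub):
        self.db[princ] = {"pub": service_pub, "key": None}  # the database holds the public value only
    def service_key(self, princ):
        e = self.db[princ]
        if e["key"] is None:  # derive once, then cache in the principal database
            e["key"] = shared_key(self.priv, e["pub"], self.realm, princ)
        return e["key"]
    def rekey_realm(self):  # recovery after a principal database compromise
        self.priv, self.pub = keypair()
        for e in self.db.values():
            e["key"] = None  # every cached secret is now stale
        return self.pub  # new realm public key, to be distributed to services

class Service:
    def __init__(self, princ):
        self.princ, (self.priv, self.pub), self.realm_pubs, self.cache = princ, keypair(), {}, {}
    def trust_realm(self, realm, realm_pub):
        self.realm_pubs[realm] = realm_pub; self.cache.pop(realm, None)  # new realm key drops the cache
    def key_for(self, realm):
        if realm not in self.cache:
            self.cache[realm] = shared_key(self.priv, self.realm_pubs[realm], realm, self.princ)
        return self.cache[realm]

def demo():  # constructed realm and principal names
    kdc, svc = KDC("EXAMPLE.ORG"), Service("host/www.example.org")
    kdc.register(svc.princ, svc.pub); svc.trust_realm(kdc.realm, kdc.pub)
    k1, agreed = kdc.service_key(svc.princ), kdc.service_key(svc.princ) == svc.key_for(kdc.realm)
    svc.trust_realm(kdc.realm, kdc.rekey_realm())  # distribute the new realm public key
    return agreed, kdc.service_key(svc.princ) != k1, kdc.service_key(svc.princ) == svc.key_for(kdc.realm)
```

`demo()` returns three booleans: both sides agreed on the original key, the realm rekey produced a different key, and both sides agree again once the service holds the new realm public key.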