[324] in Kerberos
Re: Storage of keys in the database and byte order
daemon@TELECOM.MIT.EDU (Steve Miller)
Tue Feb 23 11:24:16 1988
From: miller%erlang.DEC@DECWRL.DEC.COM (Steve Miller)
To: kerberos@ATHENA.MIT.EDU, MILLER%erlang.DEC@DECWRL.DEC.COM
If my memory serves me correctly, the reason I did that was to minimize
the exposure of the master key. It only needs to be exposed once, to
convert into the key schedule, then can be cleared. I don't recall from
the DES algorithm whether the key schedule is uniquely invertible to the
key, but even if it is, it is considerably more work than snatching the key.
I would suggest as an alternative that when the server is initialized use
the master key to ECB encrypt a constant (roughly half the bits 1s, not a zero
constant) once you have the schedule, then use the encrypted constant for
the IV. That way, the master key can be cleared, and can not be recovered
from the one-way encrypted IV.
Steve
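
The start-up sequence suggested in this message, as an added example that is not part of the original post or of the Kerberos sources: expand the master key into a schedule, clear the key, then ECB-encrypt a half-ones constant to get the IV. Assumptions: XTEA stands in for DES so the block is self-contained, and the names (schedule_t, server_init, IV_CONSTANT, wipe), the constant and the sample key are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 32
/* Stand-in 64-bit block cipher (XTEA), not DES; rk[] plays the key schedule. */
typedef struct { uint32_t rk[2 * ROUNDS]; } schedule_t;

/* Constructed constant: 32 of its 64 bits are set, so it is not all-zero. */
static const uint32_t IV_CONSTANT[2] = { 0xA5A5A5A5u, 0x5A5A5A5Au };

/* Zero through a volatile pointer so the stores are not optimized away. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}
/* The only code that reads the master key: expand it into round keys. */
static void make_schedule(const uint32_t key[4], schedule_t *ks) {
    uint32_t sum = 0;
    for (int i = 0; i < ROUNDS; i++) {
        ks->rk[2 * i] = sum + key[sum & 3];
        sum += 0x9E3779B9u;
        ks->rk[2 * i + 1] = sum + key[(sum >> 11) & 3];
    }
}
/* Encrypt one block in ECB mode using only the schedule. */
static void ecb_encrypt(const schedule_t *ks, const uint32_t in[2], uint32_t out[2]) {
    uint32_t v0 = in[0], v1 = in[1];
    for (int i = 0; i < ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ ks->rk[2 * i];
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ ks->rk[2 * i + 1];
    }
    out[0] = v0; out[1] = v1;
}
/* Server start-up: schedule first, clear the key, then IV = E_K(constant).
   Returns 1 when the caller's key buffer holds only zeros afterwards. */
static int server_init(uint32_t master_key[4], schedule_t *ks, uint32_t iv[2]) {
    make_schedule(master_key, ks);
    wipe(master_key, 4 * sizeof(uint32_t));
    ecb_encrypt(ks, IV_CONSTANT, iv);
    return (master_key[0] | master_key[1] | master_key[2] | master_key[3]) == 0;
}

int main(void) {
    uint32_t key[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u }; /* constructed */
    schedule_t ks; uint32_t iv[2];
    int cleared = server_init(key, &ks, iv);
    printf("key cleared: %d  iv: %08x%08x\n", cleared, (unsigned)iv[0], (unsigned)iv[1]);
    return 0;
}
```

After server_init returns, only the schedule and the IV remain in memory; the schedule itself still has to be protected like key material.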