[19978] in Kerberos_V5_Development
Subject: Re: Using a master key and principal name to derive password for principal
daemon@ATHENA.MIT.EDU (Coe Ts7)
Tue Oct 15 09:39:41 2019
From: Coe Ts7 <tm3y@hotmail.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Tue, 15 Oct 2019 07:00:07 +0000
Message-ID: <HK2PR06MB353987F9B51089FAD49D37279C930@HK2PR06MB3539.apcprd06.prod.outlook.com>
In-Reply-To: <HK2PR06MB3539C9E563B2EAD28946E5AF9C930@HK2PR06MB3539.apcprd06.prod.outlook.com>
Content-Language: zh-CN
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Maybe use something like HMAC(secret_key, principal_name) or PBKDF2(HMAC(master_secret_key, principal_name)) (Kerberos will do the PBKDF2) as the principals' password.
Then I deliver the derived passwords to the corresponding principals. Then Kerberos could authenticate the user with only a single master_secret_key.
Is this secure?
Regards,
tm3y
________________________________
From: Coe Ts7
Sent: 15 October 2019 3:46
To: krbdev@mit.edu <krbdev@mit.edu>
Subject: Using a master key and principal name to derive password for principal
Hi,
I'm looking for a simple but effective high-availability solution for Kerberos.
In my deployment, I will use Kerberos PKINIT. So there's a chance that Kerberos doesn't store a principal list, just generates tickets according to the name in the PKI certificate.
And I try to go further and make Kerberos not store principal passwords, so that Kerberos is completely stateless and fully trusts PKI.
To achieve that, I want to use some crypto & hashing mechanisms so that all Kerberos instances can calculate the same password for each principal from a shared master key and principal name.
I'm wondering, is this way cryptographically secure? If so, is there some source code for reference to implement this algorithm?
Thanks in advance!
Regards,
tm3y
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
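The derivation sketched in the thread (HMAC over the principal name, then the PBKDF2 step Kerberos applies as string-to-key), as an added illustration that is not part of the thread and not MIT Kerberos code. It uses only the Python standard library. The label prefix, the constructed master key and realm, and the `string_to_key` stand-in are assumptions: the real RFC 3962 AES string-to-key applies a further DK() step after PBKDF2, which is omitted here. The last function exists to make the trade-off visible to whoever evaluates the design: every KDC instance holding the master key reproduces every principal's long-term key from nothing but the name, so the master key is the single asset whose compromise or rotation affects all principals at once.

```python
import hashlib
import hmac

# Constructed sample values for this example; a deployment would generate the
# master key with a CSPRNG and keep it in an HSM or KMS, never in a config file.
MASTER_KEY = bytes.fromhex("00" * 32)   # placeholder, not a real key
REALM = "EXAMPLE.COM"                    # constructed realm name


def derive_principal_password(master_key: bytes, principal: str) -> str:
    """HMAC(master_key, principal_name) as proposed in the thread.

    A fixed label is prepended (assumption, not from the thread) so that the
    same master key used for another purpose yields unrelated outputs
    (domain separation). The hex tag is the per-principal 'password'.
    """
    msg = b"krb5-principal-password\x00" + principal.encode("utf-8")
    return hmac.new(master_key, msg, hashlib.sha256).hexdigest()


def string_to_key(password: str, realm: str, principal: str,
                  iterations: int = 4096) -> bytes:
    """Simplified stand-in for the Kerberos AES string-to-key step.

    Mirrors the shape of RFC 3962: PBKDF2-HMAC-SHA1 with the default salt
    form realm + principal and 4096 iterations. Assumption: the real
    function also runs a DK() key-derivation step on the PBKDF2 output,
    which is left out here, so these bytes are not a real Kerberos key.
    """
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, 32)


def kdc_instance_key(master_key: bytes, realm: str, principal: str) -> bytes:
    """What any KDC instance holding the master key computes for a principal.

    No per-principal database entry is consulted; this is the stateless
    property the thread is after.
    """
    password = derive_principal_password(master_key, principal)
    return string_to_key(password, realm, principal)


def all_keys_from_master(master_key: bytes, realm: str, principals):
    """Blast-radius check: one master key reproduces every principal's key.

    Useful when reviewing the design, because it shows that protecting and
    rotating the master key is the whole security story, and that rotating
    it changes every principal's credential at once.
    """
    return {p: kdc_instance_key(master_key, realm, p) for p in principals}


if __name__ == "__main__":
    # Two independent KDC instances sharing only MASTER_KEY agree on the key.
    instance_a = kdc_instance_key(MASTER_KEY, REALM, "alice")
    instance_b = kdc_instance_key(MASTER_KEY, REALM, "alice")
    print("instances agree:", instance_a == instance_b)
    for name, key in all_keys_from_master(MASTER_KEY, REALM,
                                          ["alice", "bob"]).items():
        print(f"{name}@{REALM}: {key.hex()}")
```

The derived hex string is what would be handed to each principal as its password; the PBKDF2 step then runs on both the client and the KDC exactly as it would for a stored password, so no KDC-side state is needed beyond the master key.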