[166] in Kerberos
On the security of kerberos (need fo
jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:36:50 1987
From jis@BITSY.MIT.EDU Wed Feb 18 15:58:19 1987
Date: Wed, 18 Feb 87 15:56:30 EST
From: Jeffrey I. Schiller <jis@BITSY.MIT.EDU>
To: kerberos@athena.mit.edu
Subject: On the security of kerberos (need for physical security)
All this talk of how to deliver the keys isn't really addressing the
likeliest form of attack, namely:
1) Obtain physical access to a kerberos slave machine.
2) Deposit a trap door program that allows a remote root login at
   a later time.
3) Arrange it to look like the system crashed in some "normal" manner.
4) Wait for the system to be restarted.
5) Now while the machine is running, utilize trap door, make a copy of the
   database and use the "gcore" program to grab a core image of the
   running kerberos server and extract the master key (or the equivalent
   of the master key for the database copy you just made).
6) Done. And let Athena beware!
Providing physical security is the key here (no pun intended). Encryption
hardware would help (if the hardware allows the key to be written, but
not read out, and it clears the key memory on bus reset).
-Jeff