Re: Master key confusion
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Jul 22 20:44:39 1996
To: kenh@cmf.nrl.navy.mil (Ken Hornstein)
Cc: kerberos@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 22 Jul 1996 20:35:49 -0400
In-Reply-To: kenh@cmf.nrl.navy.mil's message of 8 Jul 1996 14:07:14 -0400
>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
Ken> I was talking with a friend last week about the Kerberos 5
Ken> database, and we realized there was some confusion about the
Ken> way the master key works.
Ken> (Just for the record, I'm running MIT Kerberos 5 beta 6).
Ken> I know that all the entries in the Kerberos 5 database are
Ken> encrypted with the master key. I'm wondering, however, if
Ken> it's possible to ever _change_ the master key? I mean, I
Ken> know it's possible to say "cpw K/M", but I'm wondering if
Ken> that keeps the old key around for decrypting older passwords,
Ken> or would you have to change all the passwords at that time as
Ken> well? Or is it not really practical to change the master key
Ken> at all?
I think that depending on how it is implemented, cpw k/m will
either have no effect or will trash your database; I don't care to try
and I don't have any unimportant databases around. I know it
certainly doesn't do the right thing.
One of the Kerberos developers wrote patches to kdb5_edit that
convert a database from one master key to another; those patches need
some cleaning up before they can be incorporated into the source tree.
Versions of Kerberos previous to Beta 6 had a field in the
database for the master key version; this field was removed, requiring
all keys to be changed at once. Personally, I feel this was an error,
and I hope that the field will be added back in as part of integrating
the OpenVision administration system.
Ken> Also, is the key entered at KDC startup/kdb5_stash the master
Ken> key used to decrypt all passwords, or is it just used to
Ken> decrypt the master key stored in the database (K/M) and the
Ken> master key in the database is actually used to decrypt
Ken> everything?
The key you enter into kdb5_create is the master key; it is
stored in k/m so it can be verified, but it is encrypted in itself as
stored in the database.
Ken> (Geez, I'm not sure if that last sentence made any sense or
Ken> not :-) ).
Ken> --Ken
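As an added illustration (not code from this thread, from MIT Kerberos, or from either poster), the following Python toy models the scheme Sam describes: every principal key in the database is encrypted under the master key, and the K/M entry holds the master key encrypted under itself so that a key typed at kdb5_stash or KDC startup can be verified. It then shows why rewriting only K/M leaves the rest of the database unreadable, and how a per-entry master key version number (the field Sam says was dropped in beta 6) lets old entries stay readable after a rollover. The cipher is a constructed SHA-256/HMAC stand-in, not a Kerberos enctype; `ToyKDB`, its methods and all key values are assumptions made up for this example.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher: SHA-256 counter keystream plus an HMAC tag.
# This is NOT a Kerberos enctype; it only models "encrypt under a key and
# fail loudly when decrypted under the wrong key".
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class ToyKDB:
    """Hypothetical KDB model: principal keys encrypted under a master key,
    with K/M holding the master key encrypted under itself for verification."""

    def __init__(self, master_key: bytes, keep_mkvno: bool):
        self.keep_mkvno = keep_mkvno         # False models the beta-6 layout (no version field)
        self.master_keys = {1: master_key}   # mkvno -> master key (old keys kept for the mkvno case)
        self.current_mkvno = 1
        self.entries = {}
        self._store("K/M", master_key)       # master key encrypted in itself

    def _store(self, princ: str, key: bytes) -> None:
        mk = self.master_keys[self.current_mkvno]
        self.entries[princ] = {"mkvno": self.current_mkvno, "enc_key": encrypt(mk, key)}

    def verify_master_key(self, candidate: bytes) -> bool:
        """The check kdb5_stash / KDC startup effectively performs: does the
        typed key decrypt K/M back to itself?"""
        try:
            return decrypt(candidate, self.entries["K/M"]["enc_key"]) == candidate
        except ValueError:
            return False

    def add_principal(self, princ: str, key: bytes) -> None:
        self._store(princ, key)

    def principal_key(self, princ: str) -> bytes:
        entry = self.entries[princ]
        # Without a version field the KDC can only try the current master key.
        mkvno = entry["mkvno"] if self.keep_mkvno else self.current_mkvno
        return decrypt(self.master_keys[mkvno], entry["enc_key"])

    def change_master_key_only(self, new_master: bytes) -> None:
        """Models 'cpw K/M': install a new master key and rewrite K/M,
        but re-encrypt nothing else."""
        self.current_mkvno += 1
        self.master_keys[self.current_mkvno] = new_master
        self._store("K/M", new_master)

    def reencrypt_all(self, new_master: bytes) -> None:
        """Full rollover: decrypt every entry under its old master key and
        re-encrypt it under the new one (what the kdb5_edit patches would do)."""
        plain = {p: self.principal_key(p) for p in self.entries if p != "K/M"}
        self.change_master_key_only(new_master)
        for p, key in plain.items():
            self._store(p, key)

def readable(db: ToyKDB, princ: str) -> bool:
    try:
        db.principal_key(princ)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Walk through both layouts with constructed keys and report the outcomes."""
    mk1, mk2, user_key = b"\x01" * 32, b"\x02" * 32, b"\x0a" * 16   # constructed values
    beta6 = ToyKDB(mk1, keep_mkvno=False)
    beta6.add_principal("testuser", user_key)
    beta6.change_master_key_only(mk2)           # K/M now verifies mk2 ...
    beta6_readable = readable(beta6, "testuser")  # ... but the user entry is unreadable
    beta6.master_keys[beta6.current_mkvno] = mk1  # undo to show the full rollover path
    beta6.current_mkvno = 1
    beta6.reencrypt_all(mk2)
    versioned = ToyKDB(mk1, keep_mkvno=True)
    versioned.add_principal("testuser", user_key)
    versioned.change_master_key_only(mk2)
    return {
        "beta6_km_verifies_new_key": beta6.verify_master_key(mk2),
        "beta6_readable_after_cpw_km": beta6_readable,
        "beta6_readable_after_reencrypt": readable(beta6, "testuser"),
        "old_key_verifies_after_rollover": beta6.verify_master_key(mk1),
        "versioned_readable_after_cpw_km": readable(versioned, "testuser"),
    }

if __name__ == "__main__":
    print(demo())
```

The `keep_mkvno=True` path only works because the toy keeps the old master keys around, which is exactly the operational cost of a version field: every master key still referenced by some entry must remain available to the KDC until that entry has been re-encrypted.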