From: charliemason on
In Kerberos V4 The KDC database isn't encrypted as a whole. Instead each
user's master key is independently encrypted with the KDC master key.

If replication was done with a standard download (instead of the
cryptographic integrity check which is performed). How could a bad guy who
is a principal registered with a KDC impersonate Alice, another principal
registered with that KDC? What is it that the cryptographic check is
preventing the bad guy from doing?

I would have thought that modifying details in the database would just
corrupt it?


From: David Wagner on
I don't know the answer to your question, but I'll also provide you
with some context. If the goal is to learn crypto, I don't know how
much value there is in trying to understand all of the details of the
crypto protocols in Kerberos V4. The crypto in Kerberos V4 is flawed
and was implemented before people fully understood now-standard concepts,
such as the difference between encryption (for confidentiality) vs MACs
(for integrity), the importance of security against chosen-ciphertext
attacks, and so on. Consequently, if you're looking to Kerberos V4 as
a historical example to learn from, don't assume that they necessarily
got all the gory details absolutely right -- because we know some aspects
of it are, by today's standards, substandard.
From: David Wagner on
charliemason wrote:
>I would have thought that modifying details in the database would just
>corrupt it?

Not necessarily. Encryption doesn't necessarily provide integrity.
It's a common misconception that encryption provides integrity because
"modifying a ciphertext would just corrupt the plaintext" -- but that
conception is not accurate, as is explained in modern crypto textbooks.

A message authentication code (MAC) computed across the database would
ensure that changes are detected, but if there is no MAC and the
database is merely encrypted, it might be possible to cause mischief
by modifying the database.