Friday, July 16, 2010

A Trusted Ticket System for Kerberos « Kerberos Blog

A Trusted Ticket System for Kerberos « Kerberos Blog: "There are a number of ways that a Kerberos deployment could make use of the TPM on a Client machine or on a KDC machine. The most obvious is to seal the client-side keying material (when not in use) using the TPM, such as the keytab and the credentials cache. Note that currently these are located on the client machine hard-drive, and thus subject to various attacks. In this sealing scenario the TPM is used in its most basic usage-mode, namely a key storage device. The Kerberos client could simply command the TPM to seal its keying material using a TPM-generated internal key. The resulting (encrypted) blob is returned by the TPM/TSS, and simply placed on the hard-drive or other storage location (e.g. flash)."
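The sealing scenario the quoted post describes, written out as an added example (this is not code from the Kerberos Blog or from any Kerberos implementation): a keytab is handed to a TPM 2.0 via tpm2-tools, which wraps it under a TPM-resident storage key and returns the encrypted blob for the hard drive, and the client later asks the TPM to unseal it. It assumes tpm2-tools and a TPM 2.0 (or swtpm selected through TPM2TOOLS_TCTI) are present; the file names, the `sealed/` directory and the choice of PCR 7 as the policy binding are illustrative assumptions, not details from the post.

```shell
#!/bin/sh
# Added example, not from the Kerberos Blog post. Seals a Kerberos keytab
# with tpm2-tools so only the TPM-wrapped blob rests on disk, and unseals it
# when the client needs the keying material again.
# Assumptions: tpm2-tools (tpm2_*) on PATH, a TPM 2.0 or swtpm reachable via
# TPM2TOOLS_TCTI, and PCR 7 (Secure Boot state) as the policy binding.

# seal_keytab KEYTAB SEALDIR
#   Creates a storage primary under the owner hierarchy, seals KEYTAB into a
#   keyedhash object whose unseal is gated on the current PCR 7 value, and
#   writes the wrapped blob (keytab.pub/keytab.priv) into SEALDIR.
#   Returns 0 on success, 3 when tpm2-tools is not installed.
seal_keytab() {
    keytab="$1"; sealdir="$2"
    command -v tpm2_create >/dev/null 2>&1 || return 3
    mkdir -p "$sealdir"
    # Policy: the blob may only be unsealed while PCR 7 holds the value it
    # has now, i.e. under the same Secure Boot configuration.
    tpm2_createpolicy --policy-pcr -l sha256:7 \
        -L "$sealdir/pcr7.policy" >/dev/null || return $?
    # The primary is derived from the TPM's owner seed and a fixed template,
    # so re-running this later yields the same key; no persistence needed.
    tpm2_createprimary -C o -g sha256 -G rsa \
        -c "$sealdir/primary.ctx" >/dev/null || return $?
    # -i turns the new object into a sealed data blob holding the keytab.
    tpm2_create -C "$sealdir/primary.ctx" -i "$keytab" \
        -L "$sealdir/pcr7.policy" \
        -u "$sealdir/keytab.pub" -r "$sealdir/keytab.priv" >/dev/null || return $?
    # keytab.pub/keytab.priv are the encrypted blob the post describes; the
    # plaintext keytab can now be removed from the hard drive.
}

# unseal_keytab SEALDIR OUT
#   Loads the wrapped blob back into the TPM and unseals it to OUT, which
#   succeeds only if PCR 7 still matches the value sealed against.
unseal_keytab() {
    sealdir="$1"; out="$2"
    command -v tpm2_unseal >/dev/null 2>&1 || return 3
    tpm2_load -C "$sealdir/primary.ctx" -u "$sealdir/keytab.pub" \
        -r "$sealdir/keytab.priv" -c "$sealdir/keytab.ctx" >/dev/null || return $?
    tpm2_unseal -c "$sealdir/keytab.ctx" -p pcr:sha256:7 -o "$out"
}

# roundtrip KEYTAB SEALDIR
#   Seal, then unseal, then verify the recovered bytes equal the original.
#   Returns 0 on a matching round trip, 3 if tpm2-tools is missing.
roundtrip() {
    keytab="$1"; sealdir="$2"
    seal_keytab "$keytab" "$sealdir" || return $?
    unseal_keytab "$sealdir" "$sealdir/recovered.keytab" || return $?
    cmp -s "$keytab" "$sealdir/recovered.keytab"
}

# Usage (hypothetical paths):
#   roundtrip /etc/krb5.keytab /var/lib/krb5/sealed && echo "round trip ok"
```

The PCR binding is what distinguishes this from plain file encryption: if the boot chain changes (a different Secure Boot policy, a modified bootloader) PCR 7 no longer matches and `tpm2_unseal` fails, so the keytab never reaches the disk in clear form on a machine whose boot state is not the one it was sealed on. The same two functions apply unchanged to a credentials cache file.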
