"Generating KDC Referrals to Locate Kerberos Realms", Kenneth Raeburn, Larry Zhu, 25-Feb-08.
The memo documents a method for a Kerberos Key Distribution Center (KDC) to respond to client requests for Kerberos tickets when the client does not have detailed configuration information on the realms of users or services. The KDC will handle requests for principals in other realms by returning either a referral error or a cross-realm TGT to another realm on the referral path. The clients will use this referral information to reach the realm of the target principal and then receive the ticket.
"A Generalized Framework for Kerberos Pre-Authentication", Larry Zhu, Sam Hartman, 24-Feb-08.
Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a mechanism called pre-authentication for proving the identity of a principal and for better protecting the long-term secret of the principal. This document describes a model for Kerberos pre-authentication mechanisms. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact. This document also provides common tools needed by multiple pre-authentication mechanisms. One of these tools is a secure channel between the client and the KDC with a reply key delivery mechanism; this secure channel can be used to protect the authentication exchange, thus eliminating offline dictionary attacks. With these tools, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.
"ECC Support for PKINIT", Larry Zhu, Karthik Jaganathan, Kristin Lauter, 24-Oct-07.
This document describes the use of Elliptic Curve certificates, Elliptic Curve signature schemes, and Elliptic Curve Diffie-Hellman (ECDH) key agreement within the framework of PKINIT, the Kerberos Version 5 extension that provides for the use of public key cryptography.
"Anonymity Support for Kerberos", Larry Zhu, Paul Leach, 30-Jan-08.
This document defines extensions to the Kerberos protocol for the Kerberos client to authenticate the Kerberos Key Distribution Center and the Kerberos server, without revealing the client's identity. It updates RFC 4120. These extensions can be used to secure communication between the anonymous client and the server.
"Additional Kerberos Naming Constraints", Larry Zhu, 24-Oct-07.
This document defines new naming constraints for well-known Kerberos principal names and well-known Kerberos realm names.
"Kerberos Version 5 GSS-API Channel Binding Hash Agility", Shawn Emery, 10-Nov-07.
Currently, the Kerberos Version 5 Generic Security Services Application Programming Interface (GSS-API) mechanism [RFC4121] does not have the ability to utilize better hash algorithms for generating channel binding identities. The current mechanism for doing this is hard-coded to use MD5 only. The purpose of this document is to outline the changes required to update the protocol so that more secure algorithms can be used to create channel binding identities. The extensibility of this solution also provides for an eventual replacement of identities based solely on hash algorithms.
"Problem statement on the cross-realm operation of Kerberos", Shoichi Sakane, 18-Dec-07.
There are some issues when the cross-realm operation of Kerberos Version 5 [RFC4120] is employed in actual systems. This document describes some examples of actual systems, and lists the requirements and restrictions of the operation in such systems. It then describes the issues that arise when the cross-realm operation is applied to such systems.
"OTP Pre-authentication", Gareth Richards, 30-Apr-08.
The Kerberos protocol provides a framework for authenticating a client using the exchange of pre-authentication data. This document describes the use of this framework to carry out One-Time Password (OTP) authentication.
"An information model for Kerberos version 5", Leif Johansson, 6-Feb-08.
This document describes an information model for Kerberos version 5 from the point of view of an administrative service. There is no standard for administering a Kerberos 5 KDC. This document describes the services exposed by an administrative interface to a KDC.

IETF Secretariat - Please send questions, comments, and/or suggestions to ietf-web@ietf.org.