- "A Generalized Framework for Kerberos Pre-Authentication", Sam Hartman, Larry Zhu, 30-Jul-09.
  Kerberos is a protocol for verifying the identity of principals
  (e.g., a workstation user or a network server) on an open network.
  The Kerberos protocol provides a mechanism called pre-authentication
  for proving the identity of a principal and for better protecting the
  long-term secrets of the principal.
  This document describes a model for Kerberos pre-authentication
  mechanisms. The model describes what state in the Kerberos request a
  pre-authentication mechanism is likely to change. It also describes
  how multiple pre-authentication mechanisms used in the same request
  will interact.
  This document also provides common tools needed by multiple
  pre-authentication mechanisms. One of these tools is a secure channel
  between the client and the KDC with a reply key strengthening
  mechanism; this secure channel can be used to protect the
  authentication exchange, thus eliminating offline dictionary attacks.
  With these tools, it is relatively straightforward to chain multiple
  authentication mechanisms, utilize a different key management system,
  or support a new key agreement algorithm.
- "Using Kerberos V5 over the Transport Layer Security (TLS) protocol", Simon Josefsson, 31-Jul-09.
  This document specifies how the Kerberos V5 protocol can be transported
  over the Transport Layer Security (TLS) protocol, to provide
  additional security features.
- "Problem statement on the cross-realm operation of Kerberos", Shoichi Sakane, 31-Jul-09.
  As industrial automation is moving towards wider adoption of Internet
  standards, the Kerberos authentication protocol represents one of the
  best alternatives for ensuring the confidentiality and the integrity
  of communications in control networks while meeting performance and
  security requirements.
  However, the use of Kerberos cross-realm operations in large scale
  industrial systems may introduce issues that could cause performance
  and reliability problems. This document describes some examples of
  actual large scale industrial systems, and lists requirements and
  restrictions regarding authentication operations in such environments.
  The document then describes standing issues in the Kerberos
  cross-realm authentication model that should be fixed before Kerberos
  can be adopted in large scale industrial systems.
- "OTP Pre-authentication", Gareth Richards, 8-Apr-09.
  The Kerberos protocol provides a framework for authenticating a client
  using the exchange of pre-authentication data. This document
  describes the use of this framework to carry out One Time Password
  (OTP) authentication.
- "Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB)", Larry Zhu, Jeffrey Altman, 30-Jul-09.
  This document defines extensions to the Kerberos protocol and the
  GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to
  exchange messages with the KDC using the GSS-API acceptor as the
  proxy, by encapsulating the Kerberos messages inside GSS-API tokens.
  With these extensions a client can obtain Kerberos tickets for
  services where the KDC is not accessible to the client, but is
  accessible to the application server.
- "An information model for Kerberos version 5", Leif Johansson, 31-Jul-09.
  This document describes an information model for Kerberos version 5
  from the point of view of an administrative service. There is no
  standard for administrating a Kerberos 5 KDC. This document
  describes the services exposed by an administrative interface to a
  KDC.