Public-Key Cryptography Enabled Kerberos Authentication

摘要

Kerberos is a trusted third party authentication protocol based on symmetric key cryptography. This paper studies how Kerberos authentication standard can be extended to support public key cryptography. The paper aims to do this by implementing the most important public-key cryptography extension specifications to the traditional Kerberos standard which incorporate public-key infrastructure (PKI) into the scope of underlying systems trusted by Kerberos. Thus, qualitative experimental measurements can be performed to study and compare various extensions. Although public key crypto-system requires calculations that are computationally expensive, it is well believed that they can eliminate some of Kerberos protocol limitations. The public-key based protocols PKINIT, PKCROSS, and PKTAPP add public-key cryptography support at different stages of the Kerberos framework. They all attempt to improve Kerberos scalability and security by simplifying key management and utilizing trustworthy public-key infrastructures Together. The PKINIT and PKCROSS specifications define a public key based authentication solution across multi-realm Kerberos networks. PKTAPP makes more fundamental changes to the Kerberos standard in an attempt to achieve greater improvements in scalability, security and client privacy issues. Analysis and evaluation have been performed based on our own developed prototype implementations of PKINIT, PKCROSS, and PKTAPP.