Mutual authentication between the local KDC and the remote KDC involves the PKCROSS ticket. When combined with PKINIT, the operation continues from the point where the client has received the session key and the TGT for the TGS. The client requests a cross-realm TGT from the local TGS by sending the local TGS its TGT, an authenticator for the client and the ID of the remote TGS. After verifying the authenticity of the request by comparing the information in the decrypted authenticator with that in the TGT, the local TGS requests the cross-realm TGT and the session key for communication between the client and the remote TGS. These operations are similar to PKINIT, with the local TGS acting as the client. Upon receiving the cross-realm TGT and session key, the local TGS encrypts both using the session key shared between the local TGS and the client before sending them to the client. The rest of the operation is similar to the traditional
PKTAPP enables the authentication exchange to be performed directly between the client and the application server (APPSERV) instead of relying on a trusted intermediary. The client starts by requesting a certificate from the application server. After verifying it, the client requests a service ticket from the application server by sending its signature, a session key and its certificate, encrypted using the application server's public key. The server then returns the service ticket together with a new session key for the ticket, encrypted using the client-generated session key. The ticket can then be used to request specific services from the application server using the traditional Kerberos