Extensible Pre-Authentication in Kerberos
Source: Brigham Young University
Kerberos is a well-established authentication system: a user authenticates once and can then connect to application servers within the Kerberos realm without authenticating again for a period of time. It is time-tested and widely used. Version 5 was standardized over a decade ago and is used in business, government, military, and educational institutions. Replacing Kerberos with a new authentication method is prohibitive because access control systems and applications are often built up around the Kerberos infrastructure.

As new authentication methods arise, incorporating them into Kerberos is desirable. Extending Kerberos is an attractive alternative that allows systems like Active Directory to remain intact. However, adding extensions poses challenges due to the lack of source code availability for some implementations and a lengthy standardization process.

Pre-authentication, introduced in Kerberos version 5, allows a client to prove its authenticity before being issued a ticket-granting ticket (TGT): a pre-authentication data field in the AS request (the client's request to the Authentication Server) carries that proof. The Kerberos extension presented here, EPAK, builds on this mechanism and enables many authentication methods to be loosely coupled with Kerberos without further modification to Kerberos. Two authentication methods for open systems have been integrated into Kerberos using EPAK to demonstrate the power and flexibility of the framework design.
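The following is an added, constructed model of the KDC side of pre-authentication; it is not EPAK's code and not a real Kerberos implementation. It shows the two points the abstract makes: the KDC refuses to issue a TGT until the AS request carries pre-authentication data that verifies under the client's long-term key, and pre-authentication methods can be plugged in through a registry keyed by pa-type without touching the AS-exchange logic. The AS-REQ is a plain dict rather than ASN.1, `string_to_key` is a PBKDF2 stand-in for the real string2key function, and the "encrypted timestamp" is modelled as an HMAC over the timestamp rather than the real PA-ENC-TIMESTAMP encoding; the numeric pa-type and error codes are the values from RFC 4120.

```python
"""Constructed model of Kerberos pre-authentication at the KDC (not real Kerberos)."""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

# Numeric values from RFC 4120.
PA_ENC_TIMESTAMP = 2
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
MAX_CLOCK_SKEW = 300  # seconds; the conventional KDC default


def string_to_key(password: str, principal: str) -> bytes:
    """Stand-in for the Kerberos string2key function (hypothetical, not RFC 3962)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


# Constructed principal database: principal name -> long-term key.
PRINCIPALS = {"alice@EXAMPLE.ORG": string_to_key("correct horse", "alice@EXAMPLE.ORG")}

# A handler receives (principal, client key, pa-value, KDC state) and says ok/why not.
PreauthHandler = Callable[[str, bytes, dict, dict], Tuple[bool, str]]
HANDLERS: Dict[int, PreauthHandler] = {}


def register_preauth(pa_type: int):
    """Decorator: plug a new pre-auth method in without changing kdc_as_exchange."""
    def wrap(fn: PreauthHandler) -> PreauthHandler:
        HANDLERS[pa_type] = fn
        return fn
    return wrap


def make_enc_timestamp(key: bytes, now: int) -> dict:
    """Client side: authenticator over the current time (HMAC stand-in for encryption)."""
    mac = hmac.new(key, str(now).encode(), "sha256").hexdigest()
    return {"timestamp": now, "mac": mac}


@register_preauth(PA_ENC_TIMESTAMP)
def check_enc_timestamp(principal: str, key: bytes, pa_value: dict, state: dict):
    """KDC side: the authenticator must verify under the client's key, be fresh, and be unused."""
    expected = hmac.new(key, str(pa_value["timestamp"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, pa_value["mac"]):
        return False, "authenticator does not verify under the client's key"
    if abs(state["now"] - pa_value["timestamp"]) > MAX_CLOCK_SKEW:
        return False, "timestamp outside allowed clock skew"
    seen = state.setdefault("replay_cache", set())
    if (principal, pa_value["timestamp"]) in seen:
        return False, "replayed authenticator"
    seen.add((principal, pa_value["timestamp"]))
    return True, "ok"


def kdc_as_exchange(as_req: dict, state: dict) -> dict:
    """KDC side of the AS exchange: returns a (modelled) AS-REP or a KRB-ERROR dict."""
    principal = as_req["cname"]
    key = PRINCIPALS.get(principal)
    if key is None:
        return {"error": KDC_ERR_C_PRINCIPAL_UNKNOWN}
    padata = as_req.get("padata")
    if not padata:
        # No proof of identity yet: tell the client which methods this KDC accepts.
        return {"error": KDC_ERR_PREAUTH_REQUIRED, "supported_pa_types": sorted(HANDLERS)}
    handler = HANDLERS.get(padata["pa_type"])
    if handler is None:
        return {"error": KDC_ERR_PREAUTH_FAILED, "reason": "unsupported pa-type"}
    ok, reason = handler(principal, key, padata["pa_value"], state)
    if not ok:
        return {"error": KDC_ERR_PREAUTH_FAILED, "reason": reason}
    # Only now is the client issued its TGT (modelled here as a stub record).
    return {"tgt_for": principal, "issued_at": state["now"]}


if __name__ == "__main__":
    state = {"now": 1_700_000_000}  # fixed clock so the run is reproducible
    key = PRINCIPALS["alice@EXAMPLE.ORG"]
    print(kdc_as_exchange({"cname": "alice@EXAMPLE.ORG"}, state))
    req = {"cname": "alice@EXAMPLE.ORG",
           "padata": {"pa_type": PA_ENC_TIMESTAMP,
                      "pa_value": make_enc_timestamp(key, state["now"])}}
    print(kdc_as_exchange(req, state))
    print(kdc_as_exchange(req, state))  # same authenticator again: rejected as a replay
```

The registry is the extension point the abstract describes: a new method is a function decorated with `register_preauth` under its own pa-type, and the KDC's AS exchange dispatches to it unchanged. The three checks in `check_enc_timestamp` (key verification, clock skew, replay cache) are the ones a real KDC performs on an encrypted timestamp; all three must pass before the TGT is issued.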