Extensible Pre-Authentication Kerberos

Phillip Hellewell
Brigham Young University
USA

Tim van der Horst
Brigham Young University
USA

Kent Seamons
Brigham Young University
USA

Many organizations need to provide services to more people, including strangers outside the local security domain. As the number of users grows larger, it becomes increasingly tedious to maintain and provision user accounts. It remains an open problem to create a system for provisioning outsiders that is secure, flexible, efficient, scalable, and easy to manage.

Kerberos is a secure, industry-standard protocol. Currently, Kerberos operates as a closed system; all users must be specified up front and managed on an individual basis. This paper presents EPAK (Extensible Pre-Authentication in Kerberos), a framework that enables Kerberos to operate as an open system. Implemented as a Kerberos extension, EPAK enables many authentication schemes to be loosely coupled with Kerberos without further modification to Kerberos itself. EPAK provides the mutual benefits of enhancing the flexibility of Kerberos and increasing the viability of alternate authentication systems as they move to the enterprise.
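The abstract says EPAK hooks alternate authentication schemes into Kerberos at the pre-authentication step, so that the KDC can admit a principal it holds no key for. The sketch below is an added illustration of that idea, not code from the paper or from EPAK: a toy KDC that dispatches AS-REQ pre-authentication data by padata-type, implements the standard PA-ENC-TIMESTAMP check (padata-type 2, RFC 4120) for in-domain users, and lets an outside scheme register a handler without the KDC class being modified. Everything not in RFC 4120 is an assumption: the HMAC over the timestamp stands in for the AES-CTS encryption of RFC 3962 (Python's standard library has no AES), padata-type 200 is a made-up number for the plug-in, and the one-time-token scheme is a hypothetical stand-in for whatever EPAK actually plugs in. The sample principals, password and token are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

# padata-type values. PA-ENC-TIMESTAMP is 2 in RFC 4120; 200 is a made-up
# number used here for the pluggable scheme (assumption, not a registered type).
PA_ENC_TIMESTAMP = 2
PA_PLUGIN_TOKEN = 200

AS_REP = "AS-REP"
ERR_PREAUTH_REQUIRED = "KRB-ERROR KDC_ERR_PREAUTH_REQUIRED"
ERR_PREAUTH_FAILED = "KRB-ERROR KDC_ERR_PREAUTH_FAILED"


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Password -> long-term key. RFC 3962 derives AES keys with PBKDF2 over
    the default salt realm||principal, 4096 iterations; 32 bytes for AES-256."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, 32)


@dataclass
class ASReq:
    realm: str
    principal: str
    padata: Dict[int, bytes]  # padata-type -> padata-value


def client_enc_timestamp(password: str, realm: str, principal: str, now: int) -> bytes:
    """Client side of PA-ENC-TIMESTAMP. Simplified: an HMAC keyed with the
    password-derived key stands in for encrypting the timestamp (assumption)."""
    key = string_to_key(password, realm, principal)
    ts = now.to_bytes(8, "big")
    return ts + hmac.new(key, ts, hashlib.sha256).digest()


Handler = Callable[["KDC", ASReq, bytes, int], bool]


class KDC:
    CLOCK_SKEW = 300  # seconds; the usual Kerberos default

    def __init__(self, realm: str, keys: Dict[str, bytes]):
        self.realm = realm
        self.keys = keys  # principal -> long-term key (only in-domain users)
        self.handlers: Dict[int, Handler] = {PA_ENC_TIMESTAMP: KDC.verify_enc_timestamp}
        self.replay: Set[Tuple[str, bytes]] = set()  # replay cache

    def register(self, patype: int, handler: Handler) -> None:
        """The extension point: add a pre-auth scheme without touching the KDC."""
        self.handlers[patype] = handler

    def verify_enc_timestamp(self, req: ASReq, value: bytes, now: int) -> bool:
        key = self.keys.get(req.principal)
        if key is None or len(value) != 40:
            return False
        ts, tag = value[:8], value[8:]
        if not hmac.compare_digest(tag, hmac.new(key, ts, hashlib.sha256).digest()):
            return False  # wrong password (or tampered padata)
        if abs(now - int.from_bytes(ts, "big")) > self.CLOCK_SKEW:
            return False  # stale timestamp
        if (req.principal, value) in self.replay:
            return False  # replayed pre-auth data
        self.replay.add((req.principal, value))
        return True

    def handle_as_req(self, req: ASReq, now: int) -> str:
        for patype, value in req.padata.items():
            handler = self.handlers.get(patype)
            if handler is not None:
                return AS_REP if handler(self, req, value, now) else ERR_PREAUTH_FAILED
        return ERR_PREAUTH_REQUIRED  # no usable pre-auth: never answer with a TGT


class TokenScheme:
    """Hypothetical out-of-band scheme for outsiders: a single-use token
    issued earlier (e.g. by e-mail); the KDC holds no key for the principal."""

    def __init__(self, tokens):
        self.tokens = set(tokens)

    def __call__(self, kdc: KDC, req: ASReq, value: bytes, now: int) -> bool:
        if value in self.tokens:
            self.tokens.discard(value)  # burn the token on first use
            return True
        return False


def demo() -> Dict[str, str]:
    realm, alice = "EXAMPLE.ORG", "alice"  # constructed sample principal
    kdc = KDC(realm, {alice: string_to_key("correct horse", realm, alice)})
    kdc.register(PA_PLUGIN_TOKEN, TokenScheme([b"tok-8f3a"]))  # constructed token
    now = 1_700_000_000
    good = client_enc_timestamp("correct horse", realm, alice, now)
    bad = client_enc_timestamp("wrong password", realm, alice, now)
    stale = client_enc_timestamp("correct horse", realm, alice, now - 3600)
    req = lambda p, pa: ASReq(realm, p, pa)
    return {
        "no_preauth": kdc.handle_as_req(req(alice, {}), now),
        "good": kdc.handle_as_req(req(alice, {PA_ENC_TIMESTAMP: good}), now),
        "replay": kdc.handle_as_req(req(alice, {PA_ENC_TIMESTAMP: good}), now),
        "wrong_pw": kdc.handle_as_req(req(alice, {PA_ENC_TIMESTAMP: bad}), now),
        "stale": kdc.handle_as_req(req(alice, {PA_ENC_TIMESTAMP: stale}), now),
        "outsider": kdc.handle_as_req(req("bob", {PA_PLUGIN_TOKEN: b"tok-8f3a"}), now),
        "token_reuse": kdc.handle_as_req(req("bob", {PA_PLUGIN_TOKEN: b"tok-8f3a"}), now),
    }
```

The point to notice is the error path: a KDC that answers an unauthenticated AS-REQ with an AS-REP hands out material encrypted under the user's password-derived key and invites offline guessing, so any plug-in scheme must still make the KDC withhold the reply until its handler says yes. A real pluggable scheme would also have to carry its own replay and freshness checks, as the token handler does here with single use; the dispatcher does not do that for it.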

Keywords: Kerberos, authentication, SAW, trust negotiation, open systems
