"Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm Referrals", Kenneth Raeburn, Larry Zhu, 14-Jul-08. ( bytes)

The memo documents a method for a Kerberos Key Distribution Center (KDC) to respond to client requests for Kerberos tickets when the client does not have detailed configuration information on the realms of users or services. The KDC will handle requests for principals in other realms by returning either a referral error or a cross-realm TGT to another realm on the referral path. The clients will use this referral information to reach the realm of the target principal and then receive the ticket.

"A Generalized Framework for Kerberos Pre-Authentication", Larry Zhu, Sam Hartman, 13-Jul-08. ( bytes)

Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a mechanism called pre-authentication for proving the identity of a principal and for better protecting the long-term secret of the principal. This document describes a model for Kerberos pre-authentication mechanisms. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact. This document also provides common tools needed by multiple pre- authentication mechanisms. One of these tools is a secure channel between the client and the KDC with a reply key delivery mechanism; this secure channel can be used to protect the authentication exchange thus eliminate offline dictionary attacks. With these tools, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.

"Anonymity Support for Kerberos", Larry Zhu, Paul Leach, 10-Oct-08. ( bytes)

This document defines extensions to the Kerberos protocol to allow a Kerberos client to securely communicate with a Kerberos application service without revealing its identity, or without revealing more than its Kerberos realm. It also defines extensions which allow a Kerberos client to obtain anonymous credentials without revealing its identity to the Kerberos Key Distribution Center (KDC). This document updates RFC 4120, RFC 4121, and RFC 4556.

"Additional Kerberos Naming Constraints", Larry Zhu, 12-Aug-08. ( bytes)

This document defines new naming constraints for well-known Kerberos principal name and well-known Kerberos realm names.

"PK-INIT algorithm agility", Love Astrand, Larry Zhu, 5-Aug-08. ( bytes)

The PK-INIT defined in RFC 4556 is examined and updated to remove protocol structures tied to specific cryptographic algorithms. The affinity to SHA-1 as the checksum algorithm in the authentication request is analyzed. The PK-INIT key derivation function is made negotiable, the digest algorithms for signing the pre-authentication data and the client's X.509 certificates are made discoverable. These changes provide protection preemptively against vulnerabilities discovered in the future against any specific cryptographic algorithm, and allow incremental deployment of newer algorithms.

"Kerberos Version 5 GSS-API Channel Binding Hash Agility", Shawn Emery, 14-Jul-08. ( bytes)

Currently, channel bindings are implemented using a MD5 hash in the Kerberos Version 5 Generic Security Services Application Programming Interface (GSS-API) mechanism [RFC4121]. This document updates RFC4121 to allow the channel binding restriction to be lifted using algorithms negotiated based on Kerberos crypto framework as defined in RFC3961. In addition, because this update makes use of the last extensible field in the Kerberos client-server exchange message, extensions are defined to allow future protocol extensions.

"OTP Pre-authentication", Gareth Richards, 15-Sep-08. ( bytes)

The Kerberos protocol provides a framework authenticating a client using the exchange of pre-authentication data. This document describes the use of this framework to carry out One Time Password (OTP) authentication.

"An information model for Kerberos version 5", Leif Johansson, 10-Jul-08. ( bytes)

This document describes an information model for Kerberos version 5 from the point of view of an administrative service. There is no standard for administrating a kerberos 5 KDC. This document describes the services exposed by an administrative interface to a KDC.

Return to Internet-Draft directory.

Return to IETF home page.