Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension
نویسندگان
چکیده
This document describes how to further extend the Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) extension [RFC4556] to exchange an opaque data blob which a KDC can validate to ensure that the client is currently in possession of the private key during a PKInit AS exchange.
منابع مشابه
Refining Computationally Sound Mechanized Proofs for Kerberos
Kerberos is designed to allow a user to repeatedly authenticate herself to multiple servers based on a single login. The PKINIT extension to Kerberos modifies the initial round of the protocol to use a PKI instead of long-term shared keys (e.g., password-derived keys). Especially with PKINIT, Kerberos uses a rich collection of cryptographic operations and constructs, and Kerberos, both with and...
متن کاملA Survey of Kerberos V and Public-Key Kerberos Security
Kerberos was initially developed at MIT as a part of Project Athena and in these days it is widely deployed single sign-on protocol that is developed to authenticate clients to multiple networked services. Furthermore, Cross-realm authentication is a useful and interesting component of Kerberos aimed at enabling secure access to services astride organizational boundaries. Also, Kerberos has con...
متن کاملBreaking and Fixing Public-Key Kerberos
We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the s...
متن کاملRFC 5349 ECC Support for PKINIT September
Status of This Memo This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited. Abstract This document describes the use of Elliptic Curve certificates, Elliptic Curve signature schemes and Elliptic Curve Diffie-Hellman (ECDH) key agreement within the framework of PKINIT-the Kerberos Version 5 extension...
متن کاملComputationally Sound Mechanized Proof of PKINIT for Kerberos
Here we report initial results on the formalization and analysis, using the CryptoVerif tool [4, 5, 6], of the public-key extension to the Kerberos protocol, PKINIT [10]. This protocol provides a good test case for analysis techniques because it incorporates many different protocol design elements: symmetric and asymmetric encryption, digital signatures, and keyed hash functions. We are able to...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید
ثبت ناماگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید
ورودعنوان ژورنال:
- RFC
دوره 8070 شماره
صفحات -
تاریخ انتشار 2006