XKDCP: An Inter-KDC Protocol for Dependable Kerberos Cross-Realm Operations

The wide popularity of Kerberos made it the de-facto standard for authentication in enterprise networks. Moreover, the lightweight nature of Kerberos makes it a candidate of choice for securing network communications in emerging non-enterprise information systems such as industrial control networks, building automation and intelligent transportation systems. Many of these potential applications of Kerberos involve infrastructures characterized by their large scale and strict dependability requirements. However, such requirements may not be met when crossrealm Kerberos operations are involved. In this paper, we outline the issues with the current Kerberos crossrealm model and present XKDCP (Inter Key Distribution Center Protocol), a new Kerberos cross-realm authentication model that improves on scalability and dependability by (1) relying on public key cryptography to dynamically maintain direct trust relationships between Kerberos realms and (2) adopting a proxy model to offload inter-domain exchanges and processing from the low-end devices to the Kerberos authentication servers.