- "Kerberos Principal Name Canonicalization and KDC-Generated Cross-Realm Referrals", Kenneth Raeburn, Larry Zhu, 14-Jul-08.
  The memo documents a method for a Kerberos Key Distribution Center (KDC) to respond to client requests for Kerberos tickets when the client does not have detailed configuration information on the realms of users or services. The KDC will handle requests for principals in other realms by returning either a referral error or a cross-realm TGT to another realm on the referral path. The clients will use this referral information to reach the realm of the target principal and then receive the ticket.
- "Kerberos Set/Change Key/Password Protocol Version 2", Nicolas Williams, 3-Nov-08.
  This document specifies an extensible protocol for setting keys and changing the passwords of Kerberos V principals.
- "A Generalized Framework for Kerberos Pre-Authentication", Larry Zhu, Sam Hartman, 13-Jul-08.
  Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a mechanism called pre-authentication for proving the identity of a principal and for better protecting the long-term secret of the principal.
  This document describes a model for Kerberos pre-authentication mechanisms. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact.
  This document also provides common tools needed by multiple pre-authentication mechanisms. One of these tools is a secure channel between the client and the KDC with a reply key delivery mechanism; this secure channel can be used to protect the authentication exchange, thus eliminating offline dictionary attacks. With these tools, it is relatively straightforward to chain multiple authentication mechanisms, utilize a different key management system, or support a new key agreement algorithm.
- "Anonymity Support for Kerberos", Larry Zhu, Paul Leach, 10-Oct-08.
  This document defines extensions to the Kerberos protocol to allow a Kerberos client to securely communicate with a Kerberos application service without revealing its identity, or without revealing more than its Kerberos realm. It also defines extensions which allow a Kerberos client to obtain anonymous credentials without revealing its identity to the Kerberos Key Distribution Center (KDC). This document updates RFC 4120, RFC 4121, and RFC 4556.
- "Additional Kerberos Naming Constraints", Larry Zhu, 12-Aug-08.
  This document defines new naming constraints for well-known Kerberos principal names and well-known Kerberos realm names.
- "PK-INIT algorithm agility", Love Astrand, Larry Zhu, 5-Aug-08.
  The PK-INIT defined in RFC 4556 is examined and updated to remove protocol structures tied to specific cryptographic algorithms. The affinity to SHA-1 as the checksum algorithm in the authentication request is analyzed. The PK-INIT key derivation function is made negotiable, and the digest algorithms for signing the pre-authentication data and the client's X.509 certificates are made discoverable. These changes provide preemptive protection against vulnerabilities discovered in the future against any specific cryptographic algorithm, and allow incremental deployment of newer algorithms.
- "Kerberos Version 5 GSS-API Channel Binding Hash Agility", Shawn Emery, 3-Nov-08.
  Currently, channel bindings are implemented using an MD5 hash in the Kerberos Version 5 Generic Security Services Application Programming Interface (GSS-API) mechanism [RFC4121]. This document updates RFC4121 to allow channel bindings using algorithms negotiated based on the Kerberos crypto framework as defined in RFC3961. In addition, because this update makes use of the last extensible field in the Kerberos client-server exchange message, extensions are defined to allow future protocol extensions.
- "Problem statement on the cross-realm operation of Kerberos", Shoichi Sakane, 30-Oct-08.
  There are some issues when the cross-realm operation of Kerberos Version 5 [RFC4120] is employed in actual, specific systems. This document describes some examples of actual systems, and lists the requirements and restrictions of the operation in such systems. It then describes the issues that arise when the cross-realm operation is applied to such systems.
- "OTP Pre-authentication", Gareth Richards, 15-Sep-08.
  The Kerberos protocol provides a framework for authenticating a client using the exchange of pre-authentication data. This document describes the use of this framework to carry out One Time Password (OTP) authentication.
- "Initial and Pass Through Authentication Using Kerberos V5 and the GSS-API (IAKERB)", Larry Zhu, Jeffrey Altman, 3-Nov-08.
  This document defines extensions to the Kerberos protocol and the GSS-API Kerberos mechanism that enable a GSS-API Kerberos client to exchange messages with the KDC using the GSS-API acceptor as the proxy, by encapsulating the Kerberos messages inside GSS-API tokens. With these extensions a client can obtain Kerberos tickets for services where the KDC is not accessible to the client, but is accessible to the application server.
- "An information model for Kerberos version 5", Leif Johansson, 2-Nov-08.
  This document describes an information model for Kerberos version 5 from the point of view of an administrative service. There is no standard for administrating a Kerberos 5 KDC. This document describes the services exposed by an administrative interface to a KDC.
IETF Secretariat - Please send questions, comments, and/or
suggestions to ietf-web@ietf.org.