Problem Statement on the Cross-Realm Operation of Kerberos

Sakane, Shoichi; Ishiyama, Masahiro; Zrelli, Saber

doi:10.17487/rfc5868

Cited by 9 publications

(6 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, it would have been possible to provide identity federation to OpenStack following the standard Kerberos crossrealm model. However, the deployment of Kerberos cross-realm infrastructures has been scarce, due to some recognized issues [RFC5868]. Thus, the usage of Kerberos has been limited to controlling the access of local users registered in the service s domain Recently some alternatives, such as FedKERB [FEDKRB], PanaKERB [PANAKRB] and EduKERB [EDUKRB], have been proposed to obtain the benefits of Kerberos without deploying an alternative cross-realm infrastructure, by using a more common and widely used federation substrate: the AAA-based federation.…”

Section: Related Workmentioning

confidence: 99%

“…Therefore, it would have been possible to provide identity federation to OpenStack following the standard Kerberos cross‐realm model. However, the deployment of Kerberos cross‐realm infrastructures has been scarce, due to some recognized issues . Thus, the usage of Kerberos has been limited to controlling the access of local users registered in the service's domain.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Integrating an AAA‐based federation mechanism for OpenStack—The CLASSe view

Méndez

Millán

López

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

Identity federations enable users, service providers and identity providers from different organizations to exchange authentication and authorization information in a secure way. In this paper we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an Authentication, Authorization and Accounting (AAA) infrastructure. Specifically we analyse how this type of AAA-based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the IETF Application Bridging for Federated Access Beyond web (ABFAB) specification for authentication and authorization. We provide details of the implementation undertaken in GÉANT s CLASSe project, and show its validation in a real testbed.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Integrating an AAA‐based federation mechanism for OpenStack—The CLASSe view

Méndez

Millán

López

et al. 2017

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…The applicability of Kerberos cross-realm operations in such domains present some issues. We previously outlined these issues with the IETF Kerberos working group [7]. This section provides an overview of the issues in Kerberos cross-realm operations that the XKDCP protocol aims to solve.…”

Section: Issues In Kerberos Cross-realm Operationsmentioning

confidence: 99%

“…The dependability issues of Kerberos lies in its crossrealm operations. The cross-realm authentication capabilities in Kerberos, which allow an administrative domain (called Kerberos realm) to authenticate entities that belong to other administrative domains, suffer from scalability and security issues as we stated in a previous work [7]. The objective of this paper is to outline the shortcomings of the Kerberos cross-realm authentication model and propose a new protocol that solves these issues.…”

Section: Introductionmentioning

confidence: 95%

XKDCP: An Inter-KDC Protocol for Dependable Kerberos Cross-Realm Operations

Zrelli¹,

Okabe²,

Shinoda³

2013

JNW

View full text Add to dashboard Cite

The wide popularity of Kerberos made it the de-facto standard for authentication in enterprise networks
Moreover, the lightweight nature of Kerberos makes it a candidate of choice for securing network communications in emerging non-enterprise information systems such as industrial control networks, building automation and intelligent transportation systems. Many of these potential applications of Kerberos involve infrastructures characterized by their large scale and strict dependability requirements. However, such requirements may not be met when crossrealm Kerberos operations are involved. In this paper, we outline the issues with the current Kerberos crossrealm model and present XKDCP (Inter Key Distribution Center Protocol), a new Kerberos cross-realm authentication model that improves on scalability and dependability by (1) relying on public key cryptography to dynamically maintain direct trust relationships between Kerberos realms and (2) adopting a proxy model to offload inter-domain exchanges and processing from the low-end devices to the Kerberos authentication servers

show abstract

“…It should be noted that the cross-realm authentication mode can become unreliable and may introduce delays if the number of intermediary KDCs increases. Currently, the Kerberos cross-realm authentication model is under investigation within the IETF [17] and there exist some proposals [18], [19] for using public key cryptography to enable dynamically establish direct trust relationships between Kerberos KDCs.…”

Section: Full Eap-kerberos Authentication In a Visited Access Networkmentioning

confidence: 99%

EAP-Kerberos: A Low Latency EAP Authentication Method for Faster Handoffs in Wireless Access Networks

Zrelli

Okabe

Shinoda

2012

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYThe wireless medium is a key technology for enabling ubiquitous and continuous network connectivity. It is becoming more and more important in our daily life especially with the increasing adoption of networking technologies in many fields such as medical care and transportation systems. Although most wireless technologies nowadays provide satisfying bandwidth and higher speeds, several of these technologies still lack improvements with regard to handoff performance. In this paper, we focus on wireless network technologies that rely on the Extensible Authentication Protocol for mutual authentication between the station and the access network. Such technologies include local area wireless networks (IEEE 802.11) as well as broadband wireless networks (IEEE 802.16). We present a new EAP authentication method based on a three party authentication scheme, namely Kerberos, that considerably shortens handoff delays. Compared to other methods, the proposed method has the advantage of not requiring any changes on the access points, making it readily deployable at reasonable costs.

show abstract

Problem Statement on the Cross-Realm Operation of Kerberos

Abstract: This document provides background information regarding large-scale Kerberos deployments in the industrial sector, with the aim of identifying issues in the current Kerberos cross-realm authentication model as defined in RFC 4120.

Cited by 9 publications

References 1 publication

Integrating an AAA‐based federation mechanism for OpenStack—The CLASSe view

Integrating an AAA‐based federation mechanism for OpenStack—The CLASSe view

XKDCP: An Inter-KDC Protocol for Dependable Kerberos Cross-Realm Operations

EAP-Kerberos: A Low Latency EAP Authentication Method for Faster Handoffs in Wireless Access Networks

Contact Info

Product

Resources

About