A Generalized Framework for Kerberos Pre-Authentication

A Generalized Framework for Kerberos Pre-Authentication draft-ietf-krb-wg-preauth-framework-04 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." Abstract Kerberos is a protocol for verifying the identity of principals (e.g., a workstation user or a network server) on an open network. The Kerberos protocol provides a mechanism called pre-authentication for proving the identity of a principal and for better protecting the long-term secret of the principal. mechanisms. The model describes what state in the Kerberos request a pre-authentication mechanism is likely to change. It also describes how multiple pre-authentication mechanisms used in the same request will interact. This document also provides common tools needed by multiple pre-authentication mechanisms. One of such tools is a secure channel between the client and the KDC with a reply key delivery mechanism, this secure channel can be used to protect the authentication exchange thus eliminate offline dictionary attacks. With these tools, it is straightforward to chain multiple authentication factors or add a plugin to, for example, utilize a different key management system, or support a new key agreement algorithm.