Technical Summary
Kerberos is a protocol for verifying the identity of principals
(e.g., a workstation user or a network server) on an open network.
The Kerberos protocol provides a mechanism called pre-authentication
for proving the identity of a principal and for better protecting the
long-term secrets of the principal.
This document describes a model for Kerberos pre-authentication
mechanisms. The model describes what state in the Kerberos request a
pre-authentication mechanism is likely to change. It also describes
how multiple pre-authentication mechanisms used in the same request
will interact.
This document also provides common tools needed by multiple pre-
authentication mechanisms. One of these tools is a secure channel
between the client and the KDC with a reply key strengthening
mechanism; this secure channel can be used to protect the
authentication exchange thus eliminate offline dictionary attacks.
With these tools, it is relatively straightforward to chain multiple
authentication mechanisms, utilize a different key management system,
or support a new key agreement algorithm.
Working Group Summary
This document represents the consensus of the Kerberos Working Group.
Document Quality
Multiple vendors have indicated that they plan to implement and ship
the extensions described in this document or have already begun to
do so.
Personnel
The Document Shepherd for this document is Jeffrey Hutzelman.
The responsible Area Director is Tim Polk.