Adding Perfect Forward Secrecy To Kerberos

Abstract

Kerberos system is a powerful and widely implemented authentication system. Despite this fact it has several problems such as the vulnerability to dictionary attacks which is solved with the use of public key cryptography. Also an important security feature that is not found in Kerberos is perfect forward secrecy. In this work the lack of this feature is investigated in Kerberos in its original version. Also a public key based modification to Kerberos is presented and it is shown that it lacks the prefect forward secrecy too. Then some extensions are proposed to achieve this feature. The extensions are based on public key concepts (Diffie-Hellman) with the condition of keeping the password based authentication; this requires little modifications to the original Kerberos. Four extensions are proposed; two of them modify the (Client-Authentication Server) exchange achieving conditional perfect forward secrecy, while the remaining two modify the Client-Server exchange achieving perfect forward secrecy but with increased overhead and delay.