Public-key cryptography extensions into Kerberos

How can and why should the Kerberos authentication standard (RFC1510) be extended to support public-key cryptography? These are the questions that we explore in this article. Integrating public-key cryptography (PKC) within Kerberos shares the leading edge of proposed enhancements to the traditional Kerberos standard with initiatives like IPv6 support and hardware authentication via smart-cards. The benefits of PKC will improve scalability and security throughout the Kerberos framework. Although this enhancement has not yet completed the Internet Standards Process (RFC 2026), it has already been adopted by some companies in their products. We begin with overviews of PKC, and then discuss what improvements PKC can offer to Kerberos. After summarizing three different protocols for public-key enhanced Kerberos, we explain the performance penalties associated with PKC and reference qualitative results from other research which compares the response-time performance of the two fundamental approaches we describe for public-key based authentication. Finally, we look at some of the security issues associated with including public-key support in the traditional Kerberos framework.