Title :
Yaksha: augmenting Kerberos with public key cryptography
Author_Institution :
Center of Excellence for Electron. Commerce, Bell Atlantic, Silver Spring, MD, USA
Abstract :
The Kerberos authentication system is based on the trusted third-party Needham-Schroeder (1978) authentication protocol. The system is one of the few industry standards for authentication systems and its use is becoming fairly widespread. The system has some limitations, many of which are traceable to the decision of the Kerberos designers to solely use symmetric key cryptosystems. Using asymmetric (public-key) cryptosystems in an authentication protocol would prevent some of the shortcomings. Several such protocols have been proposed and some have been implemented. However, all these designs are either completely different from the Kerberos system, or require major changes to the basic system. Any attempts to improve Kerberos would do so with only minimal impact to the protocol and the source tree. In this work, we describe Yaksha, a new approach to achieving these goals. Yaksha uses as its building block an RSA (Rivest, Shamir & Adleman, 1978) algorithm variant independently invented by Boyd (1989) and by Ganesan and Yacobi (1994), in which the RSA private key is split into two portions. One portion becomes a user's Yaksha password, and the other the Yaksha server's password for that user. Using this simple but useful primitive, we show how we can blend the Kerberos system with a public-key infrastructure to create Yaksha, a more secure version of Kerberos, with minimal changes to the protocol.
Keywords :
message authentication; protocols; public key cryptography; Kerberos; RSA algorithm variant; RSA private key; Yaksha; asymmetric cryptosystems; dictionary attacks; digital signatures; industry standards; key exchange; nonrepudiation; password; public key cryptography; secure version; source tree; trusted third-party authentication protocol; Authentication; Computer science; Cryptographic protocols; Dictionaries; Digital signatures; Electronic commerce; Public key; Public key cryptography; Silver; Springs;
Conference_Title :
Network and Distributed System Security, 1995., Proceedings of the Symposium on
Conference_Location :
San Diego, CA
Print_ISBN :
0-8186-7027-4
DOI :
10.1109/NDSS.1995.390639