Providing EAP-based Kerberos pre-authentication and advanced authorization for network federations

Published: 01 September 2011

Abstract

Kerberos is a well-known standard protocol which is becoming one of the most widely deployed for authentication and key distribution in application services. However, whereas service providers use the protocol to control their own subscribers, they do not widely deploy Kerberos infrastructures to handle subscribers coming from foreign domains, as happens in network federations. Instead, the deployment of Authentication, Authorization and Accounting (AAA) infrastructures has been preferred for that operation. Thus, the lack of a correct integration between these infrastructures and Kerberos limits service access to the service provider's own subscribers. To avoid this limitation, we design an architecture that integrates a Kerberos pre-authentication mechanism, based on the Extensible Authentication Protocol (EAP), with advanced authorization, based on the SAML and XACML standards, to link the end-user authentication and authorization performed through an AAA infrastructure with the delivery of Kerberos tickets in the service provider's domain. We detail the interfaces, protocols, operation and extensions required for our solution. Moreover, we discuss important aspects such as the implications for existing standards.


Cited By

  • (2018) Providing efficient SSO to cloud service access in AAA-based identity federations. Future Generation Computer Systems, 58:C (13-28). DOI: 10.1016/j.future.2015.12.002. Online publication date: 30-Dec-2018.
  • (2018) A cross-layer SSO solution for federating access to kerberized services in the eduroam/DAMe network. International Journal of Information Security, 11:6 (365-388). DOI: 10.1007/s10207-012-0174-5. Online publication date: 24-Dec-2018.
  • (2018) An optimized authentication protocol for mobile networks. Neural Computing and Applications, 25:2 (379-385). DOI: 10.1007/s00521-013-1496-6. Online publication date: 27-Dec-2018.


Published In

Computer Standards & Interfaces, Volume 33, Issue 5
September 2011
81 pages

Publisher

Elsevier Science Publishers B. V., Netherlands


Author Tags

1. AAA
2. Authentication
3. Authorization
4. EAP
5. Kerberos
6. SAML
7. XACML

Qualifiers

• Article
