Kerberos Research
The goal of this page is to collect links to, and some comments on, Kerberos research papers I have found on the net. It was created because I could not find a similar page.
Since the creation of this page, I have found some similar pages, including the following:
For a general introduction and other information, see the comp.protocols.kerberos FAQ.
Suggestions for improvement of this page are welcome, contact me.
Standard
The Internet Engineering Task Force hosts two working groups related to Kerberos standardization, the Kerberos WG and the Kerberized Internet Negotiation of Keys (KINK) WG. The following Requests For Comments have been published:
- RFC 1510, The Kerberos Network Authentication Service (V5). J. Kohl, C. Neuman. September 1993. (Format: TXT=275395 bytes) (Status: PROPOSED STANDARD)
- RFC 1964, The Kerberos Version 5 GSS-API Mechanism. J. Linn. June 1996. (Format: TXT=47413 bytes) (Status: PROPOSED STANDARD)
- RFC 2712, Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). A. Medvinsky, M. Hur. October 1999. (Format: TXT=13763 bytes) (Status: PROPOSED STANDARD)
- RFC 2942, Telnet Authentication: Kerberos Version 5. T. Ts'o. September 2000. (Format: TXT=14562 bytes) (Status: PROPOSED STANDARD)
- RFC 3244, Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols. M. Swift, J. Trostle, J. Brezak. February 2002. (Format: TXT=13334 bytes) (Status: INFORMATIONAL)
- RFC 3961, Encryption and Checksum Specifications for Kerberos 5. K. Raeburn. February 2005. (Format: TXT=111865 bytes) (Status: PROPOSED STANDARD)
- RFC 3962, Advanced Encryption Standard (AES) Encryption for Kerberos 5. K. Raeburn. February 2005. (Format: TXT=32844 bytes) (Status: PROPOSED STANDARD)
- RFC 4120, The Kerberos Network Authentication Service (V5). C. Neuman, T. Yu, S. Hartman, K. Raeburn. July 2005. (Format: TXT=340314 bytes) (Obsoletes RFC1510) (Status: PROPOSED STANDARD)
- RFC 4121, The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2. L. Zhu, K. Jaganathan, S. Hartman. July 2005. (Format: TXT=340314 bytes) (Updates RFC1964) (Status: PROPOSED STANDARD)
Papers about Security of Kerberos
- S. M. Bellovin and M. Merritt. Limitations of the Kerberos Authentication System. In Proceedings of the Winter 1991 Usenix Conference. January 1991. postscript
- B. Clifford Neuman and Stuart G. Stubblebine. A Note on the Use of Timestamps as Nonces. Operating Systems Review, 27(2):10-14, April 1993. (unrefereed) compressed postscript
- T. Wu, "A Real-World Analysis of Kerberos Password Security", in Proceedings of the 1999 Internet Society Network and Distributed System Security Symposium, San Diego, CA, Feb 1999. PDF, presentation.
- K. Hildrum (UC Berkeley, UNITED STATES), Security of Encrypted rlogin Connections Created With Kerberos IV [Paper], [Overview], NDSS 2000.
- S. Josefsson. On Active Attacks to Kerberos Telnet, August 2001, unpublished.
- F. Butler, I. Cervesato, A. Jaggard, A. Scedrov. A formal analysis of some properties of Kerberos 5 using MSR. In: S. Schneider, ed., "15th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, June, 2002", IEEE Computer Society Press, 2002, pp. 175-190.
Miscellaneous whitepapers
- Bill Bryant. Designing an Authentication System: a Dialogue in Four Scenes. 1988. Afterword by Theodore Ts'o, 1997. html
- Brian Tung. The Moron's Guide to Kerberos. html
- Cisco offers a Kerberos Whitepaper.
- Fulvio Ricciardi. The Kerberos protocol and its implementations. html
Documents of historical interest
- J. G. Steiner, B. Clifford Neuman, and J. I. Schiller. Kerberos: An Authentication Service for Open Network Systems. In Proceedings of the Winter 1988 Usenix Conference. February, 1988. (Version 4) text, postscript
- B. Clifford Neuman and Jennifer G. Steiner. Authentication of Unknown Entities on an Insecure Network of Untrusted Workstations. In Proceedings of the Usenix Workshop on Workstation Security, Portland, OR. August, 1988. postscript
- S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer. Section E.2.1: Kerberos Authentication and Authorization System. Project Athena Technical Plan, MIT Project Athena, Cambridge, Massachusetts, October 1988. (Version 4) text, postscript
- B. Clifford Neuman. Protection and Security Issues for Future Systems. In Proceedings of the Workshop on Operating Systems of the 90s and Beyond. Dagstuhl Castle, Germany. July 1991. compressed postscript
- B. Clifford Neuman and Theodore Ts'o. Kerberos: An Authentication Service for Computer Networks. IEEE Communications, 32(9):33-38. September 1994. html
- John T. Kohl, B. Clifford Neuman, and Theodore Y. Ts'o. The Evolution of the Kerberos Authentication System. In Distributed Open Systems, pages 78-94. IEEE Computer Society Press, 1994. text, postscript
- Uri Blumenthal, Steven M. Bellovin. A Better Key Schedule for DES-like Ciphers. In Proceedings of Pragocrypt'96, ISBN 80-01-01502-5. The simplified key derivation in RFC1510bis is based on this paper.
Simon Josefsson