A method to Implement the Kerberos User Authentication and the secured Internet Service

Kerberos is a network authentication protocol created by MIT, and uses symmetric-key cryptography to authenticate users to network services. And IPSec is a typical security protocol that is used to construct VPN (virtual private network) in network layer of TCP/IP protocol.

When implementing secured Internet service combining Kerberos with IPsec security program, there are some problems.

Kerberos that was proposed as authentication system based on trusted third-party have been now developing by version 5 [1] and it used public key cryptography to verify client’s identification and share a secret key between user and Authentication Server or TGS server or Application Server [2,4] . Specially, the method to use ECDH key exchange and ECSig signature in sharing secret key between the user and the AS server [5] is proposed, but program to implement these methods completely is not yet published.

Because the combination parameters between IPSec and Kerberos are generally set, the gssapi_krb authentication method [3,6,7] that the present IPSec proposes can be now not used. These parameters must be set according to application service name and mechanism type, etc.

Httpd daemon with Kerberos authentication module(mod_auth_kerb) and Squid program with Kerberos authentication module(negotiate_auth) offer only a secured www service, and Kerberos V5 FTP program offers only secured ftp service of command-driven mode.

(Kerberos-aware Email application is also same as Kerberos V5 FTP program)

In the former case, user must configure Firefox browser to use Kerberos for Single Sign-on.

That is, it needs that user configure web browser to send user’s own Kerberos credentials to the appropriate KDC. In the latter case, user don’t use web browser.

If user wants to use Kerberos authentication service, user has to know how to use a web browser and secured FTP of command-based mode.

Paper proposes a PKINIT_AS Kerberos V5 authentication system to use public key cryptography and a method to implement the gssapi_krb authentication method and the secured Internet service using it in IPSec VPN.

Improved Kerberos authentication system using the public key cryptography is implemented on the assumption that KDC has public key certificates of clients previously, which has and ① ② message form other than default Kerberos authentication system. The authentication process of PKINIT_AS Kerberos authentication system proposed in this paper proceeds as follows.

① Client C sends signing its identification as own private key and its own public key certificate beside default request message to the AS.

② When AS receives the request message from client C and processes it, it identifies that public key of public key certificate in received message is the same as public key of public key certificate for the client in database, if these public keys are the same, it verifies signature using the key. If signature verification is successful, it proceeds with next step. AS sends encrypting secret session key(k c.tgs ) between client C and Ticket Granting Server(TGS) with client’s public key to the client.

③ Client decrypts received reply message from AS with secret Kc created by its password and then decrypts encrypted k c.tgs with its own private key P C -1 to get secrete session key k c.tgs between client and TGS.

The rest reception processes in client and the next steps of Kerberos authentication system are also same as default Kerberos processes.

To establish successfully the security contexts based on gssapi_krb between IPSec client and IPSec server, the Present IPSec security program sets combination parameter as follows.

Step 1: GSS-API initiator calls gss_import_name( ) to get the name of application server. Step 2: The client calls GSS_Init_sec_context() to establish a security context and sends the output_token to the server.

• .GSS_Init_sec_context() returns an output_token to be passed to the server

• The client may request various context-level functions through request flags of GSS_Init_sec_context().( for example, to enforce sequencing or to detect reply attack be applied to messages transferred on the established context and so on.)

The specification needs to pass GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG as req_flags, but original function hasn’t GSS_C_REPLAY_FLAG req_flag.

We add GSS_C_REPLAY_FLAG req_flag as req_flags of GSS_Init_sec_context().

Step 3: Server receives the token from the client and transfer it to gss_accept_sec_context( ) and set it to value of INPUT_TOKEN parameter.

• A call to GSS_Accept_sec_context() at the server returns a token.

• Specially, before the server call gss_accept_sec_context(), it calls gss_ import_name() and gss_canonicalize_name() to get client’s name, and then, acquire server’s credential calling gss_acquire_cred() with modified value as follow. maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE, GSS_C_NULL_OID_SET, GSS_C_ACCEPT, &gps->gss_cred,

This content is AI-processed based on open access ArXiv data.