
Smarter Method for Integration of One Time Password (OTP) with Kerberized Session keys in Kerberos handshake for Enhanced Security and Beyond Usage

IP.com Disclosure Number: IPCOM000188599D
Original Publication Date: 2009-Oct-15
Included in the Prior Art Database: 2009-Oct-15
Document File: 2 page(s) / 78K

Publishing Venue

IBM

Abstract

Disclosed is a method which aids in having the Kerberos session keys to be used beyond its traditional use in a kerberized client-server session. The method uses integration of One Time Password (OTP) with kerberized session keys in Kerberos handshake for enhanced security and beyond usage.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 53% of the total text.

Page 1 of 2


In the Kerberos handshake, the session key provided by the Key Distribution Server (KDC) for authentication and encrypted communication between the Kerberos client and the kerberized server is randomly generated, with no user or administrator control over it. This design works, but it limits the session key to authentication and secure communication between the Kerberos client and the Kerberos server. There is a need to generate session keys that can be used beyond the Kerberos client-server application while still maintaining the norms of security. Below is one such manifestation describing the need.

Manifestation: In a kerberized Network File Server Version 4 (NFS V4) client-server setup wherein the NFS server is integrated with Encrypted File System (EFS, where EFS has its own keys per user protecting the underlying files):
- The NFS V4 client will first need to authenticate with the NFS V4 server using the Kerberos handshake. On successful handshake the NFS client and server will share a session key, securely passed by the KDC (via tickets), for secure communication between the two.
- On accessing remote files over EFS, the NFS V4 client will have to separately send the user's EFS keys to the NFS server, using the session key obtained above for secure communication.
- The NFS V4 server will obtain the EFS keys to access the EFS files and then send the requested data securely to the NFS client using the session key.

Issues:
- An extra round trip in exchanging the EFS keys between the NFS client and the server. This hampers performance, which is a key consideration in security.
- The NFS client is burdened with an extra authority/responsibility to collect and transmit the user's EFS key. It is a client, and burdening it with server-like capabilities is overkill.
- Does not facilitate seamless Single Sign On, which is a strong need for consumability in system security solutions.

Disclosed steps addressing the problem:

Step 1: Integrate the Ticket Granting Server (part of the KDC) with an OTP server which periodically generates a one time password for a given hostname (which is typically part of the service principal name) and username (which is the principal requesting the session ticket). In short, the OTP server generates an OTP for a given user on a given host, where the user and host information is obtained from the Kerberos request.

St...