
PrivaKERB: A user privacy framework for Kerberos

Published: 01 September 2011

Abstract

Kerberos is one of the most well-respected and widely used authentication protocols for open and insecure networks. Its impact is expected to increase, since it provides a reliable and scalable solution for authentication and secure service acquisition in the Next Generation Networks (NGN) era. This means, however, that the security and privacy issues of the protocol itself must be carefully considered. This paper proposes a novel two-level privacy framework, PrivaKERB, to address user privacy in Kerberos. Our solution offers two privacy levels, covering user anonymity and service access untraceability. We detail how these modes operate to preserve user privacy in both single-realm and cross-realm scenarios. By using the extensibility mechanisms already available in Kerberos, PrivaKERB does not change the semantics of messages and allows future implementations to remain interoperable. We also evaluate our solution in terms of service time and resource utilization. The results show that PrivaKERB is a lightweight solution that imposes negligible overhead on both the participating entities and the network.

Published In

Computers and Security, Volume 30, Issue 6-7, September 2011, 203 pages

Publisher

Elsevier Advanced Technology Publications, United Kingdom

Author Tags

1. Identity
2. Kerberos
3. Network Federation
4. Privacy
5. Security

Qualifiers

• Article