Performance of public-key-enabled Kerberos authentication in large networks

Several proposals have been made to public-key-enable various stages of the secret-key-based Kerberos network authentication protocol. The computational requirements of public-key cryptography are much higher than those of secret-key cryptography, so substituting public-key encryption algorithms for secret-key algorithms has a measurable performance cost. This paper uses closed, class-switching queuing models to quantify the performance differences between PKCROSS and PKTAPP, two proposals for public-key-enabling Kerberos. Our analysis shows that, while PKTAPP is more efficient for authenticating to a single server, PKCROSS outperforms the simpler protocol if there are two or more remote servers per remote realm. This heuristic can be used to guide a high-level protocol that combines both methods of authentication to improve performance.
