Kerberos is a popular and widely deployed authentication protocol. It involves an entity known as a key distribution center (KDC), which manages client authentication and credential issuance. A client generally authenticates to the KDC in order to obtain credentials for access to networked computing resources. As a central, trusted entity, the KDC conveniently provides a single sign-on service to clients.
In its most common use, Kerberos permits client authentication by means of a user-supplied password. The KDC stores digests of these passwords for verification. Consequently, an adversary that breaches the KDC can compromise, or at least substantially weaken, the credentials of all users. More particularly, a breach of the KDC reveals user passwords, albeit in hashed form.
Password-based Kerberos protocol variants generally do not adequately support distributed password verification. For example, such a variant may require the KDC to verify a ciphertext encrypted under a password-derived key, which means the KDC itself needs explicit access to the password or to the derived key.
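The dependency described above, as an added illustration that is not part of the original text: a toy KDC that enrolls a principal by storing only a password-derived key, and a client that proves knowledge of the password by keying a timestamp. The real Kerberos pre-authentication exchange encrypts the timestamp under the derived key; to run with only the Python standard library, this model replaces the ciphertext with an HMAC tag over the timestamp, uses PBKDF2 as a stand-in for the Kerberos string-to-key function, and models the default salt (realm followed by principal name) as plain concatenation. The iteration count, realm, principal names, passwords and timestamps are constructed values.

```python
import hashlib
import hmac
from typing import Dict

ITERATIONS = 100_000          # PBKDF2 work factor (assumed value for the model)
MAX_CLOCK_SKEW_SECONDS = 300  # conventional five-minute Kerberos clock-skew window


def salt_for(realm: str, principal: str) -> bytes:
    # Kerberos derives the default string-to-key salt from the realm and the
    # principal name; modelled here as a plain concatenation.
    return (realm + principal).encode()


def derive_key(password: str, salt: bytes) -> bytes:
    """Stand-in for the Kerberos string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def client_authenticator(realm: str, principal: str, password: str, now: int) -> bytes:
    """Client side: key the current timestamp with the password-derived key.

    The real protocol encrypts the timestamp; an HMAC tag stands in for the
    ciphertext so the example stays self-contained.
    """
    key = derive_key(password, salt_for(realm, principal))
    return hmac.new(key, str(now).encode(), hashlib.sha256).digest()


class Kdc:
    """Toy KDC holding one password-derived key per principal."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.keys: Dict[str, bytes] = {}  # everything needed to verify lives here

    def enroll(self, principal: str, password: str) -> None:
        # Only the derived key is retained, never the cleartext password.
        self.keys[principal] = derive_key(password, salt_for(self.realm, principal))

    def verify(self, principal: str, timestamp: int, tag: bytes, kdc_now: int) -> bool:
        # Recomputing the tag is possible only because the KDC holds the
        # derived key: that is the centralised dependency the text points at.
        stored_key = self.keys.get(principal)
        if stored_key is None:
            return False
        if abs(kdc_now - timestamp) > MAX_CLOCK_SKEW_SECONDS:
            return False  # replayed or badly skewed authenticator
        expected = hmac.new(stored_key, str(timestamp).encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def demo() -> Dict[str, bool]:
    """Run the four cases a verifier must get right; values are constructed."""
    realm, principal, password = "EXAMPLE.COM", "alice", "correct horse battery staple"
    kdc = Kdc(realm)
    kdc.enroll(principal, password)
    now = 1_700_000_000
    good = client_authenticator(realm, principal, password, now)
    bad = client_authenticator(realm, principal, "wrong password", now)
    return {
        "correct_password": kdc.verify(principal, now, good, now + 5),
        "wrong_password": kdc.verify(principal, now, bad, now + 5),
        "stale_timestamp": kdc.verify(principal, now, good, now + 3600),
        "unknown_principal": kdc.verify("bob", now, good, now + 5),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Note that `Kdc.keys` contains every value the verification step needs, so the single store that makes single sign-on convenient is also the single store whose exposure weakens every user's credential, which is the risk the text identifies and the motivation for distributing the verification.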
Accordingly, a need exists for techniques to support distributed password-based authentication in Kerberos and other protocols.