An authentication server may run according to the Kerberos authentication protocol, which is designed to provide reliable authentication over open and insecure networks in which the communication between a client device and the authentication server may be intercepted by an attacker. A user, through a client device, may request certain services from an application server. Prior to granting the request, the client device may need to make an authentication request to an authentication server operating according to the Kerberos authentication protocol. The authentication request may start a mutual authentication between the client device and the authentication server. According to the Kerberos authentication protocol, in response to the authentication request, the authentication server may transmit a pre-authentication request to the client device to initiate a pre-authentication process. In response to receiving the pre-authentication request from the authentication server, the client device may resubmit the authentication request along with a timestamp encrypted with a user long-term key. The timestamp reflects a time according to a clock of the client device. In response to receiving the resubmitted authentication request including the encrypted timestamp, the authentication server may decrypt the timestamp, compare it with the current time of the authentication server, and determine whether the timestamp is in line with the clock of the authentication server. If the timestamp is in line with the clock of the authentication server, the authentication server may initiate the authentication process.
The pre-authentication using a timestamp, however, requires clock synchronization between the client device and the authentication server. Consequently, a legitimate authentication request may fail if the clocks are not synchronized properly.
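The exchange described above and the clock-skew failure it leads to, as an added simulation that is not part of the original text: the client first sends a request without pre-authentication data, the server answers that pre-authentication is required, the client resends with a timestamp encrypted under a key derived from the user's password, and the server decrypts and checks the timestamp against its own clock. The error names follow the Kerberos error codes of RFC 4120; the key derivation, the XOR-plus-HMAC sealing and the 300-second skew tolerance are stand-ins chosen for this example, not the encryption types or limits the text specifies.

```python
import hashlib, hmac, os, struct

MAX_SKEW = 300  # seconds of tolerated clock difference; assumed value for this example

def long_term_key(password: str, salt: str) -> bytes:
    # Stand-in for the user long-term key derived from the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: HMAC keystream XOR plaintext, then a MAC
    nonce = os.urandom(16)
    ks = hmac.new(key, b"keystream" + nonce, "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")  # wrong key or tampered data
    ks = hmac.new(key, b"keystream" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, ks))

class AuthServer:
    def __init__(self, keys: dict, clock):
        self.keys = keys      # principal name -> long-term key
        self.clock = clock    # callable returning the server's time (seconds)

    def handle_as_req(self, req: dict) -> dict:
        if "pa_enc_timestamp" not in req:
            return {"error": "KDC_ERR_PREAUTH_REQUIRED"}  # ask client to pre-authenticate
        try:
            (ts,) = struct.unpack("!q", unseal(self.keys[req["cname"]], req["pa_enc_timestamp"]))
        except ValueError:
            return {"error": "KDC_ERR_PREAUTH_FAILED"}     # could not decrypt the timestamp
        if abs(ts - self.clock()) > MAX_SKEW:
            return {"error": "KRB_AP_ERR_SKEW"}            # client clock out of line with server
        return {"ok": True}                                # proceed with authentication

def client_login(server: AuthServer, cname: str, password: str, clock) -> dict:
    rep = server.handle_as_req({"cname": cname})
    if rep.get("error") != "KDC_ERR_PREAUTH_REQUIRED":
        return rep
    key = long_term_key(password, "EXAMPLE.REALM" + cname)
    enc_ts = seal(key, struct.pack("!q", clock()))       # timestamp from the client's clock
    return server.handle_as_req({"cname": cname, "pa_enc_timestamp": enc_ts})
```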