Kerberos Plus RSA for World Wide Web Security
Don Davis
Independent Consultant
Abstract
We show how to use Kerberos to enable its clients to interact securely
with non-Kerberized World Wide Web servers. That is, our protocol does
not require that the Web server be a member of a Kerberos realm, and
also does not rely on time-synchronization between the
participants. In our protocol, the Kerberos client uses the Web
server's public-key certificate to gain cryptographic credentials that
conform to public-key authentication standards, and to SHTTP. The
client does not perform any public-key encryptions. Further, the
client is well-protected from a man-in-the-middle attack that weakens
SSL. Our protocol conforms to the current specifications for the
Kerberos protocol and for the Secure Hypertext Transfer Protocol.