Security '01 Abstract
Kerberized Credential Translation: A Solution to Web Access Control
Olga Kornievskaia, Peter Honeyman, Bill Doster, Kevin Coffman; Center for Information Technology Integration, University of Michigan, Ann Arbor
Kerberos, a widely used network authentication mechanism, is integrated into
numerous applications: UNIX and Windows 2000 login, AFS,
Telnet, and SSH, to name a few. Yet Web applications rely on
SSL to establish authenticated and secure connections. SSL
provides strong authentication by using certificates and public key
challenge-response authentication. The expansion of the Internet requires each system to
leverage the strength of the other, which suggests the importance of
interoperability between them.
This paper describes the design, implementation, and performance of a system
that provides controlled access to Kerberized services through a browser.
This system provides a single sign-on that produces both Kerberos and public
key credentials. The Web server uses a plugin that translates public key
credentials to Kerberos credentials. The Web server's subsequent authenticated
actions taken on a user's behalf are limited in time and scope. Performance
measurements show how the overhead introduced by credential translation is
amortized over the login session.
The Proceedings are published as a collective work, © 2001 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.