A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next Generation of the IETF.
Title : SPAKE Pre-Authentication
Authors : Nathaniel McCallum
Filename : draft-ietf-kitten-krb-spake-preauth-00.txt
Pages : 22
Date : 2017-06-06
This document defines a new pre-authentication mechanism for the
Kerberos protocol that uses a password authenticated key exchange.
This document has three goals. First, increase the security of
Kerberos pre-authentication exchanges by making offline brute-force
attacks infeasible. Second, enable the use of secure second factor
authentication without relying on FAST. This is achived using the
existing trust relationship established by the shared first factor.
Third, make Kerberos pre-authentication more resilient against time
synchronization errors by removing the need to transfer an encrypted
timestamp from the client.