A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Common Authentication Technology Next Generation WG of the IETF.
Title : SPAKE Pre-Authentication
Authors : Nathaniel McCallum
Filename : draft-ietf-kitten-krb-spake-preauth-03.txt
Pages : 31
Date : 2017-11-30
This document defines a new pre-authentication mechanism for the
Kerberos protocol that uses a password authenticated key exchange.
This document has three goals. First, increase the security of
Kerberos pre-authentication exchanges by making offline brute-force
attacks infeasible. Second, enable the use of second factor
authentication without relying on FAST. This is achieved using the
existing trust relationship established by the shared first factor.
Third, make Kerberos pre-authentication more resilient against time
synchronization errors by removing the need to transfer an encrypted
timestamp from the client.
I've asked Ekr to approve the request (it's recommended that I get
AD approval before talking to IANA, since they're just going to come
back and ask for it), so hopefully the process will get into motion