The Performance of Public Key-Based Authentication Protocols

  • Kaiqi Xiong
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7645)


Kerberos has evolved over the past 20 years. Kerberos and its variants have been extensively used in a variety of computing systems since 1999. Among them, several techniques and protocols have been proposed to integrate public key cryptography into Kerberos. Public-Key Cross Realm Authentication in Kerberos (PKCROSS) is one of these protocols. It was proposed to simplify the administrative burden of maintaining cross-realm keys and thereby improve the scalability of Kerberos in large multi-realm networks. Public Key Utilizing Tickets for Application Servers (PKTAPP) is another protocol, suggested to address the scalability issue of PKCROSS. Performance evaluation is a fundamental consideration in the design of security protocols. However, the performance of these two protocols in a large-scale network has been poorly understood. In this paper, we present an efficient way to study the performance of PKCROSS and PKTAPP. Our thorough performance analysis of these two protocols shows that PKTAPP does not scale better than PKCROSS. We also report our recent results on when PKCROSS still outperforms PKTAPP in multiple remote realms.


Keywords: Public-key infrastructure (PKI); Kerberos; Authentication; Performance; Transaction time





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kaiqi Xiong, College of Computing and Information Sciences, Rochester Institute of Technology, Rochester, USA
