Next: Cryptographic Engine
Up: Key management
Previous: The Basic Key Management
Kerberos is a distributed authentication service developed in the late
80s at M.I.T. [17]. Kerberos acts as a trusted third-party
authority that provides authentication to all the actors in a
distributed environment. Kerberos makes it possible for a client and a server
to authenticate each other and to establish a private communication channel.
The Kerberized Key Management (KKM) Scheme provides a strong alternative to
the BKM Scheme.
We introduce a new component: the TCFS key server (TCFSKS),
which maintains a database of master keys.
Clients (i.e., Kerberized TCFS utilities such as tcfsputkey,
or TCFS-aware applications) authenticate themselves to Kerberos,
obtain a session key and a ticket, and then send their requests
(for example: get the user key or store a new key) to the TCFSKS over the network.
Administrative operations, such as adding/removing users and groups,
can be performed in the same way.
Since no changes have been made to the interface of the front-end utilities,
a user does not notice any difference between the Kerberized and the Basic Key Management
procedures.
The only substantial difference is that now all Key Management operations
are performed over the network and thus several TCFS clients
can share the same TCFS key database (in the BKMS the key db is local to the
client).
Communication between the client and the TCFSKS follows these steps:
- At the end of the Kerberos authentication, the client obtains
the session key.
- The client sends its request and its ticket to the TCFSKS.
- The server decrypts the message and sends back the response and the
ticket.
- The client gets the response and discards the ticket.
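The four-step exchange above, as an added simulation of the KDC, the TCFSKS and a client (example code, not TCFS or Kerberos code). The seal/unseal construction, the JSON ticket layout and the MASTER_KEYS table are constructed assumptions so that the example runs offline with the standard library only; the point it adds is that the server binds the key lookup to the principal named in the ticket and rejects a ticket altered in transit.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    # Constructed keystream: HMAC-SHA256 in counter mode (toy, stdlib-only; not a real cipher)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, data):
    # Encrypt-then-MAC under a fresh nonce: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # Verify the tag before decrypting; a forged or altered blob is rejected
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed: ticket or message was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

TCFSKS_KEY = os.urandom(32)          # long-term key shared by the KDC and the TCFSKS (constructed)
MASTER_KEYS = {"alice": "a1" * 16}   # constructed stand-in for the TCFSKS master-key database

def kdc_issue(principal):
    # Step 1: Kerberos hands the client a session key and a ticket (client name + same
    # session key) sealed under the TCFSKS long-term key, so only the TCFSKS can open it
    session = os.urandom(32)
    ticket = seal(TCFSKS_KEY, json.dumps({"cname": principal, "skey": session.hex()}).encode())
    return session, ticket

def tcfsks_handle(ticket, enc_request):
    # Step 3: open the ticket, recover the session key, decrypt the request and reply under
    # the session key; the key lookup is bound to the ticket's principal, not the request body
    tkt = json.loads(unseal(TCFSKS_KEY, ticket))
    session = bytes.fromhex(tkt["skey"])
    req = json.loads(unseal(session, enc_request))
    resp = {"error": "unknown op"}
    if req.get("op") == "getkey":
        resp = {"key": MASTER_KEYS.get(tkt["cname"])}
    elif req.get("op") == "putkey":
        MASTER_KEYS[tkt["cname"]] = req["key"]
        resp = {"ok": True}
    return seal(session, json.dumps(resp).encode()), ticket

def client_request(principal, request):
    # Steps 1, 2 and 4: authenticate, send ticket + sealed request, read the reply, drop the ticket
    session, ticket = kdc_issue(principal)
    enc_resp, _ticket_back = tcfsks_handle(ticket, seal(session, json.dumps(request).encode()))
    return json.loads(unseal(session, enc_resp))
```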
The TCFS Team
2001-04-27