Kerberos implemented at Instituto Superior Técnico, Universidade de Lisboa, Portugal
KerbIST is a simplified version of the Kerberos network authentication protocol, designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of the protocol is available from the Massachusetts Institute of Technology.
This implementation, KerbIST, is available from Instituto Superior Técnico. It is used in the Distributed Systems course of the Degree in Computer Science and Engineering.
KerbIST is implemented in the Java programming language using the JAX-WS library (Java API for XML Web Services).
Kerberos is used to authenticate clients and servers communicating over an untrusted network using secret-key cryptography.
To allow the authentication, each client C and each server S needs to share a secret key with the authentication server Saut. For each C, there is a secret key Kc that is known only by the client and by Saut. For each S, there is a secret key Ks that is known only by the server and by Saut.
After the correct protocol execution, a client and a server share a key, Kcs, known only by them and Saut. Using Kcs it is possible to derive other keys and use them for message-authentication codes and for message encryption.
The following figure presents the simplified KerbIST protocol.
The simplified version of Kerberos has only the Saut component. Unlike the full protocol, it has no TGS (Ticket Granting Service).
The use of timestamps for freshness implies that there must be clock synchronization between all the participants in the system.
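The key derivation from Kcs and the timestamp freshness check described above, sketched in Java as an added example (not KerbIST or kerby-lib code). The HKDF-Expand-style derivation, the labels, the message layout and the five-minute skew window are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

// Added illustration; class name, labels and skew window are assumptions, not kerby-lib API.
public class KcsDerivationExample {
    static final long MAX_SKEW_MS = 5 * 60 * 1000; // assumed acceptance window

    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // One-block HKDF-Expand-style step: a distinct label yields an independent sub-key.
    static byte[] derive(byte[] kcs, String label) throws Exception {
        return hmac(kcs, (label + "\u0001").getBytes(StandardCharsets.UTF_8));
    }

    // Client side: bind the request body to a timestamp and authenticate both.
    static byte[] tag(byte[] macKey, long timestampMs, byte[] body) throws Exception {
        ByteBuffer buf = ByteBuffer.allocate(Long.BYTES + body.length);
        buf.putLong(timestampMs).put(body);
        return hmac(macKey, buf.array());
    }

    // Server side: reject stale or future timestamps, then compare tags in constant time.
    static boolean accept(byte[] macKey, long timestampMs, byte[] body, byte[] received,
                          long nowMs) throws Exception {
        if (Math.abs(nowMs - timestampMs) > MAX_SKEW_MS) return false;
        return MessageDigest.isEqual(tag(macKey, timestampMs, body), received);
    }

    public static void main(String[] args) throws Exception {
        byte[] kcs = new byte[32];            // constructed stand-in for the session key Kcs
        new SecureRandom().nextBytes(kcs);
        byte[] macKey = derive(kcs, "kerbist-example/mac");
        byte[] encKey = derive(kcs, "kerbist-example/enc"); // would key the cipher; not a MAC key
        long now = System.currentTimeMillis();
        byte[] body = "constructed request".getBytes(StandardCharsets.UTF_8);
        byte[] t = tag(macKey, now, body);
        System.out.println("fresh:     " + accept(macKey, now, body, t, now + 1_000));
        System.out.println("stale:     " + accept(macKey, now, body, t, now + MAX_SKEW_MS + 1));
        System.out.println("wrong key: " + accept(encKey, now, body, t, now));
    }
}
```

A timestamp window alone still admits replays inside the window, so a server that needs replay protection must also remember the tags it has already accepted until they expire.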
KerbIST is composed of 4 modules:
- kerby-contract - interface description exported in WSDL format
- kerby-ws - authentication and ticket issuing web service
- kerby-ws-cli - authentication client
- kerby-lib - application library to issue and use tickets and other data structures
KerbIST requires Java Development Kit 8 running on Linux, Windows or Mac. Maven 3 is also required.
To confirm that you have it installed, open a terminal and type:
javac -version
mvn -version
The UDDI Naming library is required and needs to be manually downloaded and installed:
git clone https://github.com/tecnico-distsys/naming
cd naming
cd uddi-naming
mvn clean install -DskipTests
To compile and install all modules:
mvn clean install -DskipTests
The tests are skipped because they require the server to be running.
To generate a combined javadoc:
mvn javadoc:aggregate -pl :kerby,:kerby-lib,:kerby-ws-cli
The javadoc aggregates classes from the mentioned modules.
To start the server:
cd kerby-ws
mvn exec:java
To deploy a KerbIST server, the program should be started with a URL containing a public DNS name or IP address instead of the default 'localhost' used for development.
We use SemVer for versioning.
- Miguel L. Pardal - Initial work - miguelpardal
- Guilherme Ilunga - server implementation - GIlunga
- Miguel Amaral - handler library - miguel-amaral
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the LICENSE.md file for details.
- All the Distributed Systems students for their feedback
- Other members of the Distributed Systems teaching staff