Performance evaluation of kerberos cross-realm authentication using SIMNET

Abstract

Today, the network is being implemented in such a manner that consist of geographi- cally diverse clients and distributed as well as centralized servers. To prevent unauthorized access to system resources such as servers, authentication is required. Kerberos is a trusted third party network authentication protocol which securely authenticates the users over insecure communication channel. Due to change in requirements and better utilization of resources, the client and server may reside across organizational boundary. To access such resources, a user has to authenticate itself. Cross-realm authentication is such a technique which facilitates authentication across the realms. In Cross-realm authentication, initially a user has to authenticate to it local Authentication Server (AS) and get the credentials. Acquired credentials are used to authenticate the user to the application server which resides over destination realm. Crescenzo and Kornievskaia designed an e cient protocol for cross-realm authentica- tion that decreases communication over the internet. They considered an extension to the original Kerberos protocol that enables cross-realm operations, identi ed its ine ciencies and proposed an alternative protocol called Fake Ticket Protocol (FTP). In FTP, local AS generates a ticket for the user to access the application server in destination realm and instead of sending it to destination AS, it is forwarded to the application server directly by user. Because application server cannot determine the legitimacy of ticket, it was named as Fake Ticket and so the protocol as Fake Ticket Protocol. Simnet is a network simulator which provides the functionality to simulate network security protocols. Using Simnet, we implemented Kerberos and FTP with their full capabilities. The aim of this thesis is to do the performance evaluation of the kerberos protocol vi and Fake Ticket Protocol for the Cross-Realm approach using Simnet. The simulation results show that in the scenario where a client repeatedly authen ticates to a stateless server using the same ticket, the original Kerberos cross-realm protocol performs better than FTP. In the case that the client authenticates to the server only once, FTP does better.