Kerberos is a widely used protocol for authenticating users over insecure networks. However, its traditional design faces challenges in resource-constrained Internet-of-Things (IoT) environments, including computational inefficiencies, lack of clock synchronization, and limited scalability. In addition to these limitations, Kerberos remains vulnerable to several modern attacks such as password-guessing, Kerberoasting, Golden Ticket, and Silver Ticket attacks. KESIC, proposed by Prapty et al., adapts Kerberos for IoT by introducing optimizations. However, it relies on symmetric cryptography for authentication and key exchange, increasing computational complexity and resource consumption. Additionally, it remains susceptible to password-based attacks and inefficiencies in large-scale deployments, necessitating a more secure and lightweight approach. This research paper proposes two novel protocols to address these issues: (1) Kerberos with FIDO (Fast Identity Online) Integration (KFI), which integrates FIDO’s passwordless authentication to eliminate password-derived vulnerabilities; and (2) Kerberos with FIDO and Lightweight Extension for IoT (KFLIT), which extends KFI by incorporating lightweight HMAC and XOR operations to reduce computational overhead, counter-based synchronization to eliminate dependency on real-time clocks, and an attestation mechanism to verify IoT device integrity before granting access. A comprehensive security analysis, formal verification, and comparative evaluation validate the effectiveness of KFI and KFLIT, demonstrating their potential to enhance authentication security, efficiency, and scalability in IoT environments.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

KFLIT: Kerberos with FIDO and Lightweight Extension for Internet of Things

  • Harshit Tyagi,
  • Divyashikha Sethia

摘要

Kerberos is a widely used protocol for authenticating users over insecure networks. However, its traditional design faces challenges in resource-constrained Internet-of-Things (IoT) environments, including computational inefficiencies, lack of clock synchronization, and limited scalability. In addition to these limitations, Kerberos remains vulnerable to several modern attacks such as password-guessing, Kerberoasting, Golden Ticket, and Silver Ticket attacks. KESIC, proposed by Prapty et al., adapts Kerberos for IoT by introducing optimizations. However, it relies on symmetric cryptography for authentication and key exchange, increasing computational complexity and resource consumption. Additionally, it remains susceptible to password-based attacks and inefficiencies in large-scale deployments, necessitating a more secure and lightweight approach. This research paper proposes two novel protocols to address these issues: (1) Kerberos with FIDO (Fast Identity Online) Integration (KFI), which integrates FIDO’s passwordless authentication to eliminate password-derived vulnerabilities; and (2) Kerberos with FIDO and Lightweight Extension for IoT (KFLIT), which extends KFI by incorporating lightweight HMAC and XOR operations to reduce computational overhead, counter-based synchronization to eliminate dependency on real-time clocks, and an attestation mechanism to verify IoT device integrity before granting access. A comprehensive security analysis, formal verification, and comparative evaluation validate the effectiveness of KFI and KFLIT, demonstrating their potential to enhance authentication security, efficiency, and scalability in IoT environments.