PK_INIT Home Page

Plans for improvements to Kerberos include the addition of support for public key cryptography, in two main areas: the initial authentication, and cross-realm authentication. Public key cryptography makes it easier to scale key distribution and management. At this time, a preliminary version of changes to Version 5 of Kerberos to support the use of public keys in the initial authentication has been released.

PK_INIT is a package of modifications and extensions to Kerberos that allow users to authenticate themselves using a public key pair, rather than a DES key. As specified in the internet draft

draft-ietf-cat-kerberos-pk-init-03.txt

the response from the KDC is as before, except that, rather than being encrypted under a secret DES key shared between client and KDC, it is encrypted under a random key. This random key is distributed between KDC and client in one of two ways:

The credentials obtained with PK_INIT are indistinguishable from ordinary Kerberos credentials and can therefore be used identically.
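The following toy model, added here as an illustration and not taken from the PK_INIT package or the draft, shows the two points made above: the KDC reply is encrypted under a fresh random reply key rather than a long-term DES key, and what the client recovers from that reply (a session key plus an opaque ticket) is the same material an ordinary exchange delivers. The reply key is agreed by Diffie-Hellman, which is one way of distributing it in PKINIT; the page itself does not list the two methods. The DH group, the HMAC-based stream cipher, the message layout and all key and ticket values are constructed stand-ins, and the client certificate and signature that the real request carries are omitted.

```python
"""Toy model of the PK_INIT reply-key step (added example; not the PK_INIT
package's code).  The KDC reply is encrypted under a fresh random reply key
that client and KDC agree by Diffie-Hellman, so no DES key derived from the
user's password is involved.  The DH group, the stream cipher and the
message layout are constructed stand-ins for the real protocol elements."""
import hashlib
import hmac
import os
import secrets

# Constructed toy DH group: the Mersenne prime 2**127 - 1 with generator 3.
# Real deployments use standardised groups many times larger.
P = (1 << 127) - 1
G = 3
SESSION_KEY_LEN = 16


def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_reply_key(shared_secret):
    """Hash the DH shared secret into a 256-bit reply key (toy KDF)."""
    return hashlib.sha256(b"toy-pkinit-reply-key" + shared_secret.to_bytes(16, "big")).digest()


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key, blob):
    """Verify the tag before decrypting; reject any modified reply."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("reply failed integrity check")
    return _keystream_xor(key, nonce, ciphertext)


def client_build_as_req(principal):
    """Client side: generate a DH value for the pre-authentication data.
    (The real request also carries the client certificate and a signature
    over the pre-authentication data; omitted in this toy.)"""
    priv, pub = dh_keypair()
    return {"cname": principal, "client_dh_pub": pub}, priv


def kdc_build_as_rep(request, session_key, ticket):
    """KDC side: agree the reply key and encrypt the usual reply contents."""
    kdc_priv, kdc_pub = dh_keypair()
    reply_key = derive_reply_key(pow(request["client_dh_pub"], kdc_priv, P))
    enc_part = encrypt(reply_key, session_key + ticket)
    return {"kdc_dh_pub": kdc_pub, "enc_part": enc_part}


def client_process_as_rep(reply, client_priv):
    """Client side: derive the same reply key and recover session key + ticket."""
    reply_key = derive_reply_key(pow(reply["kdc_dh_pub"], client_priv, P))
    plaintext = decrypt(reply_key, reply["enc_part"])
    return plaintext[:SESSION_KEY_LEN], plaintext[SESSION_KEY_LEN:]


def run_exchange(principal=b"alice@EXAMPLE.ORG"):
    """Run one request/reply; True when the client recovers the KDC's values."""
    request, client_priv = client_build_as_req(principal)
    session_key = secrets.token_bytes(SESSION_KEY_LEN)   # constructed KDC-side values
    ticket = b"opaque-ticket-for-" + principal            # ticket is opaque to the client
    reply = kdc_build_as_rep(request, session_key, ticket)
    got_key, got_ticket = client_process_as_rep(reply, client_priv)
    return got_key == session_key and got_ticket == ticket


def tampered_reply_rejected(principal=b"alice@EXAMPLE.ORG"):
    """A reply modified in transit must be rejected, not decrypted."""
    request, client_priv = client_build_as_req(principal)
    reply = kdc_build_as_rep(request, secrets.token_bytes(SESSION_KEY_LEN), b"ticket")
    blob = bytearray(reply["enc_part"])
    blob[20] ^= 0x01                                      # flip one ciphertext bit
    reply["enc_part"] = bytes(blob)
    try:
        client_process_as_rep(reply, client_priv)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("exchange ok:", run_exchange())
    print("tampered reply rejected:", tampered_reply_rejected())
```

The point to take from the model is that nothing in the reply's encryption depends on a secret the client holds long-term: the reply key exists only for this exchange, and the session key and ticket that come out of it are handled by the client exactly as in the DES case.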
