
KTCGM: Towards A novel solution for enhancing Kerberos-5 with threshold cryptography and ML-based anomaly detection

Authors
  • Rami Almatarneh
  • Mohammad Aljaidi
  • Ayoub Alsarhan
  • Sami Aziz Alshammari
  • Nayef H. Alshammari

Abstract

Since its introduction at MIT in 1993, the Kerberos 5 protocol has been a fundamental pillar of network authentication, using symmetric-key cryptography and a centralized Key Distribution Center (KDC) to secure distributed computing environments. While it improved on its predecessors by offering stronger encryption and cross-domain functionality, it no longer fully meets the demands of modern systems due to its major drawbacks: the risk of a single point of failure in the KDC, vulnerability to password-based attacks, and a strict reliance on synchronized clocks for replay protection. To address these limitations, we recommend some significant modifications. Instead of a centralized KDC, we employ a network of nodes that share the master key using threshold cryptography, so that the system remains unaffected even when some of the nodes are compromised. To eliminate the need for synchronized clocks, we replace timestamp-based authentication with nonce-based authentication and a short-term cache for replay protection. To provide extra security against password attacks, we add machine learning-based anomaly detection, which continuously monitors authentication patterns in real time. In case of suspicious activity, the system triggers adaptive multi-factor authentication (MFA). This context-aware adaptive MFA switches security features according to location or device context, aiming to strike a balance between security and convenience. Additionally, we optimize nonce management with efficient caching techniques to minimize storage overhead and enhance scalability by distributing the authentication load across multiple nodes. While these extensions significantly enhance Kerberos 5's resistance and adaptability to today's distributed systems, they come with trade-offs. A distributed KDC introduces some overhead and will have a minor impact on performance, while nonce handling, anomaly detection, and MFA consume additional computational resources. Our analysis shows, however, that these costs are counteracted by higher availability, increased resistance to attack, and increased flexibility within the authentication process. Future developments will focus on optimizing and scaling it. In rectifying Kerberos 5's inherent weaknesses, this work makes it ready for modernization in the context of large networks, allowing it to become a more stable and forward-thinking method of authentication.

Suggested Citation

  • Rami Almatarneh & Mohammad Aljaidi & Ayoub Alsarhan & Sami Aziz Alshammari & Nayef H. Alshammari, 2025. "KTCGM: Towards A novel solution for enhancing Kerberos-5 with threshold cryptography and ML-based anomaly detection," International Journal of Innovative Research and Scientific Studies, Innovative Research Publishing, vol. 8(3), pages 3646-3662.
  • Handle: RePEc:aac:ijirss:v:8:y:2025:i:3:p:3646-3662:id:7328

    Download full text from publisher

    File URL: https://ijirss.com/index.php/ijirss/article/view/7328/1546
    Download Restriction: no