KDC and PAA components during the authentication and enforcement
phases.
During the EAP authentication (phase 1 in both cases), our proposal
shows faster processing times than the GSS-EAP Kerberos
pre-authentication proposal. In particular, the PAA (the EAP authenticator
in the PANA-based proposal) requires significantly less time
(3 times lower) than the KDC (the EAP authenticator in the GSS-EAP-based
proposal) to forward the EAP packets between the EU and the RAAA.
This is because the KDC is a stateless component, so any state
associated with the EAP authentication must be exported, sent to the EU,
received back from the EU and imported again on every round trip, as
explained in [34]. This adds overhead both in processing time and in the
amount of data transmitted over the network. Additionally, the EU is
also faster in our proposal than in the alternative. A large part of this
difference (11 ms) is likewise attributable to the stateless nature of the
Kerberos protocol: the EU tries to find the best available KDC on each
iteration, which includes parsing the list of available KDCs and
resolving their names.
In contrast, our proposal requires two additional phases (PANA
enforcement and Kerberos authentication) that the GSS-EAP-based proposal
does not need. Even though these phases are simple, they spend
considerable processing time (18 ms) executing the string-to-key
function [59], which derives a binary key from the textual password.
This string-to-key bottleneck was already identified in [60]. The
GSS-EAP-based proposal does not perform this call, since its binary key
is derived directly from the MSK. The cost would be mitigated if the
implementation of the KADM interface were optimized to accept binary
keys instead of textual ones. In that case the call to the string-to-key
function would be avoided, speeding up these phases and, consequently,
making the overall process faster.
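As an added illustration (not code from the paper), the following Python compares the PBKDF2 stage of the AES string-to-key function, assumed here to be the one of RFC 3962, against taking a binary key directly from key material such as the MSK, which for AES is the identity random-to-key mapping. The final DK step with AES is left out because it needs an AES library and is not the costly part; the salt format, the 4096 default iteration count and the test vector come from RFC 3962, while the realm, principal and MSK are constructed values.

```python
import hashlib
import os
import time

# Added example (not the paper's code): the PBKDF2 stage of the RFC 3962 AES
# string-to-key, which dominates its cost, versus taking a binary key straight
# from key material such as an EAP MSK. Realm, principal and MSK are constructed.

RFC3962_DEFAULT_ITERATIONS = 4096  # default when the KDC sends no s2kparams

def default_salt(realm: str, components: list) -> bytes:
    """Default Kerberos salt: realm followed by the name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")

def string_to_key_pbkdf2(password: str, salt: bytes,
                         iterations: int = RFC3962_DEFAULT_ITERATIONS,
                         key_len: int = 16) -> bytes:
    """PBKDF2-HMAC-SHA1 over the textual password (RFC 3962, section 4).
    The full function then applies DK(tmpkey, "kerberos") with AES; that step
    is cheap and needs an AES library, so it is left out here."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, key_len)

def key_from_msk(msk: bytes, key_len: int = 16) -> bytes:
    """Binary key taken directly from key material: random-to-key is the
    identity function for AES (RFC 3962), so no password stretching is done."""
    if len(msk) < key_len:
        raise ValueError("key material shorter than the requested key length")
    return msk[:key_len]

def time_call(fn, *args, repeat: int = 20) -> float:
    """Average wall-clock milliseconds per call of fn(*args)."""
    start = time.perf_counter()
    for _ in range(repeat):
        fn(*args)
    return (time.perf_counter() - start) * 1000.0 / repeat

def compare(password: str = "password", realm: str = "EXAMPLE.ORG",
            components=("alice",)) -> dict:
    """Time the password-derived key against the MSK-derived key."""
    salt = default_salt(realm, list(components))
    msk = os.urandom(64)  # constructed stand-in for a 64-byte EAP MSK
    return {"string_to_key_ms": time_call(string_to_key_pbkdf2, password, salt),
            "msk_ms": time_call(key_from_msk, msk)}

if __name__ == "__main__":
    r = compare()
    print(f"string-to-key (PBKDF2, {RFC3962_DEFAULT_ITERATIONS} iterations): "
          f"{r['string_to_key_ms']:.2f} ms")
    print(f"key taken from MSK: {r['msk_ms']:.4f} ms")
```

Run it to see the per-call difference on your own hardware; the password path is the one the paper's 18 ms figure refers to, and the MSK path is what the GSS-EAP-based proposal gets for free.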
In summary, although the PANA-based federated access requires
about 11 ms more to complete a federated access to the
application service, we consider this almost negligible for the EU.
Furthermore, it is worth noting that this extra time is only needed
on the first access to an application service, to bootstrap a security
association with the service provider's KDC. Thanks to the Kerberos
SSO capabilities, subsequent accesses to application services rely
on the lightweight Kerberos operation. We conclude that the proposal
described in this paper imposes a minimal overhead that is worth
accepting given the benefits the solution brings in terms of
simplicity and ease of deployment.