- Published 2017-06-02 in Tianjin
Introduction to the Kerberos Protocol - Institute of High Energy Physics, Academy of Sciences.ppt
Introduction of Kerberos

What is Kerberos?
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.

Why is Kerberos needed?
The Internet is an insecure place.
Many Internet protocols provide no security.
Malicious hackers sniff passwords.
Applications sending unencrypted passwords are extremely vulnerable.
Client/server applications rely on the client program to be honest.
Client/server applications rely on the client to restrict its activities to those which it is allowed to do.

Firewalls as the answer to security problems?
Firewalls rest on a very bad assumption, that the bad guys are on the outside. Most of the really damaging incidents of computer crime are carried out by insiders.
A significant disadvantage: firewalls restrict how your users can use the Internet. In many places, these restrictions are simply unrealistic and unacceptable.

Who created Kerberos?
1988, MIT, as a solution to these network security problems.
The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After this, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

The Whole Authentication
Simplified Principle

Two Concepts
Long-term Key/Master Key: Usage principle: data encrypted with a Long-term Key should not be transmitted over the network. However, the password is also the credential that proves identity, so the user's real identity has to be proven with information derived from the password. In this case the password is usually hashed to obtain a hash code, which is called the Master Key. Because the hash algorithm is irreversible, and the password and the Master Key are guaranteed to correspond one to one, this both keeps the password confidential and gives the Master Key the same force as the password itself when proving your identity.
Short-term Key/Session Key: Where ? Key? Short-term Key, Session Key (SServer-Client)

Kerberos Distribution Center (KDC)
Account Database of all accounts ~ Master Key
KDC ? SServer-Client ↑ ~

Authenticator
A key known to both parties is enough to authenticate the other party effectively, but in a network environment this simple approach has a security hole. The Client therefore needs to provide additional proof, and we call this proof the Authenticator.
Authenticator = ClientInfo + Timestamp
Session Ticket = (ClientInfo + Session Key) encrypted with the Server's Master Key

Some Advantages
Why Timestamp? Mutual Auth
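
The simplified exchange above, sketched in Python as an added example that is not part of the original slides. It shows the Session Ticket opened only by the Server's Master Key, and the Timestamp in the Authenticator letting the server reject a captured and resent message. All function names, the 300-second window and the toy cipher (an HMAC-SHA256 keystream with a tag, standing in for a real Kerberos encryption type) are assumptions, and the Authenticator is encrypted with the Session Key as in standard Kerberos.

```python
import hashlib, hmac, json, os

def master_key(password):
    # Slide simplification: Master Key = hash of the password.
    return hashlib.sha256(password.encode()).digest()

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy keystream cipher (assumption), standing in for a real Kerberos encryption type.
    ks = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _mac(key, b"tag", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, b"tag", nonce + ct)):
        raise ValueError("wrong key or tampered data")
    return json.loads(_xor(key, nonce, ct))

def kdc_issue(client, client_master, server_master):
    # The KDC holds every Master Key; it creates the Session Key and wraps it twice.
    skey = os.urandom(32).hex()
    for_client = seal(client_master, {"skey": skey})
    ticket = seal(server_master, {"client": client, "skey": skey})  # Session Ticket
    return for_client, ticket

def make_authenticator(client_master, for_client, client, now):
    skey = bytes.fromhex(unseal(client_master, for_client)["skey"])
    return seal(skey, {"client": client, "ts": now})  # ClientInfo + Timestamp

class Server:
    def __init__(self, master, max_skew=300):  # 300 s window is an assumed value
        self.master, self.max_skew, self.seen = master, max_skew, set()

    def accept(self, ticket, authenticator, now):
        t = unseal(self.master, ticket)  # only the Server's Master Key opens the ticket
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"]:
            return "client mismatch"
        if abs(now - a["ts"]) > self.max_skew:
            return "stale timestamp"
        if (a["client"], a["ts"]) in self.seen:
            return "replay"
        self.seen.add((a["client"], a["ts"]))
        return "ok"
```

Neither Master Key crosses the network in this flow; the client only forwards a ticket it cannot read.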