网络安全 用户认证.pptVIP

* * * * The full Kerberos v4 authentication dialogue is shown in Stallings Table 14.1, divided into the 3 phases shown above. The justification for each item in the messages is given in Stallings Table 14.2. * * * * * * Stallings Figure 14.1 diagrammatically summarizes the Kerberos v4 authentication dialogue, with 3 pairs of messages, for each phase listed previously. * * * A full-service Kerberos environment consisting of a Kerberos server, a number of clients, and a number of application servers is referred to as a Kerberos realm. A Kerberos realm is a set of managed nodes that share the same Kerberos database, and are part of the same administrative domain. If have multiple realms, their Kerberos servers must share keys and trust each other. * Stallings Figure 14.2 shows the authentication messages where service is being requested from another domain. The ticket presented to the remote server indicates the realm in which the user was originally authenticated. The server chooses whether to honor the remote request. One problem presented by the foregoing approach is that it does not scale well to many realms, as each pair of realms need to share a key. * Have a range of approaches based on the use of public-key encryption, which generally assume that each of the two parties is in possession of the current public key of the other. The central system is known as an Authentication Server (AS). Have various protocols using timestamps or nonces, and again flaws were found in a number of the original proposals. See text for details. * A protocol using timestamps is provided in [DENN81] is shown above. The central authentication server (AS) only provides public-key certificates. The session key is chosen and encrypted by A; hence, there is no risk of exposure by the AS. The timestamps protect against replays of compromised keys. This protocol is compact but, as before, requires synchronization of clocks. * Have already presented public-key encryption approaches that are