基于公钥的Kerberos身份认证系统的设计与实现

南昌航空大学硕士学位论文基于公钥的Kerberos身份认证系统的设计与实现姓名：吴喜兰申请学位级别：硕士专业：计算机应用技术指导教师：舒远仲20080601IKerberosKerberosDESKDCKerberosKerberosKerberosKerberosPKIKerberosPKIKerberosKerberosKerberosPKIKerberosKerberosKerberosKerberosKerberosPKIIIABSTRACTKerberosisthemostpopularprotocolthatusedforidentityauthenticationindistributednetworkenvironment.Kerberosisanauthenticationprotocolbasedontrustedthird-partyandsymmetrykeycryptography.Itprovidesthemethodforthetwopartiesofthenetworkcommucationstoauthenticateeachidentity,andensurethenetworksecurityinacertainextent.ThelimitationsofKerberosincludepasswordguessingattacks,replayingattacks,thesynchronizationofclockandmemoryofsecretkey.NowmanyresearchershavegivensomeextentschemewhichintegratestheKerberosandPKI.ThoseschemespartlyenhancetheKerberossystem’ssecurity,butmanagethecertificatesandCRLwithoutusingthePKI.Sotheproblemofbottlenecksstillexists.ThepaperanalysestheKerberosprotocol,PKItechnologyandsomeauthenticationmethodintegratingpublickeycryprographyinKerberos,andpicksoutsomelimitationsofKerberosprotocol.Justasthoselimitations,animprovedKerberosprotocolwithpublickey,whichisoverthePKItechnology,accesscontrolandKerberosprotocol,isintroducedandtheideaaboutAuthenticationServiceExchange,TicketGrantingExchangeandClient/ServerExchangeisgiveninthispaper.Withoutchangingitsformerframe,thenewprotocolenhanceditssecurityperformance.ComparedwiththeKerberosV5theimprovedprotocolwithdoublefactorsauthenticationtechnologyhassomeimprovementinmanyaspects,includingmemoryofsecretkey,thesynchronizationofclock,passwordguessingattacksandthenon-repudiationticket.AnewmodelofauthenticationsystemisdesignedbasedontheimprovedKerberosprotocol.Ithashighersecurityandpracticability,whichiseasiertoextend,andconsistsofclientserverandcertificatemanagementcenter.Thepaperanalysesthewholeschemeoftheauthenticationmodel,theprocessofauthenticationsystem,meanwhiledesignedandrealizedthemodelstructureofauthenticationmodelandtheintegrateapplicationinsystem.KeywordsKerberos,PKI,IdentityAuthentication1111.1[1]1.2(1)[2]12(2)USBKeya.CPUCPUb.USBKeyUSBKeyUSBKeyUSBKey(3)One-TimePassword[3](4)[4]13Kerberos1./(challenge/response)(AS)()2.Kerberos[5]Kerberos[6]KerberosTCP/IP[7]IP3.(PublicKeyInfrastructure)[8]-CA1.3KerberosKerberosKerberosUnix[9]4554InternetRFC1510[10]KerberosMicrosoftERP()Cisco(TACACS/XTACACS)(RADIUS)14KerberosSUNMicrosystemsSolarisIBMAIXHPHP-UXMicrosoftWindows2000LinuxRedhatKerberosKtelnetedKrlogindKrshdtelnetrlogindrshdJavaJava(JAAS)KerberosKerberosKerberos[11][12]KerberosKerberosKerberosKerberosIETFPKINIT[13]TGTKerberosPKINITKerberosPAKerberosPKCROSS[14]PKINITKerberosPKCROSSKerberosPKDA[15]KerberosKDCKDCKDC“”(PKDA)PKDAKerberosKerberos[16]Kerberos[17]SmartCardsKerberos[18]X.509DNSKerberosPKINITKerberosKerberos151.4PKIKerberosKerberosKerberosKerberos1.Kerberos2.PKI[19][20]KerberosKerberos3.1.512KerberosPKIKerberosPKI3KerberosKerberosKerberos4562KerberosPKI62KerberosPKI2.1KerberosKerberos[21](MIT)Athena[22]3KerberosKerberosKerberosKerberosKerberosKerberos2.2KerberosKerberos[23]KDCKeyDistributionCenterKDC(AS)(TGS)Kerberos(AS)(TGT)(TGS)(TS)(V)2KerberosPKI72.2.1KerberosKerberos[24]IDcIPcIPTSRealmcCKerberosOptionsTimesNounceSeq#Kerberos2-1AS_REQAS_REPTGS_REQTGS_REPAP_REPAP_REQ2-1Kerberos(1)(AS)(TGT)C→ASAS_REQ=IDcIDtgsTimesNounce1RealmcOptionsAS→CAS_REP=RealmcIDcTickettgsEKc(Kc,tgsTimesNounce1RealmtgsIDtgs)Tickettgs=EKtgs(RealmcIDcIDtgsIPcTimesKc,tgsFlags)(AS)TGTASTGS1KerberosAS2KerberosPKI8KcASKc,tgsTGSASTGS(TGT)TGSIPKc,tgsTGSKtgsTGSASTGTKc(2)(TGS)(TS)C→TGSTGS_REQ=IDvTimesNounce2TickettgsAuthenticator1OptionsAuthenticator1=EKc,tgs(IDcRealmcTS1)TGS→CTGS_REP=RealmcIDcTicketvEKc,tgs(Kc,vTimesNounce2RealmvIDv)Ticketv=EKv(IDcIDvIPcTimesKc,vRealmcFlags)ASKcKc,tgs(TGS)V(TS)V2TGT11Kc,tgsCKerberosTGSKtgsTGT“Kc,tgsC”TGSTGTKc,tgs11TGTTGTCTGTTGSKc,vTGSVTSTSIPKc,vVKvVTGSTSKc,tgs(3)C→VAP_REQ=OptionsTicketvAuthenticator2Authenticator2=EKc,v(IDcRealmcTS2SubkeySeq#)V→CAP_REP=EKc,v(IDc)RealmcTS2SubkeySeq#TGSTGS_REPKc,tgsKc,vVAP_REQVTSKc,v2VTGS_REPTSKc,v222KerberosPKI9TSCKc,v2.2.2Kerberos[25]KerberosKerberosinter-realm-keyKerberosKerberosKerberosKerberosKerberosKerberosKerberosTGSTGSTGSTGSTGS[26]Vrem2-22KerberosPKI10A1.TGS3.TGS2.TGS4.TGSB5.6.ASTGSTGSAS7.2-2Kerberos(1)C→AS{IDc,IDtgs,TS1}(2)AS→C{EKc(Kc,tgs,IDtgs,TS2,Times,Tickettgs)}(3)C→TGS{IDtgsrem,Tickettgs,Authenticatorc}(4)TGS→C{EKc,tgs(Kc,tgsrem,IDtgsrem,TS4,Tickettgsrem)}(5)C→TGSrem{IDvrem,Tickettgsrem,Authenticatorc}(6)TGS→C{EKc,tgsrem(Kc,vrem,IDvrem,TSb,Ticketvrem)}(7)C→Vrem{Ticketvrem,Authenticatorc}2.3KerberosKerberos(1)KerberosASTGSTGTASKcKcHashTGT2KerberosPKI11(2)Kerberos(3)KerberosASTGS(4)Kerberos(5)KerberosKerberos(6)KerberosKerberosKerberosKerberos(7)KerberosKerberos“Kerberized”2.4PKIPKI(PublicKeyInfrastructure)PKIPKI2KerberosPKI12X.509CACAPKICertificateAuthorityCARegistrationAuthorityRAKeyCertificate2.4.1CACAPKICAPKICA[27]CA2.4.2RARACARACARARA(1)(2)(3)(4)CA(5)(6)CA2KerberosPKI13(7)CRLCRLCRL(8)RA(9)2.4.3LDAPCACertificateRevocationListCRLLDAPCRLLDAPCRLCRL2.4.4PKICACACA//CACA2.4.5PKICRLOnlineC