1. ??? ???? Authentication
2. ?? 5.1 ????????
5.2 ?????????
5.3 Kerberos ??????
5.4 ??X509?????
5.5 ???????????
3. 5.1 ?????? 5.1.1???????
5.1.2?????????
5.1.3???????
5.1.4?????????
4. ????????????? ???????(ID):
uid, uid@domain
DN: C=CN/S=Beijing/O=Tsinghua University/U=CS/CN=Duan Haixin/Email=dhx@cernet.edu.cn
??????(??),??????????
5. ????????????? ???????,??????????,??????????????
6. ????????????? ????
??????????
????
????(Single Sign-On)
????????????????????
???????
7. ????????? ???????(What you know )
????????
???????(What you have )
??????????????????
????????(What you are)
??,??,??,??,??,???,??
?????????
8. ????????? ???(Claimant)
???(Verifier)
????AI(Authentication Information)
?????(Trusted Third Party)
9. ?????????/?? ??????
??/????
???????(OTP)
Kerberos??
???????????
???????????
10. ?? 5.1 ????????
5.2 ?????????
5.3 Kerberos ??????
5.4 ??X509?????
5.5 ???????????
11. 5.2 ????????? 5.2.1??/???? (Challenge/Response)
5.2.2 ?????(OTP)
5.2.3 ?????
12. ??/??????(CHAP) Challenge and Response Handshake Protocol
Client?Server??????
13. ???????(OTP) S/Key
SecurID
14. ???? ????
????“?????”????,??????
???????:
????????????;
???????;
????????????????????
???????:
????????
????
??????
15. ???? ?????:
????????;
?ID??;
???????;
???;
????????
????????????,?????????,
????????
???????????????????????????????????:
??????????:?????
????????????:?????
16. ???? ?????
???????????,???????????????????
?????
?????????????????
???????5?10???,???????????????
??????
?????????????
17. ?? 5.1 ????????
5.2 ?????????
5.3 Kerberos ??????
5.4 ??X509?????
5.5 ???????????
18. 5.3 Kerberos ???? 4.3.1 Kerberos ??
4.3.2 Kerberos V4
4.3.3 Kerberos V5
4.3.4 Kerberos ??
19. Kerberos ?? Kerberos ???????Athena ?????????????
????UNIX??????????????????:
??????,???????????
????????????
??????,??????????????
??Needham-Schroeder????,?????
??????????,??????????????, ?????????
20. Kerberos ?????? ?????????
???????????
Kerberos V4
Kerberos V5
21. ????????? C?V????AS???,????KC,KV
(1) C → AS : IDc || Pc || IDv
(2) AS → C : Ticket
(3) C → V : IDc || Ticket        Ticket = E_Kv[IDc || ADc || IDv]
22. ???????????
23. ????
??????(Ticket Granting Service)
??(Ticket)
????????,?tgs ? ??????????
TGS ??
????
??:
24. ???????????(Cont.) ???:??????tickettgs????
????,?????????
????,??????????
???:
??????????
????
????????(Session Key)
25. Kerberos V4 ?????
26. Kerberos V4 ?????
27. Kerberos V4 ?????(2) 2. TGS????,??????Ticketv
(3)???????????,????????????,???Tickettgs ??????????????????????TGS
C → TGS : IDv || Ticket_tgs || Authenticator_c
Authenticator_c = E_Kc,tgs[IDc || ADc || TS3]
Ticket_tgs = E_Ktgs[Kc,tgs || IDc || ADc || IDtgs || TS2 || Lifetime2]
(4) TGS???????????,????,??????????Ticket_v
TGS → C : E_Kc,tgs[Kc,v || IDv || TS4 || Ticket_v]
Ticket_v = E_Kv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4]
28. Kerberos V4 ?????(3) 3. ???/???????:????
(5)???????????????
C → V : Ticket_v || Authenticator_c
Ticket_v = E_Kv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4]
Authenticator_c = E_Kc,v[IDc || ADc || TS5]
(6)???????Ticket_v????????,?????????????????,??????????
V → C : E_Kc,v[TS5 + 1]
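Steps (5) and (6) above, simulated as an added example that is not part of the slides: the client presents Ticket_v and Authenticator_c, V checks the server identity, the ticket lifetime, the client identity and address, and the freshness of TS5, then replies E_Kc,v[TS5+1]. The enc/dec functions, the SKEW window and the sample identities are assumptions; the toy cipher stands in for E_K[...] and is not the DES-PCBC used by Kerberos V4.

```python
# Added example (not from the slides): Kerberos V4 steps (5)-(6), C -> V :
# Ticket_v || Authenticator_c and V -> C : E_Kc,v[TS5+1]. enc/dec are a toy
# encrypt-then-MAC stand-in for E_K[...] (assumption; V4 used DES-PCBC).
import hashlib, hmac, json, os
SKEW = 300  # tolerated clock skew for TS5, seconds (assumption)

def _ks(key, nonce, n):
    """Keystream of concatenated SHA-256 blocks, long enough for n bytes."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def enc(key, obj):
    """Toy E_K[obj]: nonce || (json XOR keystream) || HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    """Inverse of enc; raises ValueError if the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def make_ticket_v(k_v, k_cv, id_c, ad_c, id_v, ts4, lifetime4):
    """Ticket_v = E_Kv[Kc,v || IDc || ADc || IDv || TS4 || Lifetime4] (built by TGS)."""
    return enc(k_v, {"Kcv": k_cv.hex(), "IDc": id_c, "ADc": ad_c,
                     "IDv": id_v, "TS4": ts4, "Lifetime4": lifetime4})

def make_authenticator(k_cv, id_c, ad_c, ts5):
    """Authenticator_c = E_Kc,v[IDc || ADc || TS5] (built by the client)."""
    return enc(k_cv, {"IDc": id_c, "ADc": ad_c, "TS5": ts5})

def server_v_accept(k_v, id_v, ticket_v, authenticator, src_addr, now):
    """Step (6) at V: validate ticket and authenticator, return E_Kc,v[TS5+1]."""
    t = dec(k_v, ticket_v)                     # only V holds K_v
    if t["IDv"] != id_v:
        raise PermissionError("ticket was issued for another server")
    if not t["TS4"] <= now <= t["TS4"] + t["Lifetime4"]:
        raise PermissionError("ticket outside its lifetime")
    k_cv = bytes.fromhex(t["Kcv"])
    a = dec(k_cv, authenticator)               # proves the sender knows Kc,v
    if (a["IDc"], a["ADc"]) != (t["IDc"], t["ADc"]) or a["ADc"] != src_addr:
        raise PermissionError("authenticator does not match ticket or source address")
    if abs(now - a["TS5"]) > SKEW:
        raise PermissionError("authenticator timestamp too old: possible replay")
    return enc(k_cv, {"TS5+1": a["TS5"] + 1})

def client_check_reply(k_cv, reply, ts5):
    """Client half of step (6): V is authentic iff it returned TS5+1 under Kc,v."""
    return dec(k_cv, reply)["TS5+1"] == ts5 + 1
```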
29. ??????????
30. ??????????
31. Kerberos Version 5 ??version 4 ?????
???????: ????DES
Internet?????: ????IP
??????
Ticket????
Authentication forwarding
Inter-realm authentication
???Kerberos V4???
???????
CBC-DES??????PCBC????
????????????
????????????
32. Kerberos ??? ??????????
??????
?????????,????????????
33. ?? 4.1 ????????
4.2 ?????????
4.3 Kerberos ??????
4.4 ??X509?????
4.5 ???????????
34. 5.4 ??X509??????? 5.4.1 X509 ????
5.4.2 X509??
5.4.3 ???????????
5.4.4 ????????
35. X509 ???? Certificate Authority
????
Registry Authority
??????????
Directory
??????????
???????
????
????????
????????
36. ?????
37. ????? ????
CA<<A>> = CA{V, SN, AI, CA, TA, A, Ap}
Y<<A>> ?? ??????Y ????X???
Y{I} ??Y ?I ???,?I ??Y???????????
??????
????CA???????????????
??CA??,?????????????
38. ????? ????(One-Way Authentication)
39. ????? ????(Two-Way Authentication)
40. ????? ????(Three-Way Authentication)
41. ???????? ??A ??????X2???,?????B??? X2<<B>>????
CA???????
A??B?????: X2<<B>>, X1<<X2>>
42. ?? 5.1 ????????
5.2 ?????????
5.3 Kerberos ??????
5.4 ??X509?????
5.5 ???????????
43. 5.5.1 ?????? ?????????????
??,???,??,????????????????
??
??????????????????;
????????????????????:????,????;
?????
?????,??,????;
?????????? ;
?????(????,?????)?????????
44. ??????(?) ?????
??????????????????;
????
????????????????????;
?????????,??,??,??,??????;
????
???????????,????????????????,???????????????
????
??????????,??,??,????????
45. ??????(?) ????
???????????????;
??????
46. 5.5.2 ?????????????? ?????:?????(FRR)?
?????:?????(FAR)?
?????(CER):FRR=FAR????
CER???????????
47. ?? ???????
??/??????
Kerberos ????
X509?????????
48. ?? ???????????????,??????
?DES,RSA??????????/?????????
Server/Client??????:
DES: Client ?Server??????Kc
RSA: ????KU, ???? KR
Client: (KUc, KRc), Server: (KUs, KRs)
Client ??KUs, Server ?? KUc
49. ?? ?????????????,???Kerberos ?X509??????????????????,?????????
?????????????????
?????
??????????