Can the TGS server be removed from the Kerberos authentication protocol?

Source: Internet
Author: User

The Kerberos protocol was first proposed by MIT and is an identity authentication protocol.

Application scenarios:In an open environment, if a Workstation user wants to request various services distributed in the network through the network, the server can only provide services to authorized users, and can identify the types of service requests.

Principles of Kerberos protocol:Kerberos provides a centralized authorization server to authenticate the server and the server to authenticate the user, rather than providing detailed authentication protocols for each server.

Kerberos term:

Client: user.

As: the authentication server, you can query the database to determine the user's password, so as to issue a ticket authorization ticket to the user.

Service: the server of a service.

Ticket (TGs): the ticket authorization ticket issued by as to the client.

Ticket (Service): the service authorization ticket that TGS issues to the client.


Kerberos protocol interaction diagram:


Q &:

Q:Can the TGS server be removed from the Kerberos authentication protocol? (We can see that the role of the TGS server is to issue ticket (service) to clients with ticket (TGs). Can I omit TGS? Certainly not .)


A:If you remove the TGS server, we can consider the following two aspects:

(1) The role of TGS appears to be to issue bills to users for each service, but the underlying reason is that, to prevent the client from entering a new password every time it applies for a service. If TGS is removed, as must assume the role of TGS. The as server not only needs to judge the client password, but also issues the client with the ticket authorization ticket, and also needs to play the role of TGS, determine a user's ticket authorization ticket and issue a service authorization ticket to each service. What if we not only remove TGS, but also remove the role of TGS? In this case, the as needs to judge the user's identity every time, and the user needs to re-enter the password every time, it will lose the meaning of the existence of Kerberos, it can be said that the existence of TGS is the key to the role of Kerberos.

(2) Remove the TGS so that the as not only plays the original role, but also has the role of the TGS, isn't it better? In fact, this will not bring about the essential difference, because as and TGS can be regarded as one, because as and TGS constitute a Kerberos server.


Kerberos ApplicationConsiderations:

The Kerberos protocol is relatively cumbersome. To obtain a service ticket, you must first enter a password, get the as authentication, get the ticket, then get the TGS authentication, then get the ticket, and then get the server authentication, to receive services, and the interaction steps are slightly complicated.

However, in reality, users do not actually feel it, because they only need to enter the password, and the subsequent steps are completed by the client on the user's workstation, without the user's participation, therefore, it is very convenient for users. In addition, when requesting other services in Kerberos, you do not need to enter a password, and you do not need to perform any tedious operations to get authentication and service access. The user experience is even better.


TIPS:

(1) Kerberos only relies on the symmetric encryption system without using the public key encryption system.

(2) The Kerberos protocol-based trusted third-party authentication server (TGs). Therefore, the security of the authentication server depends on the security of the Kerberos server.

(3) Any Security Authentication solution that wants to learn from Kerberos ideas must ensure that the entity playing the role of TGS is absolutely safe.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.