Kerberos Learning Notes

recently debugging the SSO feature of the VMware Identity Manager product at Work , there is an opportunity to gain insight into how Kerberos works, and to document the essays for future review.

What is Kerberos, see wiki-https://en.wikipedia.org/wiki/kerberos_ (Protocol). Simply stated , Kerberos is a network authentication protocol that provides secure authentication between clients and server programs by using secret key encryption. For example, the system authentication process after Microsoft Windows2000 is based on Kerberos .

Why call Kerberos,the Legend of Kerberos is the Greek myth of The Guardian hell of a big dog with three heads, seemingly in the first Harry Potter < Harry Potter and the Philosopher's Stone > also has a three-headed dog. Three headers represent the three- party, Client,server, and KDC in the Kerberos protocol.

650) this.width=650; "Src=" Http://s4.51cto.com/wyfs02/M00/89/EC/wKiom1ghg_fhw6eWAABNLqqv6FU131.jpg-wh_500x0-wm_3 -wmp_4-s_2507210671.jpg "title=" kerberos1.jpg "alt=" Wkiom1ghg_fhw6ewaabnlqqv6fu131.jpg-wh_50 "/>

photo Source: http://mccltd.net/blog/?p=1053

on-line Kerberos Protocol introduced a lot of,http://blog.csdn.net/wulantian/article/details/42418231 This blog is to speak more thorough and deep, However, reading down is probably more burning brain, a long time I am afraid to forget. the introduction to Kerberos in this article is done in a simple example to help you understand the way Kerberos is authenticated in a broad sense , and it differs from the specifics of the protocol.

We assume a scene, the war era, there are two underground workers Zhang San, John Doe is sent to a place to engage in secret work, now Zhang San because of job needs, found a pub cover identity of the tavern boss John Doe, Zhang San now to do, is to Lee four prove I was Zhang San, not fishing law enforcement, This is a typical certification process.

How do we do that? Zhang San, John Doe's sending agency has already designed the certification process for them, where the sending agency is the KDC in the Kerberos protocol, such as Microsoft's AD domain server. Before the two people leave, sent to each person a key ( corresponding user password or password hash value ), the sending agency also retained a backup key (AD domain Server holds the password or password of each domain user) hash value ). Zhang San, the John Doe corresponds to the client and server respectively .

1. Zhang Three should report to the sending agency: I want to and John Doe Connector, give me a connector code BAI.

2. the sending agency received Zhang three to and John Doe Connector request, then sent two small boxes to Zhang San, and on the lock, only two people's own key to open.
In the first box there was a note that said the connector code: Pagoda Town River Demon . Zhang San's key can open this box.
in the second box there are two pieces of paper, a note is also written in the connector code : Pagoda Town River Demon . The second note reads: The bearer is Zhang San.

3. after Zhang San received two small boxes, he opened the first small box with his key, and saw the connector code: Pagoda Town River Demon .

4. then Zhang San took the second box to find the saloon's Li Four, see John Doe, Zhang San the second box to John Doe, and said the connector code: Pagoda Town River Demon , and claimed to be Zhang San.

5. John Doe with his own key opened Zhang San brought him box, see the Connector code is Pagoda Town River Demon . And then saw another note that said the bearer was Zhang San. Well, it's all right. He's Zhang San, so now let's drink the wine, and we'll talk about the next step of the work schedule.

This example is used to tell The basic principle of Kerberos, of course, is that the Kerberos protocol is much more complex than this example. So you do not seriously, if I lost the key how to do, someone put a small box off a bag and so on, how to do? These are the problems that the Kerberos protocol is going to solve, and you need to see the details of the Kerberos protocol yourself.

about theSam Zhao,EUCSolution Department Manager. In software development, testing, project management -yearsITexperience, five patents and one

This article is from the "VMware End User Computing" blog, reproduced please contact the author!

Kerberos Learning Notes