KERBEROS5 Authentication Protocol

&http://www.aliyun.com/zixun/aggregation/37954.html ">nbsp; The term Kerberos is derived from the Greek myth "three-headed dog-keeper of the Gates of Hell"

Kerberos is a network authentication protocol designed to provide a strong authentication service for client/server applications through a key system. The implementation of the authentication process does not depend on the authentication of the host operating system, requires no trust based on the host address, does not require the physical security of all hosts on the network, and assumes that packets transmitted on the network can be arbitrarily read, modified, and inserted into the data. In the above case, Kerberos, as a trusted Third-party authentication service, performs authentication services through traditional cryptography techniques such as shared keys.

The authentication process is as follows: The client sends a request to the authentication server (as), requests a certificate from a server, and then the response of as contains these certificates encrypted with the client key. The composition of the certificate is: 1 server "Ticket"; 2) a Temporary encryption key (also known as session key "Sessions key"). The client transmits the ticket (including the client identity encrypted with the server key and a copy of the session key) to the server. Session keys can be used (now shared by both client and server) to authenticate clients or authentication servers, or to provide cryptographic services for subsequent communication between the two parties, or to provide further communication encryption services for both parties by exchanging independent child session keys.

The authentication exchange process above requires read-only access to the Kerberos database. Sometimes, however, records in a database must be modified, such as when a new rule is added or a rule key is changed. The modification process is accomplished through the protocol between the client and the third party Kerberos server (Kerberos manager kadm). The management agreement is not described here. There is also a protocol for maintaining copies of multiple Kerberos databases, which can be considered a detail issue in the execution process and will be constantly changing to accommodate various database technologies.

Protocol structure

Kerberos Information:

* Client/server Authentication Exchange

<

Information Direction Information type

Client to Kerberos Krb_as_req

Kerberos to client Krb_as_rep or Krb_error

* Client/server Authentication Exchange

Information Direction Information type

Client Krb_ap_req to Application server

The optional Application server Krb_ap_rep or Krb_errorr to the client

* Ticket Granting Service (TGS) Exchange

Information Direction Information type

Client to Kerberos Krb_tgs_req

Kerberos to client Krb_tgs_rep or Krb_error

* Krb_safe Exchange

* Krb_priv Exchange

* Krb_cred Exchange

Kerberos is the MIT for Athena (Athena) program development of the certification system.

The composition of Kerberos:

Kerberos Application Libraries: application interfaces, including the creation and reading of authentication requests, and the creation of a subroutine for safe message and private message.

Encryption/Jiamiku: DES, etc.

Kerberos database: Information such as the name of each Kerberos user, the private key, the cutoff information (the valid time of the record, usually a few years) is recorded.

Database Manager: Manages the Kerberos database KDBM server (database Management Server): accepts requests from clients to manipulate the database.

Authentication Server (AS): A read-only copy of a Kerberos database that is used to complete principle authentication and generate session keys.

Database replication software: Management of the database from the KDBM service machine, to the authentication server in the machine copy work, in order to maintain the consistency of the database, every once in a while to replicate the work.

User program: Login kerberos, change Kerberos password, display and destroy Kerberos label (ticket) and so on work.

The KERBEROS5 authentication protocol is implemented on the Microsoft Windows Server 2003 operating system. Windows Server2003 always uses the extended public key authentication mechanism. The Kerberos authentication client implements authentication as an SSP (Security Support Provider) by accessing the SSPI (Security Support Provider Interface). The user authentication initialization process is integrated into the Winlogon SSO (single Sign-On) system.