计算机工程
計算機工程
계산궤공정
COMPUTER ENGINEERING
2015年
5期
144-148
,共5页
Kerberos协议%单点登录%公钥加密%重放攻击%序列号%随机数%密钥链
Kerberos協議%單點登錄%公鑰加密%重放攻擊%序列號%隨機數%密鑰鏈
Kerberos협의%단점등록%공약가밀%중방공격%서렬호%수궤수%밀약련
Kerberos protocol%single sign-on%public key encryption%replay attack%sequence number%random number%key chain
对传统Kerberos协议的安全性进行分析,提出一种改进协议。利用公钥加密私钥解密体制,解决口令猜测攻击以及对称密钥存储复杂的问题。为避免请求资源的消息被攻击者截获后进行重放,通过增加消息序列号和发送随机数相结合的方法,使应用服务器能够识别出被攻击者重放攻击和客户端重发的消息。在客户端和应用服务器端都采用非易失性存储器来存储密钥链和消息列表,客户端与资源服务器之间的交互数据都使用密钥链中的密钥代替票据授权服务器颁发的会话密钥进行加密,动态密钥保证消息的完整性,使会话密钥不易被截获。分析结果表明,改进协议能有效提高系统的安全性。
對傳統Kerberos協議的安全性進行分析,提齣一種改進協議。利用公鑰加密私鑰解密體製,解決口令猜測攻擊以及對稱密鑰存儲複雜的問題。為避免請求資源的消息被攻擊者截穫後進行重放,通過增加消息序列號和髮送隨機數相結閤的方法,使應用服務器能夠識彆齣被攻擊者重放攻擊和客戶耑重髮的消息。在客戶耑和應用服務器耑都採用非易失性存儲器來存儲密鑰鏈和消息列錶,客戶耑與資源服務器之間的交互數據都使用密鑰鏈中的密鑰代替票據授權服務器頒髮的會話密鑰進行加密,動態密鑰保證消息的完整性,使會話密鑰不易被截穫。分析結果錶明,改進協議能有效提高繫統的安全性。
대전통Kerberos협의적안전성진행분석,제출일충개진협의。이용공약가밀사약해밀체제,해결구령시측공격이급대칭밀약존저복잡적문제。위피면청구자원적소식피공격자절획후진행중방,통과증가소식서렬호화발송수궤수상결합적방법,사응용복무기능구식별출피공격자중방공격화객호단중발적소식。재객호단화응용복무기단도채용비역실성존저기래존저밀약련화소식렬표,객호단여자원복무기지간적교호수거도사용밀약련중적밀약대체표거수권복무기반발적회화밀약진행가밀,동태밀약보증소식적완정성,사회화밀약불역피절획。분석결과표명,개진협의능유효제고계통적안전성。
Some improvements are made based on the analysis of the traditional Kerberos protocol’s security. To solve problems of the password guessing attacks and the complexity of symmetric key storage,public key encryption and private key decryption mechanism is presented in this paper. The new methods of combining the message sequence number with the random number is used to help the application server to distinguish the message replayed by the attacker and the message resent by the legal client,so as to solve the problem that the encrypted request message is seized and replayed by the attacker. Also,in view of the problem that the session key is intercepted,the non-volatile memory is adopted on the client and application server to store the key chain and the message list,and message between client and application server is encrypted by the key in the key chain instead of the session key issued by the Ticket Granting Server ( TGS ) , the dynamic key ensures the integrity of the message. Analysis result shows that the improued protocol can improve the security of the system.