Research and Improvement of the Kerberos Authentication System
Abstract
With the rapid development of the Internet, network security has become increasingly important. Network security measures should address the full range of threats from every direction; only then can the confidentiality, integrity, and availability of network information be assured. Among security services, entity authentication is especially important.
In an open distributed network environment, users at workstations want to access server resources distributed across the network. However, resources on the network permit access only by authorized users with specific privileges, so a distributed network must provide a mechanism for authenticating users' identities.
Kerberos is a three-party authentication protocol designed for TCP/IP networks and based on the client/server model. It is widely used for access to Internet services, and the Kerberos service in the network acts as a trusted arbitrator. Kerberos is based on symmetric cryptography and provides secure authentication of clients. This thesis combines Kerberos with the Diffie-Hellman public-key algorithm, analyzes the man-in-the-middle attack on Diffie-Hellman, and aims to make certain improvements to the Kerberos protocol in order to address the following problem: Kerberos can use the session keys it generates to decrypt the ciphertext messages exchanged between the two communicating parties, yet there is no way to produce evidence that it has done so.