[Repost] Introduction to Kerberos

Kerberos protocol:

The Kerberos authentication protocol is mainly used for authentication in computer networks. Its distinguishing feature is that a user enters authentication information only once, receives a ticket-granting ticket (TGT), and can then use that ticket to obtain access to multiple services, i.e. single sign-on (SSO). Because a shared key is established between each Client and Service, the protocol offers considerable security.

Let's look at the prerequisites of the Kerberos protocol:

As shown below, the Client and the KDC, and likewise the KDC and the Service, have each agreed on a shared key before the protocol starts. Since the KDC must be reachable by every participant and the protocol's messages cannot pass through a firewall, these conditions mean that Kerberos is mostly used within a single organization, which differs from the application scenarios of X.509 PKI.

The Kerberos protocol process is divided into two parts:

1. The Client sends its own identity information to the KDC. The KDC (strictly, its Authentication Service; the Ticket Granting Service issues service tickets in part two) issues a TGT (ticket-granting ticket) and replies to the Client with an encrypted message containing the TGT, protected by the key agreed between the Client and the KDC before the protocol started.

At this point only the genuine Client, which holds the key it shares with the KDC, can decrypt that reply and thereby obtain a usable TGT.

(This process avoids sending the Client's password directly to the KDC, which would be an insecure way to authenticate.)

2. The Client then uses the TGT it obtained to request a Service Ticket from the KDC, so that its identity can be recognized by the other Services.

The second part is the core of the Kerberos protocol and is described as follows:

1.    The Client sends the TGT it obtained earlier, together with information about the service it wants (the service name, etc.), to the KDC. The Ticket Granting Service in the KDC generates a Session Key for the Client and the Service, which the Service will use to authenticate the Client. The KDC then packages this Session Key together with the user name, user address (IP), service name, validity period and a timestamp into a Ticket (this information is ultimately what the Service uses to authenticate the Client) destined for the Service. However, Kerberos does not send the Ticket directly to the Service; it is forwarded to the Service via the Client, hence the second step.

2.    The KDC now forwards the Ticket to the Client. Because the Ticket is intended for the Service and must not be readable by the Client, the KDC encrypts it with the key shared between the KDC and the Service before sending it to the Client. At the same time, so that the Client and the Service can share the secret created for them in step 1 (the Session Key), the KDC encrypts the Session Key with the key it shares with the Client and returns it to the Client together with the encrypted Ticket. (In the actual protocol this part of the reply is encrypted under the session key carried in the TGT rather than the Client's long-term key; the effect is the same, since only the holder of the TGT can read it.)

3.    To complete delivery of the Ticket, the Client forwards the Ticket it just received to the Service. Because the Client does not know the key between the KDC and the Service, it cannot tamper with the information in the Ticket. At the same time, the Client decrypts the Session Key it received, packages its user name, user address (IP) and a current timestamp into an Authenticator, encrypts it with the Session Key, and sends it to the Service as well.

4.    Upon receiving the Ticket, the Service decrypts its contents with the key it shares with the KDC, obtaining the Session Key, user name, user address (IP), service name and validity period. It then decrypts the Authenticator with the Session Key to obtain the user name and user address (IP), and compares them with the user name and address decrypted from the Ticket, thereby verifying the Client's identity.

5.    If the Service has a result to return, it returns it to the Client.
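The exchange in steps 1 to 5 above, written out as an added Python example that is not part of the original post. Everything in it is constructed for illustration: the principal names (alice, http/www), the IP address, the fixed clock value, and a toy encrypt-then-MAC built from HMAC-SHA256 that stands in for a real Kerberos encryption type. It follows the text's simplification that the Session Key returned to the Client is sealed under the Client's long-term key (real Kerberos uses the session key from the TGT). It also adds the two checks a Service must perform that the steps only imply: the Authenticator timestamp must be within an allowed clock skew, and a repeated Authenticator must be rejected as a replay.

```python
"""Toy model of the Kerberos TGS and AP exchanges (steps 1-5).

Not Kerberos wire format: the 'cipher' is a demonstration-only
encrypt-then-MAC built from HMAC-SHA256 so the script runs offline.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300          # seconds; Kerberos implementations commonly allow 5 minutes
TICKET_LIFETIME = 3600  # seconds; constructed value for the demo


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (toy PRF, not a real enctype)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict: nonce || ciphertext || tag."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; any modification fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the long-term key shared with every principal (the prerequisite)."""

    def __init__(self, principal_keys):
        self.keys = principal_keys

    def tgs_exchange(self, user, ip, service, now):
        """Steps 1-2: mint a Session Key, a Ticket for the Service, and a reply for the Client."""
        session_key = os.urandom(32)
        ticket = {"session_key": session_key.hex(), "user": user, "ip": ip,
                  "service": service, "start": now, "end": now + TICKET_LIFETIME}
        enc_ticket = seal(self.keys[service], ticket)           # Client cannot read or alter this
        enc_reply = seal(self.keys[user], {"session_key": session_key.hex(), "service": service})
        return enc_ticket, enc_reply


def client_ap_request(client_key, enc_ticket, enc_reply, user, ip, now):
    """Step 3: recover the Session Key and build an Authenticator under it."""
    session_key = bytes.fromhex(unseal(client_key, enc_reply)["session_key"])
    authenticator = seal(session_key, {"user": user, "ip": ip, "ts": now})
    return enc_ticket, authenticator, session_key


def service_verify(service_key, enc_ticket, authenticator, peer_ip, now, replay_cache):
    """Step 4: open the Ticket, open the Authenticator, cross-check, detect replays."""
    ticket = unseal(service_key, enc_ticket)                  # raises if the Client tampered
    if not ticket["start"] <= now <= ticket["end"]:
        raise ValueError("ticket not valid at this time")
    session_key = bytes.fromhex(ticket["session_key"])
    auth = unseal(session_key, authenticator)                 # only the real Client knew this key
    if (auth["user"], auth["ip"]) != (ticket["user"], ticket["ip"]) or peer_ip != ticket["ip"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator outside allowed clock skew")
    if (auth["user"], auth["ts"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((auth["user"], auth["ts"]))
    return ticket["user"], session_key


def run_exchange(tamper=False, replay=False):
    """Full run with a fixed clock (constructed) so results are deterministic."""
    now = 1_700_000_000.0
    kdc = KDC({"alice": os.urandom(32), "http/www": os.urandom(32)})
    enc_ticket, enc_reply = kdc.tgs_exchange("alice", "10.0.0.5", "http/www", now)
    enc_ticket, authenticator, k_client = client_ap_request(
        kdc.keys["alice"], enc_ticket, enc_reply, "alice", "10.0.0.5", now)
    if tamper:  # Client flips one ciphertext byte of the Ticket it is forwarding
        enc_ticket = enc_ticket[:20] + bytes([enc_ticket[20] ^ 0x01]) + enc_ticket[21:]
    seen = set()
    user, k_service = service_verify(kdc.keys["http/www"], enc_ticket, authenticator, "10.0.0.5", now, seen)
    if replay:  # same Authenticator presented a second time
        service_verify(kdc.keys["http/www"], enc_ticket, authenticator, "10.0.0.5", now, seen)
    return user, k_client == k_service


def outcome(**kwargs):
    """Return 'accepted' or the reason the Service rejected the request."""
    try:
        run_exchange(**kwargs)
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("honest client :", outcome())
    print("tampered ticket:", outcome(tamper=True))
    print("replayed auth  :", outcome(replay=True))
```

After a successful run both sides hold the same Session Key, which is what later gives the Client-Service channel confidentiality and integrity. Without the replay cache, anyone who captured the Ticket and Authenticator could resend them within the skew window, which is why real Kerberos servers keep one.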

Summary

In short, the Kerberos protocol mainly does two things:

1.    Secure delivery of the Ticket.

2.    Secure distribution of the Session Key.

Together with the use of timestamps, this goes a long way toward ensuring the security of user authentication. Moreover, using the Session Key, the messages exchanged between the Client and the Service after authentication can also be given confidentiality and integrity. However, since no asymmetric keys are used, it naturally cannot provide non-repudiation, which limits its applicability. Relatively speaking, though, it is much simpler to deploy than X.509 PKI authentication.

Origin: www.cnblogs.com/shuai7boy/p/11592630.html