Kerberos认证系统的研究与改进

Kerberos是为TCP/IP网络设计的基于Client/Server模式的三方验证协议,广泛应用于Internet服务的访问,网络中的Kerberos服务起着可信仲裁者的作用。Kerberos基于对称密码体制,可提供安全的客体认证。本文针对结合Kerberos认证协议由对称算法所带来的局限性,在保持原有协议框架的基础上,利用公开密钥算法RSA对Kerberos协议进行一定的改进。     

Kerberos与盲签名的结合

提出了Kerberos与广泛应用于电子现金中的盲签名技术结合的想法，并具体给出了一个初步的实现方案，不仅加强了Kerberos的安全性，更重要的是为用户提供了服务的匿名性，某种程度上保证了用户的隐私。同时提出了Kerberos与电子现金系统结合的思想方法。     

基于Kerberos的移动Ad-hoc网络安全认证方案

提出了基于Kerberos的移动Ad-hoc网的安全认证机制KADH，它继承了传统Kerberos系统中一些在Ad-hoc网络环境中实用的特性。同时针对结点的移动性和简短性，引入了复制、选择和校验机制确保了连接的安全性，同时使来自网络内部的恶意攻击的危险性降到最低。     

利用ElGamal算法改进Kerberos协议

针对Kerberos认证协议由对称算法所带来的局限性,国内外已有很多人用以RSA算法为代表的公钥体制对Kerberos协议进行了改进.本文选用ElGamal算法来修正Kerberos协议,一箭双雕,不仅继承了先行者们的研究成果,而且彻底解决Kerberos可能窃听通信双方会话的问题.因此,更具安全性、实用性.     

B/S架构的单点登录系统模型

为了满足企业的具体应用集成需求,提出了一种B/S架构的单点登录模型,并讨论了密码同步的解决方案。该模型采用活动目录、ActiveX插件和Kerberos认证,将传统的C/S遗留应用(包括标准Windows应用、 FTP 和Telnet等)和Web应用集成到B/S模式下,用户通过IE浏览器调用具体的应用,提高了企业应用的可用性和可管理性,增强了用户访问的安全性.     

基于混合体制的Kerberos身份认证协议的研究

对Kerberos身份认证协议方案进行了详细的分析,针对Kerberos协议本身存在的局限性,从系统安全性和实际执行性能角度出发,提出了一种混合加密体制的Kerberos改进协议。并且解决了Kerberos认证协议可能存在窃听通信双方会话的问题,从而防止内部攻击。     

Kerberos在活动目录域林模型中的应用研究

在开放的网络环境中,Kerberos是一种被广泛应用的认证系统,各种服务程序都可利用它来验证用户的身份。在分析Kerberos协议的基础上,深入研究了Kerberos在微软活动目录域林模型中的应用,并给出了在企业中部署活动目录时进行优化的一些建议。     

一种单点登录协议的设计

Kerberos单点登录协议存在口令猜测、重放攻击、缺乏认证等安全问题,该文以Kerberos协议为基础,设计一种新的单点登录协议,该协议修改了Kerberos协议的框架,引入一次性口令和授权服务机制,解决了Kerberos协议存在的问题,提供一种更安全、且扩展性强的单点登录协议。     

单点登录技术在SAP—ERP中的应用

为了在多个应用系统中,用户只需登录一次就可以访问所有相互信任的应用系统,本文用基于Windows域服务器验证方式完成了SAP ＆ ERP Portal系统单点登录技术方案。     

A Unified User Management System

ABSTRACT

As open source software has gained in popularity throughout the last decades, free operating systems (OSs) such as Linux (Torvalds) and BSD derivatives (i.e., FreeBSD, 2012; NetBSD, 2012 NetBSD Foundation. (2012). The NetBSD project. Available from http://netbsd.org (http://netbsd.org)  [Google Scholar]; OpenBSD, 2012 OpenBSD. (2012). OpenBSD. OpenBSD. Available from http://netbsd.org (http://netbsd.org)  [Google Scholar]) have become more common, not only on datacenters but also on desktop and laptop computers. It is not rare to find computer labs or company offices composed of personal computers that boot more than one operating system. By being able to choose among available OSs, a company's or organization's information technology manager has the freedom to select the right OS for the company's needs, and the decision can be based on technical or financial criteria. This freedom of choice, however, comes with a cost. The administrative complexity of heterogeneous networks is much higher compared to single OS networks, and if the network is large enough so that protocols such as LDAP (Zeilenga, 2006 Zeilenga, K. 2006. Lightweight directory access protocol (LDAP): Technical specification road map et. alTech. rep., RFC 4510, June [Google Scholar]) or Kerberos (Kohl & Neuman, 1993 Kohl, J. and Neuman, C. 1993. The Kerberos network authentication service (v5) Tech. rep., RFC 1510, September[Crossref] , [Google Scholar]) need to be adopted, then the administration burden may become unbearable. Even though some tools exist that make user management of heterogeneous networks more feasible (Tournier, 2006 Tournier, J. (2006). smbldap-tools – summary [Gna!]. In Welcome to Gna! http://gna.org/projects/smbldap-tools (http://gna.org/projects/smbldap-tools)  [Google Scholar]; Chu & Symas Corp., 2005 Chu, H. and Symas Corp. (2005) http://www.openldap.org/devel/cvsweb.cgi/~checkout~/contrib/slapd-modules/smbk5pwd/README (http://www.openldap.org/devel/cvsweb.cgi/~checkout~/contrib/slapd-modules/smbk5pwd/README)  [Google Scholar]), it is not uncommon to use more than one back end for storing user credentials due to OS incompatibilities. In such configurations, the hardest problem to address is credential and account expiration synchronization among the different back ends. This paper demonstrates a platform that tries to mitigate the problem of synchronization by adding an additional, modular, easy to expand layer which is responsible for synchronizing any number of underlying back ends in a secure fashion.