基于PKI体系的跨域密钥协商协议

基于口令的跨域密钥协商协议和Kerberos协议无法抵抗口令猜测攻击,在金融、航天等通信安全需求高的场所,需要一种更有效的协议来保证通信安全。给出一种新的基于PKI体系的跨域密钥协商协议,采用公钥算法保证数据传输的安全,结合使用Diffie-Hellman协议生成会话密钥。协议有效地解决了利用预置共享密钥参与加/解密实施中间人攻击,以及Kerberos弱口令导致的攻击者可以实施口令猜测攻击的问题。跨域通信的公钥信息仅存储在各自域认证服务器,域内用户不需要配置跨域服务器的公钥信息,降低了配置复杂度、域内用户和域认证服务器之间密钥管理的复杂性,同时提高了域服务器鉴别身份的能力和信息机密性,使其免疫多种攻击,具有良好的前向安全性和扩展性。

Cross-domain PKI-based Key Agreement Protocol

It has been proven that security risks exist in most of the password-based cross-domain authentication and key agreement protocols or Kerberos protocol.It is necessary to propose a more effective protocol to ensure the communi-cating security in the area of finance and aerospace,which require high level communicating security.This paper proposed a cross-domain PKI-based key agreement protocol.This protocol can efficiently solve the key exposure problem in which the password guessing and man-in-the-middle attack is enabled.This problem is resulted from using share-key encryption and decryption to assure the security of data transmission or Kerberos weak passwords.To solve this pro-blem,this protocol adopts the public key algorithm and uses the Diffie-Hellman protocol to create the session key.Meanwhile,this protocol makes users get rid of repetitive configuration of the cross-domain server public key information,which reduces the complexity of the configuration and the key management between users and servers.Besides,this protocol improves the ability to identify authenticity and the information confidentiality,and is immune to multiple attacking ways.This protocol also has forward security and good expansibility.