
Improvement of Password Authentication in the Kerberos System

A New Password Authentication Scheme on Kerberos

Advisor: 黃士殷

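Abstract


Kerberos is a distributed authentication system developed by MIT's Project Athena that provides a single authentication mechanism for domain management. Authentication in Kerberos currently relies on passwords. The user's password is mainly used to generate the encryption key (session key). However, many attack methods can recover a user's password in a short time, for example dictionary attacks and off-line attacks. To guard against replay attacks, Kerberos uses timestamps, which in turn give rise to problems of system clock synchronization and of hijacked connections. Kerberos V5 adds a Preauthentication option to shore up the weaknesses of password authentication. Many strong password authentication protocols, such as SRP, SPEKE and EKE, are designed to resist off-line attacks and to prevent the impersonation of users that results from a leaked password database. In this thesis, we propose an authentication scheme built on the Kerberos system that combines strong password authentication protocols with one-time password techniques to improve the authentication and timestamp parts of Kerberos.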

Keywords

Kerberos; authentication; password; timestamp

Parallel Abstract


Kerberos, developed at MIT, has been used to handle domain-wide user authentication across an insecure network. Currently, Kerberos identifies clients by their users' passwords, although it has been known that Kerberos is vulnerable to offline attacks. Meanwhile, Kerberos uses an encrypted timestamp to verify the freshness of messages and prevent replay attacks. However, it suffers from stolen live connections and from synchronization problems. In this paper, we propose a new authentication scheme on Kerberos that repairs these security holes with strong password authentication protocols such as SRP, SPEKE and EKE. Furthermore, we use a one-time password scheme to improve on the weaknesses mentioned above.

Parallel Keywords

Kerberos Authentication password one-time password timestamp

References


S. M. Bellovin and M. Merritt. Encrypted key exchange: Password-based protocol secure against dictionary attacks. In Proceedings of the 1992 IEEE Computer Society Conference on Research in Security and Privacy, pages 72-84, 1992.
S. M. Bellovin and M. Merritt. Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise. Technical report AT&T Bell Lab, 1994.
D. E. Denning and G. M. Sacco. Timestamps in Key Distribution Protocols. Communications of the ACM, August 1981.
Netscape Inc. Secure Socket Layer. http://www.netscape.com/
D. Jablon. Strong password-only authentication key exchange. Computer Communication Review, 26(5):5-26, October 1996.

Cited by


李志潘 (2008). 基於浮動密碼典加密法之應用模擬 [Master's thesis, Asia University]. Airiti Library. https://www.airitilibrary.com/Article/Detail?DocID=U0118-0807200916285473
