Kerberos is a distributed authentication system developed by MIT's Project Athena that provides a single authentication mechanism for domain management. At present, authentication in Kerberos relies on passwords: the user's password is used mainly to derive the encryption key (session key). However, many attack methods can recover a user's password efficiently in a short time, for example dictionary attacks and off-line attacks. To guard against replay attacks, Kerberos uses timestamps, which in turn introduces the problems of clock synchronization and hijacked connections. Kerberos V5 adds a preauthentication option to strengthen the weaknesses of password authentication. Many strong password authentication protocols, such as SRP, SPEKE and EKE, are designed to resist off-line attacks and to prevent the impersonation of users that results when the password database is disclosed. In this thesis, we propose an authentication scheme built on the Kerberos system that combines strong password authentication protocols with one-time password techniques to improve the authentication and timestamp parts of Kerberos.
Kerberos, developed at MIT, has been used to handle domain-wide user authentication across an insecure network. Currently, Kerberos identifies clients by users' passwords, although it has been known that Kerberos is vulnerable to offline attacks. Meanwhile, Kerberos uses an encrypted timestamp to verify the freshness of messages and prevent replay attacks. However, it suffers from stolen live connections and from the problem of clock synchronization. In this paper, we propose a new authentication scheme on Kerberos for repairing these security holes with a strong password authentication protocol such as SRP, SPEKE or EKE. Furthermore, we use a one-time password scheme to address the weaknesses mentioned above.