
CN112035820B - Data analysis method used in Kerberos encryption environment - Google Patents


Info

Publication number: CN112035820B
Authority: CN (China)
Prior art keywords: server, kerberos, client, application, password
Legal status: Active
Application number: CN202010712263.0A
Other languages: Chinese (zh)
Other versions: CN112035820A (en)
Inventors: 唐更新, 张群, 宋辉, 赵卫国
Current Assignee: Beijing Zhongan Xingyun Software Technology Co ltd
Original Assignee: Beijing Zhongan Xingyun Software Technology Co ltd
Application filed by Beijing Zhongan Xingyun Software Technology Co ltd
Priority to CN202010712263.0A
Publication of CN112035820A
Application granted
Publication of CN112035820B

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/335 User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos


Abstract

The invention provides a data analysis method used in a Kerberos encryption environment, and relates to the field of Kerberos encryption and decryption. A data analysis method used in Kerberos encryption environment comprises the following specific steps: the method comprises the steps that a Kerberos server registers an account for an application client and creates a client password, and the Kerberos server registers the account for the application server and creates a server password; the Kerberos server generates a key file according to the client password and the server password to send the key file to the decryption device; the application client generates a communication key; the Kerberos server generates an authentication key and encrypts the authentication key with the client password to generate a first ticket. The invention solves the problem that the communication content between the client and the server cannot be supervised under the Kerberos authentication environment.

Description

Data analysis method used in Kerberos encryption environment
Technical Field
The invention relates to the field of Kerberos encryption and decryption, in particular to a data analysis method used in a Kerberos encryption environment.
Background
Kerberos is a network authentication protocol based on symmetric cryptography. The Kerberos protocol is mainly used for user authentication in important network production environments such as banking, government affairs and telecommunications, and it ensures data privacy and integrity by encrypting all connection information. However, because the communication protocol is converted from plaintext transmission to ciphertext transmission, the traditional auditing approach can no longer analyze the traffic between a client and a server or audit the operation behaviour of a user, which is a great challenge for the security of the server. The invention aims to solve the problem of analysis and audit of the encrypted data by a third party in a Kerberos authentication environment.
Disclosure of Invention
The invention aims to provide a data analysis method used in a Kerberos encryption environment, which can improve the security of a network environment by monitoring data transmission between a client and a server by a third party in the Kerberos encryption environment.
Embodiments of the present invention are implemented as follows:
the embodiment of the application provides a data analysis method used in a Kerberos encryption environment, which comprises a Kerberos server, an application client, an application server and a decryption device, and comprises the following specific steps:
the Kerberos server registers an account for the application client and creates a client password, and the Kerberos server registers an account for the application server and creates a server password;
the Kerberos server generates a key file according to the client password and the server password to send the key file to the decryption device;
the application client generates a communication key; the Kerberos server generates an authentication key, encrypts the authentication key through the client password to generate a first ticket, the Kerberos server sends the first ticket to the application client, the application client decrypts the first ticket through the client password to obtain the authentication key and sends the authentication key to the Kerberos server, and the Kerberos server performs first identity authentication on the application client through the authentication key;
the application client encrypts the communication key through the authentication key to generate an access request of the application server, and sends the access request to the Kerberos server;
the Kerberos server decrypts the access request through the authentication key to obtain the communication key, so that the application client is authenticated for the second time through the communication key, and after the authentication is successful, the Kerberos server encrypts the communication key through the authentication key and the server password in sequence to generate a second ticket, and the Kerberos server sends the first ticket and the second ticket to the application client;
the application client sends the second ticket to the application server, the application server decrypts the second ticket through the server password to obtain the authentication key, and decrypts the second ticket again through the authentication key to obtain the communication key;
the data packets transmitted between the application client and the application server through the Kerberos server are encrypted through the communication key, wherein the application client encrypts the data packets by using the client password, and the application server encrypts the data packets by using the server password;
the decryption device captures the data packet, decrypts the data packet through the client password and the server password to obtain the communication key, and decrypts the data packet by using the communication key.
Compared with the prior art, the embodiment of the invention has at least the following advantages or beneficial effects:
A data parsing method used in a Kerberos encryption environment comprises the following specific steps: the Kerberos server registers an account for the application client and creates a client password, and registers an account for the application server and creates a server password; the Kerberos server generates a key file according to the client password and the server password and sends the key file to the decryption device; the application client generates a communication key; the Kerberos server generates an authentication key, encrypts the authentication key with the client password to generate a first ticket and sends the first ticket to the application client, the application client decrypts the first ticket with the client password to obtain the authentication key and sends the authentication key to the Kerberos server, and the Kerberos server thereby performs first identity authentication on the application client with the authentication key; the application client, having obtained the authentication key by decrypting the first ticket with the client password, encrypts the communication key with the authentication key to generate an access request for the application server and sends the access request to the Kerberos server; the Kerberos server decrypts the access request with the authentication key to obtain the communication key, thereby performing second identity authentication on the application client with the communication key, and after the authentication succeeds the Kerberos server encrypts the communication key with the authentication key and then with the server password to generate a second ticket and sends the first ticket and the second ticket to the application client; the application client sends the second ticket to the application server, the application server decrypts the second ticket with the server password to obtain the authentication key and decrypts the second ticket again with the authentication key to obtain the communication key; the data packets transmitted between the application client and the application server through the Kerberos server are encrypted with the communication key, wherein the application client encrypts the data packets using the client password and the application server encrypts the data packets using the server password; the decryption device captures the data packets, decrypts them with the client password and the server password to obtain the communication key, and decrypts the data packets with the communication key.
According to the invention, the Kerberos server registers accounts for the application client and the application server and creates an account password for each, so that the Kerberos server authenticates the identity of the application client and the application server using these account passwords, which improves the security of communication between them. The Kerberos server generates a key file according to the registered accounts and sends it to the decryption device, so that the decryption device can use the registered accounts to judge whether the source of a data packet transmitted between the application client and the application server is trusted; because the key file contains the encryption information of the Kerberos server, the decryption device can decrypt the data packets with that information. The application client generates the communication key shared by the application client and the application server, which strengthens the security of their communication. The Kerberos server encrypts an authentication key with the account password to generate a first ticket and returns the authentication key to the application client inside the first ticket; the application client decrypts the first ticket with its own account password to obtain the authentication key, and obtaining the authentication key indicates that the first identity authentication succeeded, otherwise it has failed. The application client encrypts the communication key with the authentication key to generate an access request and sends it to the Kerberos server, so that the authentication key serves as the credential for accessing the application server; the Kerberos server decrypts the access request with the authentication key to obtain the communication key, and the second identity authentication succeeds when the authentication key is correct and the communication key is obtained. The Kerberos server encrypts the communication key with the authentication key and then with the server password to generate a second ticket, which it sends to the application server via the application client; the application server decrypts the second ticket with the server password to obtain the authentication key, decrypts it again with the authentication key to obtain the communication key, and thereafter encrypts and decrypts the data packets exchanged with the application client using the communication key. The application client encrypts the data packets with the communication key, and the Kerberos server encrypts the data packets with its encryption information before forwarding them to the application server, so that ciphertext transmission is realized through the Kerberos server. The decryption device captures the data packets, decrypts them with the client password and the server password from the key file to obtain the communication key, and decrypts the data packets with the communication key; the decryption device thus obtains the plaintext using the communication key established during the authentication stage between the application client and the application server, which enables supervision of user operation behaviour and prevents an illegal application client, or illegal information from an application client, from being transmitted to the application server, thereby protecting the application server.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a data parsing method for use in a Kerberos encryption environment according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a data parsing system used in a Kerberos encryption environment according to an embodiment of the present invention.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present application, it should also be noted that, unless explicitly specified and limited otherwise, the terms "disposed," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the terms in this application will be understood by those of ordinary skill in the art in a specific context.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The various embodiments and features of the embodiments described below may be combined with one another without conflict.
Examples
Referring to fig. 1 and fig. 2, which show a data parsing method for use in a Kerberos encryption environment according to an embodiment of the present application: the method involves a Kerberos server, an application client, an application server and a decryption device, and comprises the following specific steps:
the Kerberos server registers an account for the application client and creates a client password, and the Kerberos server registers an account for the application server and creates a server password;
the Kerberos server generates a key file according to the client password and the server password to send the key file to the decryption device;
the application client generates a communication key; the Kerberos server generates an authentication key, encrypts the authentication key through the client password to generate a first ticket, the Kerberos server sends the first ticket to the application client, the application client decrypts the first ticket through the client password to obtain the authentication key and sends the authentication key to the Kerberos server, and the Kerberos server performs first identity authentication on the application client through the authentication key;
the application client decrypts the first ticket through the client password to obtain the authentication key, encrypts the communication key through the authentication key to generate an access request of the application server, and sends the access request to the Kerberos server;
the Kerberos server decrypts the access request through the authentication key to obtain the communication key, so that the application client is authenticated for the second time through the communication key, and after the authentication is successful, the Kerberos server encrypts the communication key through the authentication key and the server password in sequence to generate a second ticket, and the Kerberos server sends the first ticket and the second ticket to the application client;
the application client sends the second ticket to the application server, the application server decrypts the second ticket through the server password to obtain the authentication key, and decrypts the second ticket again through the authentication key to obtain the communication key;
the data packets transmitted between the application client and the application server through the Kerberos server are encrypted through the communication key, wherein the application client encrypts the data packets by using the client password, and the application server encrypts the data packets by using the server password;
the decryption device captures the data packet, decrypts the data packet through the client password and the server password to obtain the communication key, and decrypts the data packet by using the communication key.
In detail, the Kerberos server may encrypt data packets via the Kerberos protocol, providing a series of authentication procedures for the interaction between client and server to ensure that both parties are trusted. The Kerberos server is capable of implementing a variety of encryption algorithms including DES, AES, RSA, etc. The Kerberos server registers a principal account for the application client and for the application server by creating an account name and an account password, and the application client and the application server can use different principal accounts. The principal account name and account password of a registered account can be entered manually or assigned randomly. The application client and the application server can each set up a plurality of accounts, so that each user can use a different account through the application client.
Optionally, the Kerberos server comprises a KDC (key distribution center) for managing and distributing all account names and account passwords. The KDC registers accounts for the application client and the application server respectively and at the same time creates a client password and a server password for the respective accounts. The KDC is connected to the decryption device through the AP switch, so that the account passwords of the application client and the application server are sent to the decryption device in the key file, and the decryption device thus obtains the client password and the server password. Optionally, the KDC is also connected to the application client and the application server through the AP switch, so that the account name and account password of each registered account are sent to the application client and the application server respectively in a key file.
Optionally, the key file includes the encoding mode of the Kerberos server, so that the decryption device first decodes the data packet according to that encoding mode to obtain the information and then decrypts it. Optionally, the Kerberos server uses ASN.1 encoding and the decryption device decodes the data packets with an ASN.1 decoder. In detail, the decryption device obtains the encoding mode of the Kerberos server from the key file, decodes the data packet according to that encoding mode, obtains the client password and the server password from the key file, and then uses the client password and the server password to decrypt the data packet encrypted by the Kerberos server.
Optionally, the plurality of application clients are provided, and when the plurality of application clients are set in the cluster mode, each application client can register different accounts and create account passwords respectively, so that a user connects accounts of the same application server through different accounts.
In detail, the client password is sent to the application client in the first key file, the server password is sent to the application server in the second key file, and the client password and the server password are sent to the decryption device in the third key file. Optionally, the first key file, the second key file and the third key file are the same file: the application client obtains the client password from the first key file through its own account, the application server obtains the server password from the second key file through its own account, and the decryption device obtains the client password and the server password from the third key file through the accounts of the application client and the application server. Optionally, the Kerberos server sends the client password and the server password to the application client, the application server and the decryption device as account keys in the form of hash values produced by different hash algorithms, and the application client, the application server and the decryption device each recover the account password corresponding to its hash value using the respective hash algorithm. Optionally, when the application client or the application server has multiple registered accounts, a different key file is generated for each registered account. The key file is a file with the suffix ".keytab", and is therefore generally called a keytab file.
In detail, the application client generates a communication key and transmits it to the decryption device, so that the decryption device can decrypt the data packets with the communication key; the communication key is randomly generated by the application client. The communication key encrypts the communication content between the application client and the application server, so the application client may generate it at any stage before the Kerberos server uses the communication key to generate the second ticket. Alternatively, the communication key may therefore be derived from the authentication key and/or the client password, or may be randomly generated or entered in advance by the application client.
In detail, the Kerberos server generates an authentication key and encrypts the authentication key through a client password to generate a first ticket, the Kerberos server sends the first ticket to the application client, the application client decrypts the first ticket through the client password to obtain the authentication key and sends the authentication key to the Kerberos server, and therefore the Kerberos server performs first identity authentication on the application client through the authentication key.
After the application client acquires the authentication key, the authentication key is sent to the Kerberos server through the cache information, so that the Kerberos server judges whether the application client acquires the authentication key according to the cache information, and further a result of whether the first identity authentication is successful or not is obtained.
Optionally, the KDC includes an AS server, and the Kerberos server performs the first identity authentication on the application client through the AS server. In detail, the KDC further includes a TGS server; after the first identity authentication succeeds, the AS server sends the first ticket to the application client, the TGS server verifies whether the application client is legal through the authentication key, and if the application client is legal, the TGS server indicates that the second identity authentication succeeded and sends the first ticket to the application client.
In detail, the application client sends an identity authentication request to the AS server, and the AS server looks up the client password according to the account of the application client so as to judge whether the identity of the application client is legal; once the identity is legal, the AS server performs the first identity authentication on the application client. The identity authentication request comprises the client password entered at the application client, and optionally the AS server determines that the identity of the application client is legal after finding the client password entered by the user. The AS server randomly generates an authentication key, the session key Kc,tgs. The TGS server (ticket granting server) encrypts the authentication key with the client password to generate the first ticket, and the application client being able to decrypt the first ticket with the client password indicates that the first identity authentication succeeded. Optionally, the TGS server generates two pieces of TGT ticket information and returns both to the application client together: one piece of TGT ticket information is the first ticket, and the other encrypts the communication key sequentially with the server password and the authentication key to generate the second ticket. Because the second ticket is encrypted with the server password, the application client cannot decrypt it. When the application client decrypts the first ticket with the client password and thereby obtains the authentication key, it returns the cache data to the Kerberos server, meaning that the Kerberos server has successfully performed the first identity authentication. Optionally, the Kerberos server may decrypt the second ticket with the server password and the authentication key to obtain the communication key.
Wherein the authentication key and/or the communication key is sent to the Kerberos server as credentials for the application client to access the application server.
Optionally, the Kerberos server encrypts the account of the application client by modifying the configuration file of the application client, for example by requiring an authentication key, so that an access request sent by the application client directly to the application server is refused. The application client therefore has to obtain the authentication key, the credential for accessing the application server, by authenticating through the AS authentication server of the Kerberos server, and then initiates the request to access the application server to the Kerberos server using the authentication key.
Optionally, the application client sends the authentication key to the TGS server, and the TGS server determines whether the application client is legal according to the authentication key, sending the first ticket to the application client when the authentication key is legal. When the first ticket is correct, the TGS server judges that the application client is legal. Optionally, the TGS server may further determine whether the application client has access rights to the application server by checking whether the application client holds the second ticket, so that the application client is judged legal when it has those access rights.
In detail, the application client encrypts the communication key through the authentication key to generate an access request of the application server, and transmits the access request to the Kerberos server.
In detail, the Kerberos server performs the second identity authentication on the application client through the authentication key after receiving the access request. The second identity authentication comprises the following steps: the Kerberos server decrypts the access request through the authentication key to obtain the communication key, and when the authentication key is correct, the communication key can be obtained, so that the second identity authentication is judged to be successful. After the authentication is successful, the Kerberos server encrypts the communication key through the server password and the authentication key in sequence to generate a second bill, and sends the first bill and the second bill to the application client.
In detail, the application client receives the second ticket but cannot decrypt it, and forwards it to the application server; the application server decrypts the second ticket with the server password to obtain the authentication key, and then decrypts it with the authentication key to obtain the communication key. From then on, the data packets transmitted between the application client and the application server through the Kerberos server can be encrypted and decrypted with the communication key.
The main parameters of the first ticket are, for example: Tc,tgs = {Kc,tgs; tgs principal; …}Kc; the main parameters of the second ticket are: Ttgs,c = {Kc,tgs; client principal; …}Ktgs. The items inside the braces are the contents of the ticket, where Kc,tgs is the session key between the application client and the TGS server. The tgs principal in the first ticket is the identifier of the service entity of the TGS server and tells the application client which TGS entity to interact with next; the trailing Kc is the account password of the application client, indicating that the ticket is encrypted with the client password and can only be decrypted by the application client. The client principal in the second ticket is the identifier of the client service entity and tells the TGS server which application client the TGS-Response should be sent to; the trailing Ktgs is the authentication key of the TGS server, indicating that the ticket is encrypted with that key and can only be decrypted by the TGS server.
In detail, the decryption device captures the data packets transmitted between the application client and the application server through the Kerberos server, decodes each data packet and then decrypts it with the communication key. Optionally, the encrypted data packets are transmitted between the application client and the application server through the Kerberos server, and an AP switch mirrors the data packets to the decryption device. The decryption device obtains the client password and the server password from the key file, decrypts the data packets with the client password and the server password to obtain the communication key, and then decrypts the data packets with the communication key. In detail, the decryption device decrypts the first ticket with the client password to obtain the authentication key, and sequentially decrypts the second ticket with the server password and the authentication key to obtain the communication key.
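As an added example that is not part of the patent, the following Python script runs the two-ticket exchange described above end to end and then replays the decryption device's steps against the captured first ticket, second ticket and data packet. It assumes a constructed HMAC-SHA256-based authenticated stream cipher in place of the real Kerberos encryption types, constructed passwords and a constructed payload; the names seal, unseal, kerberos_exchange and decryption_device are hypothetical.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream from HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for a Kerberos encryption type: encrypt-then-MAC,
    output is nonce || ciphertext || tag (16 + len(plaintext) + 32 bytes)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the key is wrong, which is the
    failure branch of the identity authentications described in the text."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def kerberos_exchange(client_pw: bytes, server_pw: bytes, payload: bytes) -> dict:
    """Run the exchange of the patent end to end and return what the decryption
    device would capture, plus whether the server derived the client's key."""
    # Kerberos server: authentication key, first ticket = {authkey}client_pw
    auth_key = secrets.token_bytes(32)
    first_ticket = seal(client_pw, auth_key)
    # Client: first identity authentication = recovering authkey from the first ticket
    client_auth = unseal(client_pw, first_ticket)
    comm_key = secrets.token_bytes(32)
    access_request = seal(client_auth, comm_key)        # {commkey}authkey
    # Kerberos server: second identity authentication = the access request opens
    kdc_comm = unseal(auth_key, access_request)
    # Second ticket: commkey under authkey, then authkey plus that under server_pw
    second_ticket = seal(server_pw, auth_key + seal(auth_key, kdc_comm))
    # Application server peels the two layers in the order the text gives
    outer = unseal(server_pw, second_ticket)
    server_comm = unseal(outer[:32], outer[32:])
    # Application data now travels under the communication key
    packet = seal(comm_key, payload)
    return {"first_ticket": first_ticket, "second_ticket": second_ticket,
            "packet": packet, "keys_agree": server_comm == comm_key}


def decryption_device(key_file: dict, first_ticket: bytes, second_ticket: bytes,
                      packet: bytes) -> bytes:
    """The monitoring device of the patent: key file -> authkey -> commkey -> plaintext."""
    auth_key = unseal(key_file["client"], first_ticket)
    outer = unseal(key_file["server"], second_ticket)
    if not hmac.compare_digest(outer[:32], auth_key):   # both tickets must share a session
        raise ValueError("tickets do not belong to the same session")
    comm_key = unseal(auth_key, outer[32:])
    return unseal(comm_key, packet)
```

A wrong client password in the key file raises ValueError already at the first ticket, which is the practical check that the key file and the captured session belong together.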
It will be appreciated that the data parsing method for use in a Kerberos encryption environment shown in fig. 1-2 is merely illustrative and that the data parsing method for use in a Kerberos encryption environment may also include more or fewer components or steps than shown in fig. 1-2 or have a different configuration than shown in fig. 1-2. The components shown in fig. 1-2 may be implemented in hardware, software, or a combination thereof.
In summary, the data analysis method provided in the embodiments of the present application, used in a Kerberos encryption environment, works as follows.
The Kerberos server registers accounts for the application client and the application server and creates an account password for each, so that the Kerberos server authenticates the identities of the application client and the application server using the account passwords, improving the security of communication between them.
The Kerberos server generates a key file from the registered accounts and sends it to the decryption device, so that the decryption device can use the registered accounts to identify whether the source of a data packet transmitted between the application client and the application server is trustworthy; the key file also contains the encryption information of the Kerberos server, so that the decryption device can decrypt the data packets using that information.
The application client generates a communication key shared by the application client and the application server, which strengthens the security of their communication.
The Kerberos server encrypts an authentication key with the account password to generate a first ticket and returns the authentication key to the application client in that ticket; the application client decrypts the first ticket with its own account password to obtain the authentication key. Obtaining the authentication key means the first identity authentication has succeeded; otherwise the first identity authentication fails.
The application client encrypts the communication key with the authentication key to generate an access request and sends it to the Kerberos server, so that the authentication key serves as the credential for accessing the application server; the Kerberos server decrypts the access request with the authentication key to obtain the communication key, and the second identity authentication succeeds when the authentication key is correct and the communication key is obtained.
The Kerberos server sequentially encrypts the communication key with the authentication key and the server password to generate a second ticket and sends it to the application server via the application client; the application server decrypts the second ticket with the server password to obtain the authentication key, decrypts it again with the authentication key to obtain the communication key, and thereafter encrypts and decrypts the data packets exchanged with the application client using the communication key.
The application client encrypts the data packets with the communication key, and the Kerberos server encrypts them with its encryption information before forwarding them to the application server, so that transmission through the Kerberos server is in ciphertext.
The decryption device captures the data packets, decrypts them with the client password and the server password from the key file to obtain the communication key, and decrypts the data packets with the communication key. In this way the decryption device obtains the plaintext by using the communication key established in the authentication stage between the application client and the application server, user operation behaviour can be supervised, and an illegitimate application client, or illegitimate information from an application client, is prevented from reaching the application server, protecting the security of the application server.
The encryption process of the method comprises three interactions: the AS authentication server interaction, the TGS ticket-granting server interaction and the AP switch interaction. After the three interactions are completed, a session is established between the application client and the application server, and the communication between the two parties is encrypted with the communication key. The invention not only obtains the communication key between the application client and the application server efficiently during the AP interaction stage, but also allows multiple clients to access the same server.
The foregoing description is only of the preferred embodiments of the present application and is not intended to limit the same, but rather, various modifications and variations can be made by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.

Claims (10)

1. A data analysis method used in a Kerberos encryption environment, characterized in that the environment comprises a Kerberos server, an application client, an application server and a decryption device, and the method comprises the following steps:
the Kerberos server registers an account for the application client and creates a client password, and registers an account for the application server and creates a server password;
the Kerberos server generates a key file from the client password and the server password and sends the key file to the decryption device;
the application client generates a communication key; the Kerberos server generates an authentication key, encrypts the authentication key with the client password to generate a first ticket and sends the first ticket to the application client; the application client decrypts the first ticket with the client password to obtain the authentication key and sends the authentication key to the Kerberos server, so that the Kerberos server performs a first identity authentication of the application client using the authentication key;
the application client encrypts the communication key with the authentication key to generate an access request for the application server and sends the access request to the Kerberos server;
the Kerberos server decrypts the access request with the authentication key to obtain the communication key, thereby performing a second identity authentication of the application client using the communication key, and after successful authentication the Kerberos server encrypts the communication key with the authentication key and the server password in sequence to generate a second ticket, and sends the first ticket and the second ticket to the application client;
the application client sends the second ticket to the application server, and the application server decrypts the second ticket with the server password to obtain the authentication key and decrypts the second ticket again with the authentication key to obtain the communication key;
the data packets transmitted between the application client and the application server through the Kerberos server are encrypted with the communication key, wherein the application client encrypts the data packets using the client password and the application server encrypts the data packets using the server password;
the decryption device captures the data packets, decrypts them with the client password and the server password to obtain the communication key, and decrypts the data packets using the communication key.
2. The data analysis method used in a Kerberos encryption environment as recited in claim 1, wherein the environment further comprises an AP switch, the application client and the application server transmit data packets through the AP switch, and the decryption device captures the data packets through the AP switch.
3. The data analysis method used in a Kerberos encryption environment as recited in claim 1, wherein the Kerberos server comprises a KDC key distribution center that registers accounts for the application client and the application server respectively and creates the client password and the server password.
4. The data analysis method used in a Kerberos encryption environment as recited in claim 3, wherein the KDC key distribution center comprises an AS server, through which the first identity authentication of the application client is performed.
5. The data analysis method used in a Kerberos encryption environment as recited in claim 4, wherein the application client sends an identity authentication request to the AS server, and the AS server looks up the client password according to the account of the application client.
6. The data analysis method used in a Kerberos encryption environment as recited in claim 5, wherein after the AS server has looked up the client password, it encrypts the authentication key with the client password to generate the first ticket and sends the first ticket to the application client; the application client being able to decrypt the first ticket with the client password indicates that the first identity authentication has succeeded.
7. The data analysis method used in a Kerberos encryption environment as recited in claim 6, wherein the KDC key distribution center further comprises a TGS server; when the AS server sends the first ticket to the application client, the TGS server verifies through the authentication key whether the application client is legitimate, and if so, the second identity authentication is confirmed to be successful and the first ticket is sent to the application client.
8. The data analysis method used in a Kerberos encryption environment as recited in any one of claims 1-5, wherein there are a plurality of application servers.
9. The data analysis method used in a Kerberos encryption environment as recited in any one of claims 1-5, wherein the decryption device obtains the encoding mode of the Kerberos server from the key file, decodes the data packets according to that encoding mode, and obtains the client password and the server password from the key file.
10. The method as recited in claim 9, wherein the Kerberos server uses ASN.1 encoding and the decryption device decodes the data packets using a decoding tool.
CN202010712263.0A 2020-07-22 2020-07-22 Data analysis method used in Kerberos encryption environment Active CN112035820B (en)

Publications (2)

Publication Number Publication Date
CN112035820A CN112035820A (en) 2020-12-04
CN112035820B true CN112035820B (en) 2024-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant