基于Kerberos的互联网安全传输软件的设计与实现

发布时间：2018-06-14 18:45

本文选题：网络安全 + 密码学　；参考：《吉林大学》2014年硕士论文

【摘要】：网络通信技术与Internet的联系日益增强，也带来了一系列的信息安全问题。如何保证合法用户对资源的合法访问和安全地传输数据，成为网络安全的主要内容。本文首先介绍了密码学的一些基本理论，尤其是对称密码和公钥密码作了详细地介绍，分析了对称加密和公钥加密算法的适用场合和密钥的分配方式，对对称加密和公钥加密各自的优缺点进行了对比。此外，还介绍了消息认证、散列函数、数字签名和认证协议等密码学中的相关技术。然后详细研究了Kerberos协议的认证思想，对其工作原理、系统组织结构以及认证的基本过程做了详细地介绍，指出了Kerberos协议在认证过程中存在的不足。并以Kerberos V4为例，分析了其域内认证过程，指出它应用环境的局限性、口令攻击的脆弱性、密钥管理的困难性等缺陷。针对Kerberos协议的特点和不足，以密码学作为基础理论，本文对kerberos协议的认证过程进行了改进，提出了基于公钥密码体制的kerberos认证过程，并对改进后的kerberos协议的系统结构、工作原理和认证过程做了详细的描述。重点阐述了服务认证、服务授权和应用服务的消息交换过程以及消息内容的基本组成元素，并分析了改进后协议的安全性能及与原协议的异同点。最后本文针对上述理论研究成果，设计并实现了基于kerberos的互联网安全传输软件，该软件系统的基本功能是为客户端与应用服务器提供聊天功能。为了保证通信双方的聊天内容不被第三方非法盗取，本系统的身份认证采用本文第四章的研究内容作为理论依据，并且增加了选择会话期加密算法的功能。会话密钥采用RSA算法加密，明文用可选择的非对称加密算法加密，用SHA算法产生消息摘要来实现消息认证。这样系统即解决了密钥分配和管理的难题，也保证了通信双方所交换数据的完整性。该系统能够为用户提供身份认证服务，生成用户请求服务器各种服务的票据，根据用户选择的加密算法生成会话密钥并安全地分发会话密钥，通过实际使用证明了改进的kerberos认证协议能够对原协议进行很好的完善。但本系统还存在不足，例如身份认证仍然是利用时间戳来防止“重放攻击”，但是要保证系统内的时钟同步是非常难的。尽管改进的协议还不完美，，但也能基本满足信息安全中对传送消息的可靠性、完整性、真实性和保密性的要求，能够有效的防止攻击者对信息的非法窃听、获取、修改和重放攻击。
[Abstract]:The connection between network communication technology and Internet is increasing, and it also brings a series of information security problems. How to ensure legitimate users to access the resources legally and transmit data safely is the main content of network security.
In this paper, some basic theories of cryptography are introduced, especially symmetric and public key cryptography are introduced in detail. The application of symmetric encryption and public key encryption algorithm and the distribution mode of key are analyzed. The advantages and disadvantages of symmetric encryption and public key encryption are compared. In addition, the message authentication and hash function are also introduced. Cryptography related technologies such as number, digital signature and authentication protocol.
Then the authentication idea of Kerberos protocol is studied in detail, the principle of its work, the organization structure of the system and the basic process of authentication are introduced in detail, and the shortcomings of the Kerberos protocol in the authentication process are pointed out. The authentication process in the domain is analyzed with Kerberos V4 as an example, and the limitation of its application environment and the password attack are pointed out. Vulnerability, the difficulty of key management and so on. Aiming at the characteristics and shortcomings of the Kerberos protocol, using cryptography as the basic theory, this paper improves the authentication process of the Kerberos protocol, puts forward the Kerberos authentication process based on public key cryptosystem, and the system structure, working principle and authentication of the improved Kerberos protocol. The process is described in detail. It focuses on the information exchange process of service authentication, service authorization and application service and the basic components of the message content, and analyzes the security performance of the improved protocol and the similarities and differences with the original protocol.
Finally, aiming at the above theoretical research results, this paper designs and implements a Kerberos based Internet security transmission software. The basic function of the software system is to provide the chat function for the client and the application server. In order to ensure that the chat contents of the two parties are not stolen by third parties illegally, the identity authentication of this system uses this article fourth. The research content of the chapter is the theoretical basis, and the function of selecting the session period encryption algorithm is added. The session key is encrypted by the RSA algorithm, the plaintext is encrypted with an optional asymmetric encryption algorithm, and the message digest is generated by the SHA algorithm. So the system solves the problem of key distribution and management, and also guarantees the communication. The integrity of the data exchanged between the two parties.
The system can provide authentication services for users, generate a user's request for various services on the server, generate session key according to the encryption algorithm selected by the user and distribute the session key safely. It is proved that the improved Kerberos authentication protocol can improve the original protocol well. However, the system still exists. For example, identity authentication still uses time stamps to prevent replay attacks, but it is very difficult to ensure that the clock synchronization in the system is very difficult. Although the improved protocol is not perfect, it can also basically meet the reliability, integrity, authenticity and confidentiality of message security in information security, and can effectively prevent attacks. Illegal eavesdropping, acquisition, modification and replay of information.
【学位授予单位】：吉林大学
【学位级别】：硕士
【学位授予年份】：2014
【分类号】：TP393.08;TN918.1

【参考文献】