Introduction to Kerberos Information can use the ticket-granting ticket obtained through this verification to access multiple services, that is, SSO (Single Sign On). Since a shared key is established between each Client and Service, the protocol is quite secure.
Conditions
Let’s first look at the prerequisites of the Kerberos protocol: Client and KDC, KDC and Service already have their own shared keys before the protocol works, and Since the messages in the protocol cannot penetrate the firewall, these conditions restrict the Kerberos protocol from being used within an organization, making its application scenarios different from X.509 PKI.
(This process avoids the unsafe method of the client sending the password directly to the KDC in order to pass the verification)
kinit - Obtain and cache Kerberos ticket-granting ticket
kinit is used to obtain and cache Kerberos ticket-granting tickets. This tool is similar in functionality to the kinit tool that are commonly found in other Kerberos implementations, such as SEAM and MIT Reference implementations.
The user must be registered as a principal with the Key Distribution Center (KDC) prior to running kinit.
SYNOPSIS
Summary
In summary, the Kerberos protocol mainly does two things
1. Secure delivery of tickets.
2. Secure release of Session Key. Coupled with the use of timestamps, the security of user authentication is guaranteed to a large extent. And using the Session Key, the messages passed between the Client and the Service after passing the authentication can also be guaranteed by Confidentiality (confidentiality) and Integrity (integrity). However, since an asymmetric key is not used, it cannot be non-repudiation, which also limits its application. However, relatively speaking, it is much simpler to implement than the X.509 PKI identity authentication method.Specific process
(Note: This process uses symmetric encryption; this process occurs in a certain Kerberos realm; lowercase letters c, d, e is the message sent by the client, and the capital letters A, B, E, F, G, H are the messages sent back by each server)
First, the user uses the program on the client (the user's own machine). Login:
- The user enters their user ID and password into the client.
- The client program runs a one-way function (mostly hash) to convert the password into a key. This is the "user key" (K_client) of the client (user). The trusted AS also obtains the same key as this key through some secure means.
Subsequently, client authenticates (client gets ticket for ticket (TGT) from AS):
- Client sends 1 message to AS (Note : The user does not send the key (K_client) to the AS, nor the password):
- A clear text message containing the user ID, such as "User Sunny wants to request a service" (Sunny is the user ID)
- Message A: "Client-TGS session key" encrypted by user key (K_client) (K_TGS-session) (The session key is used for future communication (session) between the client and TGS)
- Message B: "Ticket Authorization Ticket" (TGT) encrypted by TGS key (K_TGS) ( TGT includes: client-TGS session key (K_TGS-session), user ID, user URL, TGT validity period)
Then, the service authorizes (the client gets the ticket (T) from the TGS):
- The client sends the following 2 messages to the TGS:
- Message c: Message B (K_TGS encrypted TGT), and the service ID of the service you want to obtain (note: not the user ID)
- Message d: Client-TGS session secret The "authentication character" encrypted by the key (K_TGS-session) (the authentication character includes: user ID, timestamp)
- Message E: "Client-Server Ticket" encrypted by the server key (K_SS) ( T) (T includes: client-SS session key (K_SS-session), user ID, user URL, T validity period)
- Message F: Client-TGS session key (K_TGS-session) encryption After the "client-SS session key" (K_SS_session)
Finally, service request (client gets service from SS):
- Client sends 2 messages to SS:
- Message e: Message E
- Message g: "New authenticator" encrypted by client-server session key (K_SS_session) (new authenticator includes: user ID, timestamp)
- Message H: client-server session The "new timestamp" encrypted by the key (K_SS_session) (the new timestamp is: the timestamp sent by the client plus 1)
Defects
- Fails at a single point: it requires continuous response from the central server. When the Kerberos service ends, no one can connect to the server. This shortcoming can be compensated by using a composite Kerberos server and a defective authentication mechanism.
- Kerberos requires that the clocks of the hosts participating in the communication are synchronized. Tickets have a validity period, so if the host's clock is out of sync with the Kerberos server's clock, authentication will fail. The default setting requires that the clock times differ by no more than 10 minutes. In practice, a Network Time Protocol daemon is often used to keep host clocks synchronized.
- Management protocols are not standardized and there are some differences in server implementation tools. RFC 3244 describes password changes.
- Because the keys used by all users are stored in the central server, compromising the security of the server will compromise the keys of all users.
- A dangerous client will compromise user passwords.
Reference:
http://idior.cnblogs.com/archive/2006/03/20/354027.html
http://bey2nd.blog.163.com/ blog/static/12063183120141275250466/
http://docs.oracle.com/javase/1.5.0/docs/tooldocs/windows/kinit.html

Effective methods to prevent session fixed attacks include: 1. Regenerate the session ID after the user logs in; 2. Use a secure session ID generation algorithm; 3. Implement the session timeout mechanism; 4. Encrypt session data using HTTPS. These measures can ensure that the application is indestructible when facing session fixed attacks.

Implementing session-free authentication can be achieved by using JSONWebTokens (JWT), a token-based authentication system where all necessary information is stored in the token without server-side session storage. 1) Use JWT to generate and verify tokens, 2) Ensure that HTTPS is used to prevent tokens from being intercepted, 3) Securely store tokens on the client side, 4) Verify tokens on the server side to prevent tampering, 5) Implement token revocation mechanisms, such as using short-term access tokens and long-term refresh tokens.

The security risks of PHP sessions mainly include session hijacking, session fixation, session prediction and session poisoning. 1. Session hijacking can be prevented by using HTTPS and protecting cookies. 2. Session fixation can be avoided by regenerating the session ID before the user logs in. 3. Session prediction needs to ensure the randomness and unpredictability of session IDs. 4. Session poisoning can be prevented by verifying and filtering session data.

To destroy a PHP session, you need to start the session first, then clear the data and destroy the session file. 1. Use session_start() to start the session. 2. Use session_unset() to clear the session data. 3. Finally, use session_destroy() to destroy the session file to ensure data security and resource release.

How to change the default session saving path of PHP? It can be achieved through the following steps: use session_save_path('/var/www/sessions');session_start(); in PHP scripts to set the session saving path. Set session.save_path="/var/www/sessions" in the php.ini file to change the session saving path globally. Use Memcached or Redis to store session data, such as ini_set('session.save_handler','memcached'); ini_set(

TomodifydatainaPHPsession,startthesessionwithsession_start(),thenuse$_SESSIONtoset,modify,orremovevariables.1)Startthesession.2)Setormodifysessionvariablesusing$_SESSION.3)Removevariableswithunset().4)Clearallvariableswithsession_unset().5)Destroythe

Arrays can be stored in PHP sessions. 1. Start the session and use session_start(). 2. Create an array and store it in $_SESSION. 3. Retrieve the array through $_SESSION. 4. Optimize session data to improve performance.

PHP session garbage collection is triggered through a probability mechanism to clean up expired session data. 1) Set the trigger probability and session life cycle in the configuration file; 2) You can use cron tasks to optimize high-load applications; 3) You need to balance the garbage collection frequency and performance to avoid data loss.


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool

ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment

DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software

Atom editor mac version download
The most popular open source editor

Notepad++7.3.1
Easy-to-use and free code editor
