This paper studies traditional Kerberos-based single sign-on, analyzes its existing problems, and proposes a solution. The scheme replaces the permanent (long-term) key shared between the key distribution center and the resource servers with a session key to improve system security, uses dual verification based on timestamps and MAC addresses to address replay attacks, and uses a Flag tag to achieve two-way authentication between the client and the resource server. On this basis, an improved single sign-on system is designed and a software prototype is developed. Experiments verify the effectiveness of the proposed scheme, which provides a feasible solution for single sign-on.