CN112929374A - Cloud computing-based multi-factor bidirectional dynamic authentication encryption system - Google Patents

Cloud computing-based multi-factor bidirectional dynamic authentication encryption system

Info

Publication number
CN112929374A
Authority
CN
China
Prior art keywords
client
tgs
server
module
service module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110175984.7A
Other languages
Chinese (zh)
Inventor
孙洪亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Apa Cloud Computing Co ltd
Original Assignee
Shenzhen Apa Cloud Computing Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/068 Network architectures or network communication protocols for network security for supporting key management in a packet data network using time-dependent keys, e.g. periodically changing keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud computing-based multi-factor bidirectional dynamic authentication encryption system comprising an encryption system main body. The encryption system comprises a client module, a server module, an AS authentication service module, a KDC ticket management service module and a relational database storage module. The relational database storage module is connected to both the AS authentication service module and the KDC ticket management service module; the AS authentication service module, the KDC ticket management service module, the client module and the server module are all connected with each other. The invention uses temporary tickets to encrypt and decrypt data, so the real key is never transmitted on the network; even if a ticket is stolen in transit, the asymmetric encryption algorithm and the ticket's limited validity period mean that it cannot be decrypted in a short time, and by the time data encrypted under the current ticket could be decrypted, the ticket is already invalid. The invention simplifies the use of the authentication encryption system and improves its security.

Description

Cloud computing-based multi-factor bidirectional dynamic authentication encryption system
Technical Field
The invention relates to the field of cloud computing data communication security, in particular to a cloud computing-based multi-factor bidirectional dynamic authentication encryption system.
Background
With the continuous development of information technology, cloud computing has become a new computing mode following distributed computing, parallel computing and grid computing. It can provide users with services such as resource renting, service outsourcing and application hosting, and has quickly become a hotspot of information technology development thanks to its simplicity, convenience, economy and easy expandability. While it brings convenience to users, it also brings great challenges to the protection and maintenance of users' information security assets.
In the cloud computing virtual environment, a plurality of virtual machines exist in a physical server, each virtual machine bears different service systems, and different service scenes are dynamic complex service scenes, so that the requirement on safe transmission of data services during centralized operation and maintenance is very high.
Disclosure of Invention
The technical problem solved by the invention is to provide a cloud computing-based multi-factor bidirectional dynamic authentication encryption system. After the client and the server are installed, their fingerprint information is collected and reported to the cloud system, which ensures that each client (PC end, Android mobile phone end, iOS mobile phone end) and each server (Windows server end, Linux server end) is unique in the global system; once started, a program logs in and registers with the cloud server message system. A long-lived connection is maintained as a WebSocket, and the client and the server are verified through the AS authentication service module. The KDC then issues its own temporary ticket to the client and to the server respectively. Tickets have a validity period: when a ticket is about to expire, the cloud server notifies the client and the server to update to a new ticket. When the client manages and operates the server, the issued ticket is used for asymmetric encryption of the data, and after the server receives the data it decrypts it with its own issued temporary ticket. This allows timely arrangement and adjustment according to business dynamics, so that cloud computing adapts and adjusts its dynamic configuration in a dynamic, complex business environment to meet business reliability and stability requirements. It solves the problem of encrypting data communication between virtual machines in a centrally managed cloud computing environment, improves the security of the management and communication systems, and removes the insecurity of a simple encryption method, mainly through multi-factor bidirectional authentication, dynamic key ticket updating and a limited validity period for each ticket; the difficulty of cracking is further increased by the use of an asymmetric encryption algorithm.
The cloud computing-based multi-factor bidirectional dynamic authentication encryption system is realized by the following technical scheme: it comprises an encryption system main body; the encryption system comprises a client module, a server module, an AS authentication service module, a KDC ticket management service module and a relational database storage module;
the relational database storage module is connected to both the AS authentication service module and the KDC ticket management service module; the AS authentication service module, the KDC ticket management service module, the client module and the server module are connected with each other;
the client module is used for authenticating its login to the AS authentication service module, ensuring by reporting the user's fingerprint information that the user is unique in the system, having tickets issued by the KDC ticket management service module, and subsequently encrypting and decrypting its data communication with the server side using the tickets issued by the KDC ticket management service module;
the server side module is used for authenticating its login to the AS authentication service module, reporting the server's fingerprint information to ensure that the user is unique in the system, having tickets issued by the KDC ticket management service module, and subsequently encrypting and decrypting its data communication with the client side using the tickets issued by the KDC ticket management service module;
the AS authentication service module is used for authenticating the login of the client and the server and confirming their identity;
the KDC ticket management service module is used for issuing tickets to the client and the server, managing the life cycle of the tickets and notifying the client and the server to update their tickets;
and the relational database storage module is used for storing the ticket data and the identity information of the client and the server.
As a preferred technical scheme, the client module comprises a PC end, an Android end and an iOS end; the server side module comprises a Windows end and a Linux end.
As a preferred technical scheme, the encryption system main body deploys its application as distributed microservice modules.
As a preferred technical scheme, the correctness of the authentication tickets set in the KDC ticket management service module is based on network clock synchronization.
As a preferred technical scheme, the Kerberos timestamp in the distributed microservices module is replaced by a synchronization variable N; Kerberos employs public key technology; a fixed Master Key is used to simplify the service Key.
The cloud computing-based multi-factor bidirectional dynamic authentication encryption method is realized by the following technical scheme:
step one: the client authenticates its login to the AS by sending the user mailbox + TGS name + the timestamp encrypted with the MD5 hash of the user password (KRB_AS_REQ);
step two: after receiving the request, the AS looks up the client's Master Key by the mailbox provided by the user and the TGS Master Key by the TGS name;
step three: the AS generates a random encryption key Kc,tgs (the dynamic key for authenticating client-TGS communication);
step four: Kc,tgs is encrypted once with the Client Master Key and once with the TGS Master Key;
step five: the first copy, Tc,tgs, is tgs_principal + timestamp + Kc,tgs encrypted with the Client Master Key;
step six: the second copy, Ttgs,c, is client_principal + timestamp + Kc,tgs encrypted with the TGS Master Key; both are returned as KRB_AS_REP;
step seven: after receiving the reply, the client decrypts Tc,tgs with its own Master Key and obtains Kc,tgs + tgs_principal + timestamp;
step eight: the client verifies that the reply was sent by the TGS server;
step nine: after verification, the random key Kc,tgs is obtained;
step ten: the decrypted ticket is stored (within its validity period it is used to apply to the TGS for access to services);
step eleven: the client generates an authentication factor, the Authenticator (timestamp + client_principal + c_check_sum signature);
step twelve: the Authenticator is encrypted with the random key Kc,tgs;
step thirteen: the encrypted Authenticator + Ttgs,c + server_principal + timestamp are sent to the TGS (KRB_TGS_REQ);
step fourteen: after receiving the request, the TGS decrypts Ttgs,c with its own Master Key to obtain Kc,tgs, then decrypts the Authenticator with Kc,tgs;
step fifteen: the information sent by the client is authenticated, guaranteeing that the request was sent by the client;
step sixteen: the TGS then generates a session key Kc,s for the client and the server;
step seventeen: two copies of the session key are made;
step eighteen: the first copy, Tc,s, encrypts the session key Kc,s, server_principal and the timestamp with Kc,tgs; the second copy, Ts,c, encrypts the session key Kc,s, client_principal and the timestamp with the server Master Key;
step nineteen: the TGS returns both tickets to the client (KRB_TGS_REP);
step twenty: after receiving the two tickets, the client decrypts Tc,s with Kc,tgs to obtain Kc,s;
step twenty-one: the client then generates an authentication factor, the Authenticator (timestamp + Ts,c_checkSum);
step twenty-two: the Authenticator is encrypted with the obtained Kc,s;
step twenty-three: finally, the Authenticator and the second ticket Ts,c are sent to the server (KRB_AP_REQ);
step twenty-four: after receiving the request, the server decrypts Ts,c with its own Master Key to obtain Kc,s;
step twenty-five: the server then decrypts the Authenticator with Kc,s to obtain its content;
step twenty-six: the data content is read once the client has been authenticated;
step twenty-seven: after authentication, the data obtained is returned to the client encrypted with Kc,s together with a timestamp (KRB_AP_REP);
step twenty-eight: after receiving this message, the client can communicate normally with the server.
The invention has the following beneficial effects: after the client and the server are installed, their fingerprint information is collected and reported to the cloud system, which ensures that each client (PC end, Android mobile phone end, iOS mobile phone end) and each server (Windows server end, Linux server end) is unique in the global system; once started, a program logs in and registers with the cloud server message system. A long-lived connection is maintained as a WebSocket, and the client and the server are verified through the AS authentication service module. The KDC then issues its own temporary ticket to the client and to the server respectively. Tickets have a validity period: when a ticket is about to expire, the cloud server notifies the client and the server to update to a new ticket. When the client manages and operates the server, the issued ticket is used for asymmetric encryption of the data, and after the server receives the data it decrypts it with its own issued temporary ticket. This allows timely arrangement and adjustment according to business dynamics, so that cloud computing adapts and adjusts its dynamic configuration in a dynamic, complex business environment to meet business reliability and stability requirements. It solves the problem of encrypting data communication between virtual machines in a centrally managed cloud computing environment, improves the security of the management and communication systems, and removes the insecurity of a simple encryption method, mainly through multi-factor bidirectional authentication, dynamic key ticket updating and a limited validity period for each ticket; the difficulty of cracking is further increased by the use of an asymmetric encryption algorithm. The method of use is simplified and security is improved, data security is added to cloud computing management, user reliability is improved, and the development of cloud computing is better promoted.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a cloud computing-based multi-factor bidirectional dynamic authentication encryption system according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating steps of a general encryption system according to an embodiment of the present invention;
FIG. 3 is a flow chart of a general encryption system according to an embodiment of the present invention;
FIG. 4 is a flowchart of the authentication service among the disassembled steps provided by the present invention;
FIG. 5 is a timing diagram of the ticket distribution service, the second disassembled step, according to an embodiment of the present invention;
FIG. 6 is a timing diagram of the key exchange, the third disassembled step, according to an embodiment of the present invention.
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
In the description of the present invention, it is to be understood that the terms "one end", "the other end", "outside", "upper", "inside", "horizontal", "coaxial", "central", "end", "length", "outer end", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the device or element being referred to must have a particular orientation, be constructed in a particular orientation, and be operated, and thus, should not be construed as limiting the present invention.
Further, in the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
The use of terms such as "upper," "above," "lower," "below," and the like in describing relative spatial positions herein is for the purpose of facilitating description to describe one element or feature's relationship to another element or feature as illustrated in the figures. The spatially relative positional terms may be intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if the device in the figures is turned over, elements described as "below" or "beneath" other elements or features would then be oriented "above" the other elements or features. Thus, the exemplary term "below" can encompass both an orientation of above and below. The device may be otherwise oriented (rotated 90 degrees or at other orientations) and the spatially relative descriptors used herein interpreted accordingly.
In the present invention, unless otherwise explicitly specified or limited, the terms "disposed," "sleeved," "connected," "penetrating," "plugged," and the like are to be construed broadly, e.g., as a fixed connection, a detachable connection, or an integral part; can be mechanically or electrically connected; they may be directly connected or indirectly connected through intervening media, or they may be connected internally or in any other suitable relationship, unless expressly stated otherwise. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
As shown in fig. 1, the cloud computing-based multi-factor bidirectional dynamic authentication encryption system of the present invention includes an encryption system main body; the encryption system comprises a client module 1, a server module 2, an AS authentication service module 3, a KDC ticket management service module 4 and a relational database storage module 5;
the relational database storage module 5 is connected to both the AS authentication service module 3 and the KDC ticket management service module 4; the AS authentication service module 3, the KDC ticket management service module 4, the client module 1 and the server module 2 are connected with each other;
the client module 1 is used for authenticating its login to the AS authentication service module 3, ensuring by reporting the user's fingerprint information that the user is unique in the system, having tickets issued by the KDC ticket management service module 4, and subsequently encrypting and decrypting its data communication with the server using the tickets issued by the KDC ticket management service module 4;
the server module 2 is used for authenticating its login to the AS authentication service module 3, reporting the server's fingerprint information to ensure that the user is unique in the system, having tickets issued by the KDC ticket management service module 4, and subsequently encrypting and decrypting its data communication with the client using the tickets issued by the KDC ticket management service module 4;
the AS authentication service module 3 is used for authenticating the login of the client and the server and confirming their identity;
the KDC ticket management service module 4 is used for issuing tickets to the client and the server, managing the life cycle of the tickets and notifying the client and the server to update their tickets;
and the relational database storage module 5 is used for storing the ticket data and the identity information of the client and the server.
In this embodiment, the client module 1 includes a PC end, an Android end and an iOS end; the server module 2 comprises a Windows end and a Linux end.
In this embodiment, the encryption system main body deploys its application as distributed microservice modules.
In this embodiment, the Kerberos timestamp in the distributed microservices module is replaced by a synchronization variable N; Kerberos employs public key technology; a fixed Master Key is used to simplify the service Key.
In this embodiment, the correctness of the authentication tickets set in the KDC ticket management service module 4 is based on network clock synchronization.
As shown in fig. 2 to 6, the cloud computing-based multi-factor bidirectional dynamic authentication encryption method of the present invention includes the following steps:
step one: the client authenticates its login to the AS by sending the user mailbox + TGS name + the timestamp encrypted with the MD5 hash of the user password (KRB_AS_REQ);
step two: after receiving the request, the AS looks up the client's Master Key by the mailbox provided by the user and the TGS Master Key by the TGS name;
step three: the AS generates a random encryption key Kc,tgs (the dynamic key for authenticating client-TGS communication);
step four: Kc,tgs is encrypted once with the Client Master Key and once with the TGS Master Key;
step five: the first copy, Tc,tgs, is tgs_principal + timestamp + Kc,tgs encrypted with the Client Master Key;
step six: the second copy, Ttgs,c, is client_principal + timestamp + Kc,tgs encrypted with the TGS Master Key; both are returned as KRB_AS_REP;
step seven: after receiving the reply, the client decrypts Tc,tgs with its own Master Key and obtains Kc,tgs + tgs_principal + timestamp;
step eight: the client verifies that the reply was sent by the TGS server;
step nine: after verification, the random key Kc,tgs is obtained;
step ten: the decrypted ticket is stored (within its validity period it is used to apply to the TGS for access to services);
step eleven: the client generates an authentication factor, the Authenticator (timestamp + client_principal + c_check_sum signature);
step twelve: the Authenticator is encrypted with the random key Kc,tgs;
step thirteen: the encrypted Authenticator + Ttgs,c + server_principal + timestamp are sent to the TGS (KRB_TGS_REQ);
step fourteen: after receiving the request, the TGS decrypts Ttgs,c with its own Master Key to obtain Kc,tgs, then decrypts the Authenticator with Kc,tgs;
step fifteen: the information sent by the client is authenticated, guaranteeing that the request was sent by the client;
step sixteen: the TGS then generates a session key Kc,s for the client and the server;
step seventeen: two copies of the session key are made;
step eighteen: the first copy, Tc,s, encrypts the session key Kc,s, server_principal and the timestamp with Kc,tgs; the second copy, Ts,c, encrypts the session key Kc,s, client_principal and the timestamp with the server Master Key;
step nineteen: the TGS returns both tickets to the client (KRB_TGS_REP);
step twenty: after receiving the two tickets, the client decrypts Tc,s with Kc,tgs to obtain Kc,s;
step twenty-one: the client then generates an authentication factor, the Authenticator (timestamp + Ts,c_checkSum);
step twenty-two: the Authenticator is encrypted with the obtained Kc,s;
step twenty-three: finally, the Authenticator and the second ticket Ts,c are sent to the server (KRB_AP_REQ);
step twenty-four: after receiving the request, the server decrypts Ts,c with its own Master Key to obtain Kc,s;
step twenty-five: the server then decrypts the Authenticator with Kc,s to obtain its content;
step twenty-six: the data content is read once the client has been authenticated;
step twenty-seven: after authentication, the data obtained is returned to the client encrypted with Kc,s together with a timestamp (KRB_AP_REP);
step twenty-eight: after receiving this message, the client can communicate normally with the server.
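The three exchanges just listed (KRB_AS_REQ/REP, KRB_TGS_REQ/REP, KRB_AP_REQ/REP), as an added worked example in Python; this is not code from the patent or from Shenzhen Apa Cloud Computing, and it makes several assumptions the page does not state. The cipher is a stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag in place of a real AEAD such as AES-GCM, the tag standing in for c_check_sum), the client Master Key is derived with SHA-256 instead of the page's md5(password), the ticket lifetime (300 s) and clock-skew tolerance (60 s) are assumed values, and the principals alice@example.com, tgs and linux-server-01 are constructed. The ticket names tc_tgs, ttgs_c, tc_s and ts_c follow the page. It goes beyond the steps in two places that the page's "ticket timeliness" and anti-replay variable N imply but do not spell out for this flow: the server enforces the ticket's expiry and keeps a replay cache of authenticators it has already accepted.

```python
import contextlib, hashlib, hmac, json, secrets, time

LIFETIME = 300  # assumed ticket lifetime in seconds; the page gives no value
MAX_SKEW = 60   # assumed clock-skew tolerance; the page requires network clock synchronisation

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:  # HMAC-SHA256 counter-mode keystream
    return b"".join(hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Encrypt-then-MAC a JSON message as nonce || ciphertext || tag; a stand-in for AES-GCM.
    pt, nonce = json.dumps(msg, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def issue_pair(key_a: bytes, extra_a: dict, key_b: bytes, extra_b: dict, now: float):
    # One fresh random key sealed twice, once per party (steps four to six and sixteen to eighteen).
    body = {"key": secrets.token_bytes(32).hex(), "timestamp": now, "expires": now + LIFETIME}
    return seal(key_a, {**body, **extra_a}), seal(key_b, {**body, **extra_b})

def verify_presentation(ticket_key, ticket_blob, auth_blob, now):  # open ticket, enforce lifetime, check authenticator
    ticket = unseal(ticket_key, ticket_blob)
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(ticket["key"])
    auth = unseal(session_key, auth_blob)
    if abs(now - auth["timestamp"]) > MAX_SKEW or auth["client_principal"] != ticket["client_principal"]:
        raise ValueError("stale authenticator or principal mismatch")
    return ticket, session_key, auth

class KDC:  # AS and TGS sharing one principal store (the page's relational database module)
    def __init__(self):
        self.db = {}  # principal -> Master Key
    def as_exchange(self, req: dict, now: float) -> dict:  # KRB_AS_REQ -> KRB_AS_REP (steps two to six)
        ckey, tkey = self.db[req["client"]], self.db[req["tgs"]]
        if abs(now - unseal(ckey, req["enc_ts"])["timestamp"]) > MAX_SKEW:  # decrypting proves the password
            raise ValueError("stale pre-authentication timestamp")
        tc_tgs, ttgs_c = issue_pair(ckey, {"tgs_principal": req["tgs"]}, tkey, {"client_principal": req["client"]}, now)
        return {"tc_tgs": tc_tgs, "ttgs_c": ttgs_c}
    def tgs_exchange(self, req: dict, now: float) -> dict:  # KRB_TGS_REQ -> KRB_TGS_REP (steps fourteen to nineteen)
        ttgs_c, kc_tgs, auth = verify_presentation(self.db[req["tgs"]], req["ttgs_c"], req["authenticator"], now)
        tc_s, ts_c = issue_pair(kc_tgs, {"server_principal": req["server"]}, self.db[req["server"]],
                                {"client_principal": auth["client_principal"]}, now)
        return {"tc_s": tc_s, "ts_c": ts_c}

class AppServer:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()  # seen: replay cache of (principal, authenticator timestamp)
    def ap_exchange(self, req: dict, now: float) -> bytes:  # KRB_AP_REQ -> KRB_AP_REP (steps twenty-four to twenty-seven)
        ts_c, kc_s, auth = verify_presentation(self.key, req["ts_c"], req["authenticator"], now)
        marker = (auth["client_principal"], auth["timestamp"])
        if marker in self.seen:  # the same authenticator presented again inside the skew window
            raise ValueError("replayed authenticator")
        self.seen.add(marker)
        return seal(kc_s, {"timestamp": auth["timestamp"]})  # echo under Kc,s: only the real server can

class Client:
    def __init__(self, mailbox: str, password: str):
        # The page derives the client Master Key as md5(password); SHA-256 here is a demo stand-in only.
        self.mailbox, self.key = mailbox, hashlib.sha256(b"demo-master-key:" + password.encode()).digest()
    def login(self, kdc: KDC, tgs: str, now: float) -> None:  # steps one and seven to ten
        req = {"client": self.mailbox, "tgs": tgs, "enc_ts": seal(self.key, {"timestamp": now})}
        rep = kdc.as_exchange(req, now)
        tc_tgs = unseal(self.key, rep["tc_tgs"])
        if tc_tgs["tgs_principal"] != tgs:  # step eight: the reply names the TGS we asked for
            raise ValueError("reply is not for the requested TGS")
        self.tgs, self.kc_tgs, self.ttgs_c = tgs, bytes.fromhex(tc_tgs["key"]), rep["ttgs_c"]
    def service_ticket(self, kdc: KDC, server: str, now: float):  # steps eleven to thirteen and twenty
        auth = seal(self.kc_tgs, {"client_principal": self.mailbox, "timestamp": now})
        rep = kdc.tgs_exchange({"tgs": self.tgs, "server": server, "ttgs_c": self.ttgs_c, "authenticator": auth}, now)
        return bytes.fromhex(unseal(self.kc_tgs, rep["tc_s"])["key"]), rep["ts_c"]
    def ap_request(self, kc_s: bytes, ts_c: bytes, now: float) -> dict:  # steps twenty-one to twenty-three
        return {"ts_c": ts_c, "authenticator": seal(kc_s, {"client_principal": self.mailbox, "timestamp": now})}

def _rejected(action) -> bool:  # True when the protocol refuses the action
    with contextlib.suppress(ValueError):
        action()
        return False
    return True

def run_demo() -> dict:  # constructed principals: the happy path, then the refus als a defender relies on
    kdc, now, server_key = KDC(), time.time(), secrets.token_bytes(32)
    server, client = AppServer(server_key), Client("alice@example.com", "correct horse")
    kdc.db.update({"alice@example.com": client.key, "tgs": secrets.token_bytes(32), "linux-server-01": server_key})
    client.login(kdc, "tgs", now)
    kc_s, ts_c = client.service_ticket(kdc, "linux-server-01", now)
    req, late = client.ap_request(kc_s, ts_c, now), now + LIFETIME + 1
    return {  # step twenty-eight: the server echoed our timestamp under Kc,s, so it is authenticated too
        "mutual_auth": unseal(kc_s, server.ap_exchange(req, now))["timestamp"] == now,
        "replay_rejected": _rejected(lambda: server.ap_exchange(req, now + 1)),
        "expired_rejected": _rejected(lambda: server.ap_exchange(client.ap_request(kc_s, ts_c, late), late)),
        "wrong_password_rejected": _rejected(lambda: Client("alice@example.com", "guess").login(kdc, "tgs", now)),
    }
```

`run_demo()` returns four booleans, all true: the client authenticated the server through the echoed timestamp, and the server refused a replayed authenticator, an expired ticket and a client holding the wrong password. The replay cache only needs to retain entries for MAX_SKEW seconds, because an older authenticator is already rejected as stale; in a real deployment `seal`/`unseal` would be replaced by an authenticated cipher and the Master Key derivation by a proper password KDF.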
In this embodiment, the step flow is optimized on the following points:
1. tickets are issued to achieve centralized authority management;
2. a public key mechanism is adopted, the user identity is contained in the certificate, and loss of the Master Key is prevented;
3. signatures are used to ensure the authenticity and integrity of the message source and non-repudiation;
4. data is encrypted with the receiver's public key, so that only the receiver can decrypt it, ensuring both the integrity and the confidentiality of the data;
5. a synchronization variable N is used to prevent replay attacks;
6. a ticket lifetime parameter is adopted, so the Agent does not have to be requested at every login and the ticket can be reused within its lifetime.
In this embodiment, the protocol flow is optimized as follows:
1. ticket request (Ticket_req), C -> Agent: C, S, N, CERTc;
2. ticket issuing (Ticket_rep), Agent -> C: Ts, ((Kcs, N) SIGNA) ENCpubc, where Ts = ((C, S, Kcs, N, lifetime) SIGNA) ENCpubs;
3. service request (S_req), C -> S: Ts, (N, ra, seq, option) Kcs;
4. server identity authentication (S_rep), S -> C: (ra) Kcs (optional; whether two-way verification is performed is decided by option).
In this embodiment, the message transmission communication protocol WebSocket Connect Header is defined as shown in the following table:
[Table: WebSocket Connect Header definition; rendered only as an image in the original and not recoverable here.]
The invention is explained in further detail:
step one: the Client sends the timestamp encrypted with its Master Key md5(passwd), together with client_principal and tgs_principal, to the AS authentication server (KRB_AS_REQ);
step two: the AS authentication server receives KRB_AS_REQ, finds the Client Master Key in the DB, and decrypts the data to obtain the timestamp, which proves that the password provided by the Client is correct;
step three: the AS generates a session key (Kc,tgs), then fetches the Client Master Key and the TGS Master Key from the DB to encrypt Kc,tgs;
step four: the first copy encrypts Kc,tgs, tgs_principal and the timestamp with the Client Master Key, md5(passwd);
step five: the second copy encrypts Kc,tgs, client_principal and the timestamp with the TGS Master Key (kdc);
step six: the AS responds to the client (KRB_AS_REP);
step seven: the client decrypts Tc,tgs with its own Master Key to obtain Kc,tgs;
step eight: the client encrypts time_stamp and checksum with Kc,tgs to obtain an Authenticator;
step nine: the client sends a request (KRB_TGS_REQ) containing the Authenticator, the Ttgs,c obtained from the AS and the name of the server to be accessed (the Authenticator and Ttgs,c prove its identity);
step ten: after receiving the request, the TGS decrypts Ttgs,c with its own Master Key to obtain Kc,tgs;
step eleven: the TGS decrypts the Authenticator with Kc,tgs and thereby authenticates the client;
step twelve: the TGS generates a session key Kc,s and makes two copies of it;
step thirteen: the first copy, for the client, is encrypted with Kc,tgs;
step fourteen: the second copy is encrypted with the Server Master Key;
step fifteen: the TGS responds to the client (KRB_TGS_REP);
step sixteen: after receiving the tickets, the client decrypts Tc,s with Kc,tgs to obtain Kc,s;
step seventeen: the client generates an Authenticator;
step eighteen: the Authenticator is then encrypted with Kc,s;
step nineteen: the client sends the generated Authenticator and the Ts,c obtained from the TGS to the Server (KRB_AP_REQ);
step twenty: after receiving the request, the server decrypts Ts,c to obtain Kc,s, then decrypts the Authenticator with Kc,s to authenticate the client;
step twenty-one: the server may also return the current timestamp, encrypted with Kc,s, to the client;
step twenty-two: the client verifies the data sent by the server (two-way verification);
step twenty-three: finally the server responds to the client (KRB_AP_REP).
The invention uses temporary tickets to encrypt and decrypt data; the real key is never transmitted on the network. Even if a ticket is stolen in transit, the use of an asymmetric encryption algorithm together with the ticket's limited validity period means that it cannot be cracked in a short time, and by the time data encrypted under the current ticket is cracked, the ticket is already invalid and cannot be used any longer. The method mainly addresses data leakage caused by flaws in symmetric encryption keys and data loss caused by private key leakage under an asymmetric encryption method.
The above description is only one embodiment of the present invention; the scope of the present invention is not limited thereto, and any change or substitution that could be arrived at without inventive work shall fall within the scope of the present invention. Therefore, the protection scope of the present invention shall be that defined by the claims.

Claims (6)

1. A cloud computing-based multi-factor bidirectional dynamic authentication encryption system, characterized in that it comprises an encryption system main body; the encryption system comprises a client module (1), a server module (2), an AS authentication service module (3), a KDC ticket management service module (4) and a relational database storage module (5);
the relational database storage module (5) is connected to the AS authentication service module (3) and to the KDC ticket management service module (4); the AS authentication service module (3), the KDC ticket management service module (4), the client module (1) and the server module (2) are connected to one another;
the client module (1) is used for authenticating its login to the AS authentication service module (3), ensuring that the user is unique in the system by reporting the user's fingerprint information, receiving tickets distributed by the KDC ticket management service module (4), and subsequently encrypting and decrypting data communication with the server using the tickets distributed by the KDC ticket management service module (4);
the server module (2) is used for authenticating its login to the AS authentication service module (3), ensuring that the server is unique in the system by reporting the server's fingerprint information, receiving tickets distributed by the KDC ticket management service module (4), and subsequently encrypting and decrypting data communication with the client using the tickets distributed by the KDC ticket management service module (4);
the AS authentication service module (3) is used for authenticating the login of the client and the server and confirming their identity;
the KDC ticket management service module (4) is used for distributing tickets to the client and the server, managing the life cycle of the tickets, and notifying the client and the server to renew the tickets;
and the relational database storage module (5) is used for storing the ticket data and the identity information of the client and the server.
2. The cloud computing-based multi-factor bidirectional dynamic authentication encryption system according to claim 1, wherein the client module (1) comprises a PC end, an Android end and an iOS end; and the server module (2) comprises a Windows end and a Linux end.
3. The cloud computing-based multi-factor bidirectional dynamic authentication encryption system according to claim 1, wherein the encryption system main body deploys the application as distributed microservice modules.
4. The cloud computing-based multi-factor bidirectional dynamic authentication encryption system according to claim 3, wherein the Kerberos in the distributed microservice module replaces the Kerberos timestamp with a synchronization variable N; the Kerberos adopts public key technology; and a fixed Master Key is used to simplify the service key.
5. The cloud computing-based multi-factor bidirectional dynamic authentication encryption system according to claim 3, wherein the correctness of the authentication tickets held in the KDC ticket management service module (4) is based on network clock synchronization.
6. A cloud computing-based multi-factor bidirectional dynamic authentication encryption method, characterized by comprising the following steps:
step one: the client authenticates its login through the AS, i.e. sends user mailbox + TGS name + (timestamp) encrypted with the md5 of the user password, KRB_AS_REQ;
step two: after receiving the request, the AS finds the client's Master Key through the mailbox provided by the user and finds the TGS Master Key through the TGS name;
step three: the AS generates a random encryption key Kc-Tgs (the dynamic key for authenticated communication between client and TGS);
step four: Kc-Tgs is encrypted once with the Client Master Key and once with the TGS Master Key;
step five: the first copy is Tgs_principal and timestamp + Kc-Tgs encrypted with the Client Master Key (Tc,tgs);
step six: the second copy is client_private and timestamp + Kc-Tgs encrypted with the TGS Master Key (Ttgs,c), KRB_AS_REP;
step seven: after receiving the data, the client decrypts Tc,tgs with its own Master Key and obtains Kc-Tgs + Tgs_principal + timestamp;
step eight: the client verifies whether the request was sent by the tgs server;
step nine: after verification the random key Kc-Tgs is obtained;
step ten: the decrypted ticket is stored (within its validity period it is used to apply to the TGS for access to services);
step eleven: the client generates an authentication factor Authenticator (timestamp + client_private + c_check_sum signature);
step twelve: the Authenticator is encrypted with the random key Kc-Tgs;
step thirteen: the encrypted Authenticator + Ttgs,c + Server_primary + timestamp are sent to the TGS, KRB_TGS_REQ;
step fourteen: after receiving the request, the TGS decrypts Ttgs,c with its own Master Key to obtain Kc,tgs, and decrypts the Authenticator with Kc,tgs;
step fifteen: the information sent by the client is authenticated, guaranteeing that the request was sent by the client;
step sixteen: the TGS then generates a session key Kc,s for the client and the server;
step seventeen: the session key is copied into two parts;
step eighteen: the first part, Tc,s, encrypts the session key Kc,s, server_private and the timestamp with Kc,tgs; the second part encrypts the session key Kc,s, client_private and the timestamp with the server Master Key;
step nineteen: the TGS responds with the two tickets to the client, KRB_TGS_REP;
step twenty: after the client receives the two tickets, it decrypts Tc,s with Kc,tgs to obtain Kc,s;
step twenty-one: it then generates an authentication factor Authenticator (timeStamp + Ts,c_checkSum);
step twenty-two: the Authenticator is encrypted with the obtained Kc,s;
step twenty-three: finally the Authenticator and the obtained second ticket Ts,c are sent to the Server, KRB_AP_REQ;
step twenty-four: after receiving the request, the server decrypts Ts,c with its own Master Key to obtain Kc,s;
step twenty-five: the content of the Authenticator is then decrypted with Kc,s;
step twenty-six: after the client is authenticated, the data content is read;
step twenty-seven: after authentication is completed, the acquired data is returned to the client with Kc,s + timestamp, KRB_AP_REP;
step twenty-eight: after receiving the message, the client can communicate normally with the server.
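The three exchanges that the description (steps nine to twenty-three above) and claim 6 walk through, simulated end to end in one process. This is an added Python example, not the patent's or the applicant's code. Everything not named on the page is an assumption: the principal names, the five-minute clock-skew window, the eight-hour ticket lifetime, and the toy encrypt-then-MAC cipher built from HMAC-SHA256 that stands in for a Kerberos encryption type so the file runs on the standard library alone (a real deployment would use an AEAD). The expiry check is the "time effectiveness" the description relies on; the replay cache and the principal-name comparison are the ordinary checks a Kerberos verifier makes and are added here rather than taken from the page.

```python
import hashlib, hmac, json, os, time

SKEW = 300               # assumed: max clock difference accepted for authenticators, seconds
TICKET_LIFE = 8 * 3600   # assumed: ticket validity period, seconds

# Toy encrypt-then-MAC cipher from HMAC-SHA256 (stand-in for a Kerberos enctype; use an AEAD in practice).
def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, obj):                       # nonce || ciphertext || tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")       # tampered, or sealed under a different key
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check(ticket, auth, seen, now):       # what a verifier (TGS or server) checks on ticket + authenticator
    if now > ticket["end"]:
        raise PermissionError("ticket expired")
    if auth["principal"] != ticket["principal"]:
        raise PermissionError("principal mismatch")
    if abs(auth["ts"] - now) > SKEW:
        raise PermissionError("authenticator outside clock skew")
    if (auth["principal"], auth["ts"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((auth["principal"], auth["ts"]))                  # replay cache

class KDC:                                # AS and TGS over one principal database (claim 1's relational store)
    def __init__(self, keys):
        self.keys, self.seen = keys, set()                     # principal -> master key

    def as_exchange(self, client, tgs, preauth, now):          # KRB_AS_REQ -> KRB_AS_REP
        kc, ktgs = self.keys[client], self.keys[tgs]           # looked up by mailbox / TGS name
        if abs(unseal(kc, preauth)["ts"] - now) > SKEW:        # pre-auth timestamp must be fresh
            raise PermissionError("stale pre-authentication")
        body = {"key": os.urandom(32).hex(), "ts": now, "end": now + TICKET_LIFE}   # Kc,tgs
        return (seal(kc, dict(body, principal=tgs)),           # Tc,tgs: readable by the client
                seal(ktgs, dict(body, principal=client)))      # Ttgs,c: readable by the TGS

    def tgs_exchange(self, tgs, ttgs_c, auth, server, now):   # KRB_TGS_REQ -> KRB_TGS_REP
        t = unseal(self.keys[tgs], ttgs_c)
        k_c_tgs = bytes.fromhex(t["key"])
        check(t, unseal(k_c_tgs, auth), self.seen, now)
        body = {"key": os.urandom(32).hex(), "ts": now, "end": min(t["end"], now + TICKET_LIFE)}
        return (seal(k_c_tgs, dict(body, principal=server)),                   # Tc,s
                seal(self.keys[server], dict(body, principal=t["principal"])))  # Ts,c

class Server:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, ts_c, auth, now):                    # KRB_AP_REQ -> KRB_AP_REP
        t = unseal(self.key, ts_c)
        k_c_s = bytes.fromhex(t["key"])
        a = unseal(k_c_s, auth)
        check(t, a, self.seen, now)
        return seal(k_c_s, {"ts": a["ts"]})                    # echo under Kc,s: mutual authentication

def authenticate(kdc, server, client, tgs, client_key, now):
    """Client side of all three exchanges; returns Kc,s plus the KRB_AP_REQ it sent."""
    tc_tgs, ttgs_c = kdc.as_exchange(client, tgs, seal(client_key, {"ts": now}), now)
    t = unseal(client_key, tc_tgs)
    if t["principal"] != tgs:                                  # step 8: reply really names the TGS
        raise PermissionError("unexpected TGS principal")
    k_c_tgs = bytes.fromhex(t["key"])
    auth = seal(k_c_tgs, {"principal": client, "ts": now})
    tc_s, ts_c = kdc.tgs_exchange(tgs, ttgs_c, auth, server.name, now)
    k_c_s = bytes.fromhex(unseal(k_c_tgs, tc_s)["key"])
    ap_req = seal(k_c_s, {"principal": client, "ts": now + 1})
    if unseal(k_c_s, server.ap_exchange(ts_c, ap_req, now + 1))["ts"] != now + 1:
        raise PermissionError("server failed mutual authentication")
    return k_c_s, ts_c, ap_req

def demo():
    """Happy path, then three rejected requests. Principal names are constructed."""
    keys = {"alice@example.com": os.urandom(32), "krbtgt": os.urandom(32), "app-server": os.urandom(32)}
    kdc, srv, now = KDC(keys), Server("app-server", keys["app-server"]), int(time.time())
    k_c_s, ts_c, ap_req = authenticate(kdc, srv, "alice@example.com", "krbtgt", keys["alice@example.com"], now)
    late = now + TICKET_LIFE + 10
    attempts = {                                               # (ticket, authenticator, server clock)
        "replay": (ts_c, ap_req, now + 1),                     # the captured KRB_AP_REQ sent again
        "expired": (ts_c, seal(k_c_s, {"principal": "alice@example.com", "ts": late}), late),
        "forged": (seal(os.urandom(32), {"key": "00" * 32, "principal": "alice@example.com",
                                         "ts": now, "end": late}), ap_req, now + 1),
    }
    out = {"ok": len(k_c_s) == 32}
    for name, (ticket, auth, when) in attempts.items():
        try:
            srv.ap_exchange(ticket, auth, when)
            out[name] = "accepted"
        except (PermissionError, ValueError) as e:
            out[name] = str(e)
    return out
```

Calling `demo()` performs one full login and then presents the server with three requests it should refuse: the same KRB_AP_REQ a second time, a fresh authenticator on a ticket past its end time, and a ticket sealed under a key the server does not hold. The returned dictionary records why each was rejected, which is the practical content of the description's claim that a stolen ticket is of little use once it has expired. Claim 4's replacement of the timestamp by a synchronization variable N is not modelled; the example keeps Kerberos-style timestamps and clock skew.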
Application CN202110175984.7A, priority date 2021-02-09, filing date 2021-02-09: Cloud computing-based multi-factor bidirectional dynamic authentication encryption system, status Pending, publication CN112929374A (en)

Publications (1)

Publication number: CN112929374A (en), publication date: 2021-06-08

Family

ID=76171303


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114362998A (en) * 2021-12-02 2022-04-15 北京交通大学 Network security protection method based on edge cloud system




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210608)