2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Recently, I debugged the SSO function of the VMware Identity Manager product at work. It gave me the opportunity to understand how Kerberos works in depth, and I jotted it down for future review.
For what Kerberos is, see the Wikipedia article: https://en.wikipedia.org/wiki/Kerberos_(protocol). Kerberos is a network authentication protocol that provides secure authentication between client and server programs using secret-key encryption. For example, the authentication process of Microsoft Windows 2000 and later systems is based on Kerberos.
Kerberos is the legendary three-headed dog that guards hell in Greek mythology (there is also a three-headed dog in Harry Potter). The three heads represent the three parties in the Kerberos protocol: the Client, the Server and the KDC.
Image source: http://mccltd.net/blog/?p=1053
There are many descriptions of the Kerberos protocol on the Internet; the blog at http://blog.csdn.net/wulantian/article/details/42418231 is more thorough and in-depth, but I am afraid it is still rather brain-burning to read, and I am afraid I will forget it after a while. The introduction to Kerberos in this article uses a simple example to help you understand Kerberos authentication in broad terms, rather than in specific protocol details.
Let's assume a scenario. During the war years there were two underground workers, Zhang San and Li Si, who were sent to do secret work somewhere. Zhang San had now found Li Si, the owner of a tavern, to cover his identity. What Zhang San had to do was prove to Li Si that he really was Zhang San, and not a law-enforcement plant trying to entrap him. This is a typical authentication process.
So how? The agency that dispatched Zhang San and Li Si had designed the authentication process for them long ago. The agency here is the KDC in the Kerberos protocol, such as Microsoft's AD domain server. Before the two set off, each was given a key (corresponding to the user's password, or its hash value), and the agency kept a copy of each key (the AD domain server stores the password or password hash of every domain user). Zhang San and Li Si correspond to the client and the server respectively.
1. Zhang San reports to the agency: I want to make contact with Li Si; give me a contact code.
2. After receiving Zhang San's request to contact Li Si, the agency sends Zhang San two small locked boxes, each of which can only be opened with its owner's key.
Inside the first box is a slip of paper with the secret code: The pagoda subdues the river demon. Zhang San's key can open this box.
There are two pieces of paper in the second box. One also carries the secret code: The pagoda subdues the river demon. The second note reads: The visitor is Zhang San. Only Li Si's key can open this box; Zhang San cannot open it, which ensures that Zhang San cannot tamper with its contents.
3. After receiving the two boxes, Zhang San opens the first one with his own key and sees the contact code: The pagoda subdues the river demon.
4. Zhang San then takes the second box to the tavern that Li Si runs. On seeing Li Si, Zhang San hands him the second box, says the secret code (The pagoda subdues the river demon) and declares himself to be Zhang San.
5. Li Si opens the box with his own key and sees that the contact code is The pagoda subdues the river demon; on the other note he sees that the visitor is Zhang San. It all fits: this is Zhang San, so let's put some wine on the table and talk about the next work arrangement.
This example illustrates the basic working principle of Kerberos, although the real protocol is much more complex, so please don't take it too literally. What if a key is lost? What if someone swaps one of the boxes? These are issues that Kerberos addresses further, and you will need to look at the details of Kerberos for yourself.
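The five-step exchange above, written out as an added example that is not from the original post: a locked box is modelled with a toy authenticated cipher built from hashlib/hmac (an assumption standing in for Kerberos' real encryption types), the agency's key table is a constructed sample, and the names kdc_issue, client_present and server_verify are mine. Box 1 is the session key for the client, box 2 is the ticket for the server, and "saying the code" is the authenticator.

```python
import hashlib, hmac, os

# A locked "box": toy authenticated encryption from the standard library only.
# Stand-in for the Kerberos encryption types; use a real AEAD outside a demo.
def lock(key: bytes, msg: bytes) -> bytes:
    nonce = os.urandom(16)
    pad = hashlib.shake_256(b"enc" + key + nonce).digest(len(msg))
    ct = bytes(a ^ b for a, b in zip(msg, pad))
    tag = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unlock(key: bytes, box: bytes) -> bytes:
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    expect = hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key, or the box was tampered with")
    pad = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

# The agency (KDC) keeps a copy of every agent's key, as AD stores password
# hashes. Constructed sample keys; real Kerberos derives them from passwords.
KDC_KEYS = {"zhangsan": os.urandom(32), "lisi": os.urandom(32)}

def kdc_issue(client: str, server: str) -> tuple[bytes, bytes]:
    """Step 2: box 1 = a fresh code under the client's key; box 2 = the ticket
    (same code + client's name) under the server's key, unreadable by the client."""
    code = os.urandom(32)                      # the Kerberos session key
    box1 = lock(KDC_KEYS[client], code)
    box2 = lock(KDC_KEYS[server], code + client.encode())
    return box1, box2

def client_present(client_key: bytes, box1: bytes, claimed_name: str) -> bytes:
    """Steps 3-4: open box 1 to learn the code, then 'say the code' by sealing
    the claimed name under it (the Kerberos authenticator)."""
    code = unlock(client_key, box1)            # fails without the client's key
    return lock(code, claimed_name.encode())

def server_verify(server_key: bytes, box2: bytes, authenticator: bytes) -> str:
    """Step 5: open the ticket with the tavern key, then check that the
    authenticator opens with the code inside and names the same person."""
    ticket = unlock(server_key, box2)
    code, name = ticket[:32], ticket[32:]
    said = unlock(code, authenticator)         # fails if visitor lacks the code
    if said != name:
        raise ValueError("visitor's claimed name does not match the ticket")
    return name.decode()
```

A forged ticket or a swapped box fails the tag check in unlock, and a visitor who opened box 1 but names someone else is rejected by the name comparison.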
About the author: Sam Zhao, EUC Solutions Manager. 13 years of IT experience in software development, testing and project management; five patents published and one co-authored book.
© 2024 shulou.com SLNews company. All rights reserved.