摘要
统一身份认证授权系统是基于Kerberos协议实现的单点登陆系统.Kerberos协议以时间为依据进行票据超时的判断,它要求系统内所有用户时间同步,容易受到重放攻击.同时,Kerberos协议要求记录用户状态,而目前WEB环境中广泛应用的HTTP协议是具有无状态特性的.系统根据当前WEB环境的特性进行了相关改进,以客户端浏览器插件和HttpSession的方法成功解决了上述的两个问题,通过构造独立的认证服务器、票据服务器和客户端程序来完成用户身份的认证与授权操作的单点登陆系统,提高校园网的安全性.
Unified Identity Authentication and Authorization Service System (UIAAS) is a system of single sign on, based on the Kerberos protocol. Since the security of Kerberos authentication is in part based upon the time stamps of tickets,if clocks are not synchronized on Kerberos servers,replay attacks may arise. In addition,Ker- heros protocol requests for state records of the servers, while HTI^P, which operates under WEB environment, is a stateless protocol. Regarding to the defects of the Kerberos protocol, this article proposes a resolution by making relative improvement of WEB environment and using recording bill plug in the client-side browser as well as Ht- tp Session. Building a system of single sign on combining an independent Authentication Server (AS), a Ticket Granting Server (TGS) and a Client Program to deal with the user's identity authentication and authorization, the security of the campus network can be improved.
出处
《广州大学学报(自然科学版)》
CAS
2010年第4期18-22,共5页
Journal of Guangzhou University:Natural Science Edition
基金
广东省自然科学基金博士启动项目(06300905)
广东省信息安全技术重点实验室开放基金资助
