{"id":5360,"date":"2022-11-12T02:27:00","date_gmt":"2022-11-11T18:27:00","guid":{"rendered":"https:\/\/ixyzero.com\/blog\/?p=5360"},"modified":"2022-11-11T21:37:03","modified_gmt":"2022-11-11T13:37:03","slug":"translate%e8%ae%be%e8%ae%a1%e4%b8%80%e4%b8%aa%e8%ae%a4%e8%af%81%e7%b3%bb%e7%bb%9f","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/5360.html","title":{"rendered":"[translate]\u8bbe\u8ba1\u4e00\u4e2a\u8ba4\u8bc1\u7cfb\u7edf"},"content":{"rendered":"\n<p>=Start=<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u7f18\u7531\uff1a<\/h4>\n\n\n\n<p>\u6700\u8fd1\u5728\u5b66\u4e60 Kerberos \u534f\u8bae\u7684\u65f6\u5019\u4ed4\u7ec6\u770b\u4e86\u4e00\u4e0b\u7531 Bill Bryant \u5199\u4e8e 1988 \u5e74\u7684\u6587\u7ae0 <a href=\"http:\/\/web.mit.edu\/kerberos\/dialogue.html\">Designing an Authentication System: a Dialogue in Four Scenes<\/a>\uff0c\u8be5\u6587\u7ae0\u901a\u8fc74\u573a\u5bf9\u8bdd\u5c06\u8bbe\u8ba1\u4e00\u4e2a\u8ba4\u8bc1\u7cfb\u7edf\u4e2d\u9700\u8981\u9762\u4e34\u7684\u5178\u578b\u95ee\u9898\u90fd\u63d0\u4e86\u51fa\u6765\uff0c\u5e76\u9488\u5bf9\u5176\u4e2d\u7684\u5927\u90e8\u5206\u95ee\u9898\u63d0\u4f9b\u4e86\u53ef\u884c\u7684\u89e3\u51b3\u65b9\u6848\u548c\u601d\u8def\u3002\u867d\u7136\u6587\u7ae0\u5199\u7684\u65e9\uff0c\u5f53\u65f6\u4e5f\u4e3b\u8981\u662f\u4e3a\u4e86\u8ba9\u4eba\u4eec\u66f4\u5bb9\u6613\u7406\u89e3 Kerberos \u534f\u8bae\uff08V4\u7248\u672c\uff09\u505a\u7684\u63cf\u8ff0\uff0c\u4f46\u6309\u7167\u6587\u7ae0\u6574\u7406\u4eba\u7684\u8bf4\u6cd5\u2014\u2014\u5176\u4e2d\u4f53\u73b0\u51fa\u7684\u6838\u5fc3\u601d\u60f3\u548cV5\u7248\u672c\u57fa\u672c\u4e00\u81f4\uff0c\u9664\u4e86\u5c11\u91cf\u533a\u522b\u4e4b\u5916\u3002<\/p>\n\n\n\n<p>\u901a\u8fc7\u8ddf\u7740\u6587\u4e2d Athena \u7684\u601d\u8def\u9010\u6b65\u6df1\u5165\uff0c\u4f1a\u66f4\u5bb9\u6613\u7406\u89e3 Kerberos 
\u7b49\u8eab\u4efd\u8ba4\u8bc1\u534f\u8bae\u7684\u4f5c\u7528\u548c\u8bbe\u8ba1\u539f\u7406\uff0c\u5bf9\u4e0d\u4e86\u89e3\u5e95\u5c42\u903b\u8f91\u7684\u4eba\u6765\u8bf4\u5e2e\u52a9\u5f88\u5927\uff0c\u503c\u5f97\u82b1\u65f6\u95f4\u601d\u8003\u548c\u5b66\u4e60\u3002<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u6b63\u6587\uff1a<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">\u53c2\u8003\u89e3\u7b54\uff1a<\/h5>\n\n\n\n<pre class=\"wp-block-code\"><code>\u7cbe\u7b80\u603b\u7ed3\uff1a\n\n# Scene I - \u573a\u666f\u4e00\n\n&gt;&gt;&gt; \u683c\u5b50\u95f4\u91cc\u7684\u7b2c\u4e00\u6b21\u76f8\u9047\uff0cAthena \u5411 Euripides \u62b1\u6028\u5206\u65f6\u7cfb\u7edf\u7684\u7f3a\u9677\uff08\u5982\u679c\u5f53\u524d\u5df2\u767b\u5f55\u7684\u4eba\u6570\u6ee1\u4e86\uff0c\u65b0\u7684\u7528\u6237\u5c31\u65e0\u6cd5\u767b\u5f55\uff0c\u4e5f\u5c31\u65e0\u6cd5\u6b63\u5e38\u5de5\u4f5c\u4ece\u800c\u5f71\u54cd\u6548\u7387\uff09\uff0c\u540c\u65f6\u63d0\u51fa\u4e00\u4e2a\u5979\u7684\u613f\u666f\u2014\u2014\u6bcf\u4e2a\u4eba\u90fd\u80fd\u6709\u81ea\u5df1\u7684\u5de5\u4f5c\u7ad9\uff0c\u540c\u65f6\u6253\u5370\/\u90ae\u4ef6\/\u6587\u4ef6\u5b58\u50a8\u7b49\u516c\u7528\u529f\u80fd\u7531\u4e13\u804c\u670d\u52a1\u5668\u6765\u627f\u62c5\u3002Euripides \u6307\u51fa Athena \u60f3\u6cd5\u4e0d\u6210\u719f\u7684\u5730\u65b9\u2014\u2014\u6ca1\u6709\u8ba4\u8bc1\u7cfb\u7edf\uff0c\u5bfc\u81f4\u7f51\u7edc\u4e0a\u7684\u670d\u52a1\u5668\u4e0d\u80fd\u77e5\u9053\u8c01\u662f\u8c01\uff0c\u56e0\u6b64\u80fd\u591f\u5192\u7528\u8eab\u4efd\u505a\u4e00\u4e9b\u4e0d\u53ef\u63a7\u7684\u6076\u610f\u884c\u4e3a\u3002\uff08Athena\u4f1a\u56de\u53bb\u601d\u8003\u65b0\u7684\u65b9\u6848\u6765\u89e3\u51b3\u5bf9\u8bdd\u4e2d\u63d0\u5230\u7684\u5404\u79cd\u8bbe\u8ba1\u7f3a\u9677\uff0c\u76f4\u5230\u80fd\u57fa\u672c\u6ee1\u8db3\u8981\u6c42\uff09\n\n# Scene II - \u573a\u666f\u4e8c\n\n&gt;&gt;&gt; Athena \u56de\u53bb\u4e4b\u540e\u66f4\u65b0\u4e86\u4e00\u4e0b\u5979\u7684\u8bbe\u8ba1\uff0c\u5176\u4e2d\u5305\u542b\u51e0\u4e2a\u7279\u70b9\uff1a\n\n1. 
\u7528\u6237\u5411\u670d\u52a1\u53d1\u8d77\u8bf7\u6c42\u4ee5\u5b9e\u73b0\u7279\u5b9a\u529f\u80fd\u5e76\u4e0d\u662f\u7531\u7528\u6237\u76f4\u63a5\u53d1\u8d77\uff0c\u800c\u662f\u7531\u4e00\u4e2aagent\u4ee3\u7406\u53d1\u8d77\uff0c\u8fd9\u4e2aagent\u4ee3\u7406\u662f\u8fd9\u4e2a\u670d\u52a1\u7684\u5ba2\u6237\u7aef\uff0c\u4e13\u95e8\u7528\u6765\u505a\u6b64\u9879\u5de5\u4f5c\u7684\uff1b\n2. \u5728\u8fd9\u4e2a\u8ba4\u8bc1\u7cfb\u7edf\u4e2d\uff0c\u4e0d\u4ec5\u7528\u6237\u6709\u5bc6\u7801\uff0c\u670d\u52a1\u4e5f\u6709\u5bc6\u7801\uff0c\u800c\u8ba4\u8bc1\u7cfb\u7edf Charon \u77e5\u9053\u6240\u6709\u7684\u5bc6\u7801\uff0c\u5bc6\u7801\u5b58\u50a8\u5728\u5355\u4e2a\u96c6\u4e2d\u5f0f\u6570\u636e\u5e93\u4e2d\uff1b\n3. \u8ba4\u8bc1\u7cfb\u7edf\u6d41\u7a0b\u6982\u8ff0\uff1a\u5f53\u4f60\u8981\u4f7f\u7528\u67d0\u4e2a\u670d\u52a1A\u65f6\uff0c\u5148\u5411 Charon \u63d0\u4f9b\u4f60\u7684\u8d26\u53f7\u5bc6\u7801\uff0c\u7136\u540e\u5b83\u5728\u5185\u90e8\u8fdb\u884c\u5339\u914d\uff0c\u82e5\u80fd\u5339\u914d\u6210\u529f\uff0c\u5219\u8ba4\u4e3a\u4f60\u7684\u8eab\u4efd\u5f97\u5230\u4e86\u8bc1\u5b9e\uff0c\u5e76\u7ed9\u4f60\u53d1\u9001\u4e00\u4e2a\u7968\u8bc1 ticketA(enc{username}) \uff0c\u91cc\u9762\u5305\u542b\u4f7f\u7528\u670d\u52a1A\u7684\u5bc6\u7801\u52a0\u5bc6\u7684\u7528\u6237\u540d\uff1b\u7136\u540e\u4f60\u62ff\u7740\u521a\u9881\u53d1\u7684\u7968\u8bc1 ticketA \u5411\u670d\u52a1A\u53d1\u8d77\u8bf7\u6c42\uff0c\u670d\u52a1A\u63a5\u6536\u5230 ticketA \u4e4b\u540e\u5c1d\u8bd5\u7528\u81ea\u5df1\u7684\u5bc6\u7801\u8fdb\u884c\u89e3\u5bc6\uff0c\u82e5\u89e3\u5bc6\u6210\u529f\u4e14 username \u548c\u53d1\u8d77\u8bf7\u6c42\u7684\u4e3a\u540c\u4e00\u4e2a\u8d26\u53f7\uff0c\u5219\u4f1a\u6309\u7167\u9700\u6c42\u6b63\u5e38\u63d0\u4f9b\u670d\u52a1\uff1b\n\n4. \u7ecf\u5efa\u8bae\uff0c\u5728\u7968\u8bc1 ticket \u4e2d\u6dfb\u52a0\u4e00\u4e2a servicename \u4f1a\u6709\u52a9\u4e8e\u670d\u52a1\u5224\u65ad\u662f\u5426\u89e3\u5bc6\u6210\u529f\uff0c\u5373 ticket(enc{username,servicename}) \uff1b\n5. 
\u7ecf\u5efa\u8bae\uff0c\u518d\u6dfb\u52a0\u4e00\u4e2a ip_address \u4fe1\u606f\u53ef\u4ee5\u652f\u6301\u548c\u8bf7\u6c42\u53d1\u8d77\u4eba\u7684 ip_address \u4fe1\u606f\u505a\u6bd4\u5bf9\uff0c\u9632\u6b62\u7968\u8bc1\u88ab\u76d7\u7528\uff0c\u5373 ticket(enc{username,ip_address,servicename}) \uff1b\n6. \u9664\u6b64\u4e4b\u5916\u8fd8\u6709\u4e00\u4e9b\u95ee\u9898\u6ca1\u6709\u89e3\u51b3\uff0c\u6bd4\u5982\u6bcf\u6b21\u60f3\u7528\u4e00\u4e2a\u65b0\u670d\u52a1\u65f6\u90fd\u9700\u8981\u91cd\u590d\u8f93\u5165\u8d26\u53f7\u5bc6\u7801\uff0c\u8fd9\u79cd\u65b9\u5f0f\u4e0d\u5b89\u5168\uff0c\u7528\u6237\u4f53\u9a8c\u4e5f\u5f88\u5dee\u3002\n\n&gt;&gt;&gt; \u4e0a\u9762\u7684\u8fd9\u4e2a\u8bbe\u8ba1\u5df2\u7ecf\u548c\u73b0\u5728\u5e38\u89c4\u7684\u8d26\u53f7\u5bc6\u7801\u8ba4\u8bc1\u65b9\u5f0f\u5f88\u50cf\u4e86\uff0c\u76f8\u6bd4\u800c\u8a00\u6709\u5176\u4f18\u70b9\uff08\u7c7b\u4f3cSSO\u7684\u591a\u670d\u52a1\u590d\u7528\u540c\u4e00\u5bc6\u7801\uff09\u4e5f\u6709\u7f3a\u70b9\uff08\u6bcf\u6b21\u90fd\u8f93\u5165\u5bc6\u7801\uff0c\u7968\u8bc1\u5bb9\u6613\u88ab\u76d7\u7528\uff09\uff0c\u6574\u4f53\u6bd4\u8f83\u7b80\u5355\u548c\u521d\u7ea7\u3002\n\n# Scene III - \u573a\u666f\u4e09\n\n&gt;&gt;&gt; \u573a\u666f\u4e09\u6bd4\u524d\u4e24\u4e2a\u573a\u666f\u8fdb\u884c\u4e86\u66f4\u591a\u7684\u8ba8\u8bba\uff0c\u8bbe\u8ba1\u4e5f\u968f\u7740\u8ba8\u8bba\u7684\u6df1\u5165\u8fdb\u884c\u4e86\u66f4\u591a\u7684\u66f4\u6539\uff1a\n\n&gt;&gt;&gt; Athena \u5c06\u4e4b\u524d Euripides \u63d0\u5230\u7684\u51e0\u4e2a\u95ee\u9898\u8f6c\u6362\u6210\u4e86\u4e00\u4e9b\u7cfb\u7edf\u7684\u57fa\u672c\u8981\u6c42\uff1a\n\n&gt;&gt;&gt; 1. 
\u7528\u6237\u53ea\u9700\u5728\u5de5\u4f5c\u7ad9\u4f1a\u8bdd\u5f00\u59cb\u65f6\u8f93\u5165\u4e00\u6b21\u5bc6\u7801\u2014\u2014\u8fd9\u662f\u901a\u8fc7\u65b0\u53d1\u660e\u4e00\u4e2a ticket-granting \u670d\u52a1\u6765\u5b9e\u73b0\u7684\uff0c\u5b83\u4f1a\u5411\u901a\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u7684\u7528\u6237\u53d1\u653e\u4e00\u4e2a TGT(ticket-granting ticket,\u7968\u8bc1\u6388\u4e88\u7968\u8bc1)\uff0c\u8fd9\u4e2a\u65b0\u670d\u52a1\u5176\u5b9e\u662f Charon \u7684\u4e00\u90e8\u5206\uff0c\u5b83\u53ef\u4ee5\u8ba9\u4f60\u540e\u9762\u4f7f\u7528 TGT \u800c\u4e0d\u662f\u5bc6\u7801\u6765\u8bc1\u5b9e\u81ea\u5df1\u7684\u8eab\u4efd\uff1b\n\n&gt;&gt;&gt; 2. \u5bc6\u7801\u4e0d\u5e94\u4ee5\u660e\u6587\u5f62\u5f0f\u901a\u8fc7\u7f51\u7edc\u53d1\u9001\u2014\u2014\u5f53\u4f60\u4f7f\u7528 kinit \u7a0b\u5e8f\u83b7\u53d6 TGT-\u7968\u8bc1\u6388\u4e88\u7968\u8bc1 \u65f6\uff0ckinit \u4e0d\u4f1a\u5c06\u4f60\u7684\u5bc6\u7801\u53d1\u9001\u5230 Charon \u670d\u52a1\u5668\uff0ckinit \u53ea\u4f1a\u53d1\u9001\u4f60\u7684\u7528\u6237\u540d\uff0c\u7136\u540e Charon \u4f7f\u7528\u63a5\u6536\u5230\u7684\u7528\u6237\u540d\u6765\u67e5\u627e\u5bc6\u7801\uff0c\u627e\u5230\u4e86\u4e4b\u540e\u4f1a\u7528\u4f60\u7684\u5bc6\u7801\u5bf9\u7968\u8bc1\u4fe1\u606f\u8fdb\u884c\u52a0\u5bc6\u7136\u540e\u5c06\u5185\u5bb9\u8fd4\u56de\uff0c\u63a5\u6536\u5230\u8fd4\u56de\u4e4b\u540e kinit \u63d0\u793a\u4f60\u8f93\u5165\u4f60\u7684\u5bc6\u7801\uff0c\u8f93\u5165\u4e4b\u540e kinit \u5c1d\u8bd5\u7528\u4f60\u8f93\u5165\u7684\u5bc6\u7801\u89e3\u5bc6 TGT-\u7968\u8bc1\u6388\u4e88\u7968\u8bc1\uff0c\u82e5\u89e3\u5bc6\u6210\u529f\uff0c\u5219\u4f60\u5df2\u6210\u529f\u5411 Charon \u8bc1\u660e\u81ea\u5df1\u3002\u4f46\u662f\u63a5\u4e0b\u6765\u5982\u4f55\u7528 TGT \u6765\u751f\u6210 ST \u6ca1\u6709\u7ec6\u8bf4\uff0c\u5e94\u8be5\u662f\u590d\u7528\u4e0a\u9762\u573a\u666f\u4e8c\u4e2d\u7684\u90e8\u5206\u903b\u8f91\u3002\n\n&gt;&gt;&gt; 
\u5230\u73b0\u5728\u8fd9\u4e2a\u9636\u6bb5\uff0c\u7528\u6237\u4f53\u9a8c\u5df2\u7ecf\u5f88\u597d\u4e86\u2014\u2014\u4f60\u53ea\u9700\u8981\u6b63\u786e\u8f93\u5165\u4e00\u6b21\u7528\u6237\u540d\u5bc6\u7801\uff08\u4e14\u5bc6\u7801\u8fd8\u4e0d\u4f1a\u901a\u8fc7\u7f51\u7edc\u4f20\u8f93\uff09\uff0c\u5c31\u80fd\u501f\u52a9\u65b0\u8bbe\u8ba1\u7684 ticket-granting \u670d\u52a1\u751f\u6210 TGT \u6765\u5b9e\u73b0\u540e\u7eed\u7684\u514d\u5bc6\u8bbf\u95ee\u3002\u4f46\u662f\u8fd9\u6837\u7684\u5b89\u5168\u98ce\u9669\u4e5f\u5f88\u5927\uff0c\u56e0\u4e3a\u73b0\u5728\u7684\u8bbe\u8ba1\u4e2d\u670d\u52a1\u7968\u636e(ST,service ticket)\u662f\u80fd\u591f\u91cd\u590d\u4f7f\u7528\u7684\uff0c\u5982\u679c\u670d\u52a1\u7968\u636e\u88ab\u7a83\u53d6\u4e86\uff0c\u90a3\u4f60\u5728\u8fd9\u4e9b\u670d\u52a1\u4e2d\u7684\u8eab\u4efd\u4e5f\u5c31\u88ab\u7a83\u53d6\u4e86\u3002\u6240\u4ee5\u9700\u8981\u7ed9\u670d\u52a1\u7968\u636e\u6dfb\u52a0\u4e00\u4e9b\u989d\u5916\u4fe1\u606f\u6765\u9650\u5236\u670d\u52a1\u7968\u636e\u7684\u6709\u6548\u671f\u3002\u73b0\u5728\u670d\u52a1\u7968\u636e\u7684\u683c\u5f0f\u662f enc{username:ip_address:servicename:lifespan:timestamp} \u3002\u4f46\u5373\u4fbf\u662f\u8fd9\u6837\u4e5f\u6709\u4e00\u4e9b\u95ee\u9898\uff0c\u6bd4\u5982\u6709\u6548\u671f\u5185\u7684\u91cd\u653e\u653b\u51fb\u7b49\u3002\n\n# Scene IV - \u573a\u666f\u56db\n\n&gt;&gt;&gt; \u5728\u4e0a\u4e00\u5e55\u7684\u8ba8\u8bba\u7ed3\u675f\u65f6\u6709\u4e00\u4e2a\u660e\u786e\u7684\u9057\u7559\u95ee\u9898\u2014\u2014\u670d\u52a1\u7968\u636e(ST)\u5728\u6709\u6548\u671f\u5185\u7684\u91cd\u653e\u653b\u51fb\uff0c\u5bf9\u8fd9\u4e2a\u95ee\u9898 Athena 
\u5c06\u95ee\u9898\u5f52\u7ed3\u4e3a\u2014\u2014\u670d\u52a1\u5982\u4f55\u5224\u65ad\u4f7f\u7528\u7968\u636e\u7684\u4eba\u4e0e\u771f\u5b9e\u7968\u636e\u6240\u6709\u4eba\u662f\u540c\u4e00\u4e2a\uff1f\uff08\u5b9e\u9645\u4e0a\u8fd9\u5e76\u4e0d\u80fd\u89e3\u51b3\u91cd\u653e\u653b\u51fb\u7684\u95ee\u9898\uff0c\u89e3\u51b3\u91cd\u653e\u9700\u8981\u589e\u52a0\u4e00\u4e2a\u8ba1\u6570\u5668\uff0c\u8ba9\u76f8\u5173authenticator\u4e0d\u80fd\u91cd\u590d\u4f7f\u7528\uff09\n\n&gt;&gt;&gt; Athena \u56de\u6eaf\u4e86\u4e00\u4e0b\u8eab\u4efd\u8ba4\u8bc1\u7684\u8fc7\u7a0b\uff0c\u8bd5\u56fe\u4ece\u4e2d\u627e\u5230\u89e3\u51b3\u601d\u8def\uff0c\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\u4ea4\u4e92\u65f6\u53d1\u9001\u7684\u5185\u5bb9\u4e3a username,ip_address,ticket(enc{username:ip_address:servicename:lifespan:timestamp}) \u8fd9\u91cc\u9762ticket\u662f\u7528\u670d\u52a1\u7684\u5bc6\u7801\u8fdb\u884c\u52a0\u5bc6\u751f\u6210\u7684\u5185\u5bb9\uff0c\u4e5f\u5c31\u53ea\u6709\u670d\u52a1\u80fd\u89e3\u5f00\u3002\u670d\u52a1\u63a5\u5230ticket\u4e4b\u540e\u6b63\u5e38\u89e3\u5f00\u53ef\u4ee5\u62ff\u5230\u7528\u6237\u540d\u3001\u7f51\u7edc\u5730\u5740\u3001\u670d\u52a1\u540d\u79f0\u548c\u6709\u6548\u671f\u505a\u6bd4\u5bf9\uff0c\u8fd9\u4e9b\u6821\u9a8c\u505a\u5b8c\u4e4b\u540e\u6700\u591a\u53ea\u80fd\u8bf4\u660eticket\u662f Charon \u7b7e\u53d1\u7684\uff0c\u4f46\u8bf4\u660e\u4e0d\u4e86\u7968\u662f\u4e0d\u662f\u771f\u7684\u6765\u81ea\u4e8e\u7968\u7684\u5b9e\u9645\u62e5\u6709\u4eba\uff0c\u56e0\u4e3a\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\u4e4b\u95f4\u5f53\u524d\u6ca1\u6709\u66f4\u591a\u4e92\u76f8\u5171\u4eab\u7684\u4fe1\u606f\u4e86\u3002\u89e3\u51b3\u7684\u529e\u6cd5\u5c31\u662f\u589e\u52a0\u4e00\u4e2a\u53ea\u6709\u5b83\u4eec\u4e24\u8005\u624d\u77e5\u9053\u7684\u4f1a\u8bdd\u5bc6\u94a5(sessionkey)\u3002\n\n&gt;&gt;&gt; \u4f46\u662f Charon \u5982\u4f55\u5c06\u4f1a\u8bdd\u5bc6\u94a5\u5206\u53d1\u7ed9\u7528\u6237\u548c\u670d\u52a1\u662f\u4e2a\u95ee\u9898\u3002\u4e00\u5f00\u59cb Athena 
\u60f3\u7684\u662f\u2014\u2014\u76f4\u63a5\u5728 Charon \u7ed9\u7528\u6237\u7684\u56de\u590d\u4e2d\u540c\u65f6\u63d0\u4f9b\u4f1a\u8bdd\u5bc6\u94a5\u548c\u7968\u8bc1 enc_by_userkey{sessionkey:ticket} \u5185\u5bb9\u901a\u8fc7\u7528\u6237\u5bc6\u7801\u8fdb\u884c\u52a0\u5bc6\uff1b\u7ed9\u670d\u52a1\u5206\u53d1\u4f1a\u8bdd\u5bc6\u94a5\u662f\u901a\u8fc7\u628a\u4f1a\u8bdd\u5bc6\u94a5\u5305\u542b\u5728\u52a0\u5bc6\u7684\u7968\u8bc1\u91cc\u9762 ticket=enc_by_servicekey{sessionkey:username:ip_address:servicename:lifespan:timestamp} \uff0c\u7528\u6237\u53ef\u4ee5\u5728\u7528\u81ea\u5df1\u7684\u5bc6\u7801\u89e3\u5bc6\u8fd4\u56de\u7684\u5185\u5bb9\u4e4b\u540e\u62ff\u5230 sessionkey \uff0c\u7136\u540e\u5c06 ticket \u5728\u540e\u9762\u7684\u8bf7\u6c42\u4e2d\u76f4\u63a5\u8f6c\u53d1\u7ed9\u670d\u52a1\uff0c\u670d\u52a1\u62ff\u81ea\u5df1\u7684\u5bc6\u7801\u89e3\u5bc6\u4e4b\u540e\u53ef\u4ee5\u770b\u5230\u548c\u7528\u6237\u4e00\u6837\u7684 sessionkey \uff0c\u8fd9\u6837\u5c31\u5b8c\u6210\u4e86\u53ea\u6709\u7528\u6237\u548c\u670d\u52a1\u624d\u77e5\u9053\u7684 sessionkey \u7684\u5206\u53d1\u3002\n\n&gt;&gt;&gt; \u5f53\u4f60\u60f3\u83b7\u5f97\u4e00\u9879\u670d\u52a1\u65f6\uff0c\u5ba2\u6237\u7aef\u4f1a\u5148\u6784\u5efa\u4e00\u4e2a AUTHENTICATOR-\u8eab\u4efd\u9a8c\u8bc1\u5668 \uff0c\u5b83\u91cc\u9762\u5305\u542b\u7528\u6237\u540d\u548c\u7f51\u7edc\u5730\u5740\uff0c\u5e76\u4f7f\u7528\u4e0a\u9762\u7684\u4f1a\u8bdd\u5bc6\u94a5\u52a0\u5bc6 enc_by_sessionkey{username:ip_address} \uff0c\u7136\u540e\u5c06\u5176\u548c\u521a\u624d\u89e3\u5bc6\u63d0\u53d6\u51fa\u7684 ticket 
\u4e00\u8d77\u53d1\u9001\u5230\u670d\u52a1\u7aef\uff0c\u8be5\u670d\u52a1\u4e00\u5f00\u59cb\u8fd8\u65e0\u6cd5\u89e3\u5bc6\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u56e0\u4e3a\u5b83\u6ca1\u6709\u4f1a\u8bdd\u5bc6\u94a5\u3002\u8be5\u4f1a\u8bdd\u5bc6\u94a5\u5728\u7968\u8bc1ticket\u4e2d\uff0c\u56e0\u6b64\u670d\u52a1\u9996\u5148\u89e3\u5bc6\u7968\u8bc1ticket\u3002\u89e3\u5bc6\u7968\u8bc1\u4e4b\u540e\uff0c\u82e5\u7968\u8bc1\u8fd8\u5728\u6709\u6548\u671f\u5185\uff0c\u624d\u4f1a\u7528\u521a\u624d\u5f97\u5230\u7684\u4f1a\u8bdd\u5bc6\u94a5\u6765\u89e3\u5bc6\u8eab\u4efd\u9a8c\u8bc1\u5668\u3002\u5982\u679c\u89e3\u5bc6\u987a\u5229\u8fdb\u884c\uff0c\u5219\u670d\u52a1\u4f1a\u62ff\u5230\u5176\u4e2d\u7684\u7528\u6237\u540d\u548c\u7f51\u7edc\u5730\u5740\u3002\u670d\u52a1\u4f1a\u6839\u636e\u7968\u8bc1\u4e2d\u7684\u59d3\u540d\u548c\u5730\u5740\u4ee5\u53ca\u53d1\u9001\u7968\u8bc1\u7684\u4eba\u7684\u59d3\u540d\u548c\u5730\u5740\u4ee5\u53ca\u4ece\u8eab\u4efd\u9a8c\u8bc1\u5668\u4e2d\u63d0\u53d6\u7684\u4fe1\u606f\u6765\u8fdb\u884c\u9a8c\u8bc1\u3002\u5982\u679c\u4e00\u5207\u90fd\u5339\u914d\uff0c\u5219\u670d\u52a1\u5df2\u786e\u5b9a\u7968\u8bc1\u53d1\u9001\u8005\u786e\u5b9e\u662f\u7968\u8bc1\u7684\u771f\u6b63\u6240\u6709\u8005\u3002\n\n&gt;&gt;&gt; \u4f46\u5373\u4fbf\u662f\u4e0a\u9762\u8fd9\u79cd\u8bbe\u8ba1\u4e5f\u65e0\u6cd5\u5b8c\u5168\u89e3\u51b3\u91cd\u653e\u7684\u95ee\u9898\uff0c\u56e0\u4e3a\u653b\u51fb\u8005\u53ef\u4ee5\u540c\u65f6\u76d1\u542c\u7a83\u53d6 ticket \u548c authenticator \uff0c\u7136\u540e\u518d\u9488\u5bf9\u6027\u7684\u4fee\u6539\u5b83\u7684 username+ip_address \u5c31\u53ef\u4ee5\u5728\u7968\u8bc1\u7684\u6709\u6548\u671f\u5185\u5b8c\u6210\u91cd\u653e\u653b\u51fb\u3002\u5373\u4fbf\u662f\u7ed9 authenticator-\u8eab\u4efd\u9a8c\u8bc1\u5668 
\u91cc\u9762\u6dfb\u52a0\u8fc7\u671f\u65f6\u95f4\u7b49\u4fe1\u606f\uff0c\u4e5f\u53ea\u662f\u964d\u4f4e\u4e86\u88ab\u91cd\u653e\u653b\u51fb\u7684\u53ef\u80fd\u4f46\u5e76\u6ca1\u6709\u4ece\u6e90\u5934\u4e0a\u89e3\u51b3\u95ee\u9898\u3002\u771f\u6b63\u6709\u6548\u7684\u529e\u6cd5\u662f\u589e\u52a0\u4e00\u4e2a\u68c0\u67e5\uff0c\u8ba9\u8eab\u4efd\u9a8c\u8bc1\u5668\u53ea\u53ef\u4f7f\u7528\u4e00\u6b21\u800c\u4e0d\u80fd\u88ab\u91cd\u590d\u4f7f\u7528\uff08\u4e0d\u8fc7\u5bf9\u8bdd\u4e2d\u6700\u540e\u5e76\u6ca1\u6709\u91c7\u7528\uff0c\u8fd9\u4e2a\u95ee\u9898\u5728 Kerberos V5 \u4e2d\u5f97\u5230\u4e86\u89e3\u51b3\uff09\u3002\n\nI'll state the problem by way of contrast. Without session keys and authenticators, Charon can protect its servers from false users, but it cannot protect its users from false servers. The system needs a way for client programs to authenticate the server before sending sensitive information to the service. The system must allow for mutual authentication.\n\u5982\u679c\u6ca1\u6709 \u4f1a\u8bdd\u5bc6\u94a5-sessionkey \u548c \u8eab\u4efd\u9a8c\u8bc1\u5668-authenticator \uff0cCharon \u53ea\u80fd\u4fdd\u62a4\u670d\u52a1\u514d\u53d7\u865a\u5047\u7528\u6237\u7684\u5e72\u6270\uff0c\u4f46\u5b83\u6ca1\u6cd5\u4fdd\u62a4\u7528\u6237\u88ab\u865a\u5047\u670d\u52a1\u6b3a\u9a97\uff0c\u8ba4\u8bc1\u7cfb\u7edf\u9700\u8981\u4e00\u4e2a\u65b9\u6cd5\u80fd\u8ba9client\u5728\u53d1\u9001\u654f\u611f\u4fe1\u606f\u5230\u670d\u52a1\u4e4b\u524d\u9a8c\u8bc1\u670d\u52a1\u8eab\u4efd\u7684\u80fd\u529b\uff0c\u4e5f\u5373\u8ba9 client \u548c service \u4e92\u76f8\u80fd\u8fdb\u884c\u53cc\u5411\u8ba4\u8bc1\u3002\n\n\u4f1a\u8bdd\u5bc6\u94a5-sessionkey \u89e3\u51b3\u4e86\u8fd9\u4e2a\u95ee\u9898\uff08\u5982\u679c\u8bbe\u8ba1\u5f97\u5f53\u7684\u8bdd\uff09\uff0cclient \u7528 sessionkey \u5bf9\u8981\u53d1\u9001\u7ed9 service \u7684\u5185\u5bb9\u8fdb\u884c\u52a0\u5bc6\uff0c\u5408\u6cd5\u7684 service \u624d\u6709 sessionkey 
\u80fd\u6b63\u786e\u89e3\u5bc6\u8bf7\u6c42\uff08\u901a\u8fc7\u8fd9\u4e00\u6b65service\u9a8c\u8bc1\u4e86client\u7684\u8eab\u4efd\uff0c\u56e0\u4e3a\u5b83\u6709sessionkey\uff09\uff1b\u7136\u540e service \u7528 sessionkey \u5c06\u8981\u8fd4\u56de\u7684\u4fe1\u606f\u8fdb\u884c\u52a0\u5bc6\uff0cclient \u62ff\u5230\u52a0\u5bc6\u4fe1\u606f\u4e4b\u540e\u53ef\u4ee5\u7528 sessionkey \u89e3\u5bc6\uff0c\u8fd9\u65f6\u53ef\u4ee5\u8bc1\u660e service \u4e5f\u662f\u5408\u6cd5\u7684\uff0c\u4ece\u800c\u5b8c\u6210\u4e86\u53cc\u5411\u8ba4\u8bc1\u3002<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># \u6458\u8981\n\n\u8fd9\u6bb5\u5bf9\u8bdd\u865a\u6784\u4e86\u4e00\u4e2a\u540d\u4e3a\u201cCharon\u201d\u7684\u5f00\u653e\u7f51\u7edc\u8eab\u4efd\u9a8c\u8bc1\u7cfb\u7edf\u7684\u8bbe\u8ba1\u3002\u968f\u7740\u5bf9\u8bdd\u7684\u8fdb\u884c\uff0cAthena\u548cEuripides\u53d1\u73b0\u4e86\u5f00\u653e\u7f51\u7edc\u73af\u5883\u4e2d\u56fa\u6709\u7684\u5b89\u5168\u95ee\u9898\u3002\u6bcf\u4e2a\u95ee\u9898\u90fd\u5fc5\u987b\u5728Charon\u7684\u8bbe\u8ba1\u4e2d\u5f97\u5230\u89e3\u51b3\uff0c\u8bbe\u8ba1\u4e5f\u5f97\u5230\u76f8\u5e94\u5730\u53d1\u5c55\u3002Athena\u548cEuripides\u76f4\u5230\u5bf9\u8bdd\u7ed3\u675f\u624d\u5b8c\u6210\u4ed6\u4eec\u7684\u5de5\u4f5c\uff08\u4e0d\u8fc7\u5728\u9632\u91cd\u653e\u653b\u51fb\u7684\u95ee\u9898\u4e0a\u8fd8\u662f\u5b58\u5728\u7f3a\u9677\uff0c\u4e0d\u8fc7\u5728\u5f53\u65f6\u800c\u8a00\u5df2\u7ecf\u57fa\u672c\u591f\u7528\u4e86\uff09\u3002\n\n\u5f53\u4ed6\u4eec\u5b8c\u6210\u7cfb\u7edf\u7684\u8bbe\u8ba1\u540e\uff0cAthena\u5c06\u7cfb\u7edf\u7684\u540d\u79f0\u66f4\u6539\u4e3a\u201cKerberos\u201d\uff0c\u975e\u5e38\u5de7\u5408\u7684\u662f\uff0c\u8fd9\u4e2a\u540d\u79f0\u662f\u5728MIT\u7684Athena\u9879\u76ee\u4e2d\u8bbe\u8ba1\u548c\u5b9e\u73b0\u7684\u8ba4\u8bc1\u7cfb\u7edf\u7684\u540d\u79f0\u3002\u5bf9\u8bdd\u4e2d\u7684\u201cKerberos\u201d\u7cfb\u7edf\u4e0e\u57281988\u5e74\u5fb7\u514b\u8428\u65af\u5dde\u8fbe\u62c9\u65af\u51ac\u5b63USENIX\u5927\u4f1a\u4e0a\u4ecb\u7ecd\u7684 
Kerberos: An Authentication Service for Open Network Systems \u4e2d\u63cf\u8ff0\u7684\u7cfb\u7edf\u60ca\u4eba\u5730\u76f8\u4f3c\u3002\n\n# \u4eba\u7269\u4ecb\u7ecd\n\nAthena    \u4e00\u4e2a\u6709\u524d\u9014\u7684\u7cfb\u7edf\u5f00\u53d1\u4eba\u5458(an up and coming system developer.)\nEuripides    \u4e00\u4e2a\u7ecf\u9a8c\u4e30\u5bcc\u7684\u5f00\u53d1\u4eba\u5458\u548c\u5e38\u9a7b\u602a\u4eba(a seasoned developer and resident crank.)\n\n# Scene I - \u573a\u666f\u4e00\n\n&gt;&gt;&gt; \u683c\u5b50\u95f4\u91cc\u7684\u7b2c\u4e00\u6b21\u76f8\u9047\uff0cAthena \u5411 Euripides \u62b1\u6028\u5206\u65f6\u7cfb\u7edf\u7684\u7f3a\u9677\uff08\u5982\u679c\u5f53\u524d\u5df2\u767b\u5f55\u7684\u4eba\u6570\u6ee1\u4e86\uff0c\u65b0\u7684\u7528\u6237\u5c31\u65e0\u6cd5\u767b\u5f55\uff09\uff0c\u540c\u65f6\u63d0\u51fa\u4e00\u4e2a\u5979\u7684\u613f\u666f\u2014\u2014\u6bcf\u4e2a\u4eba\u90fd\u80fd\u6709\u81ea\u5df1\u7684\u5de5\u4f5c\u7ad9\uff0c\u540c\u65f6\u6253\u5370\/\u90ae\u4ef6\/\u6587\u4ef6\u5b58\u50a8\u7b49\u516c\u7528\u529f\u80fd\u7531\u4e13\u804c\u670d\u52a1\u5668\u6765\u627f\u62c5\u3002Euripides \u6307\u51fa Athena \u60f3\u6cd5\u4e0d\u6210\u719f\u7684\u5730\u65b9\u2014\u2014\u6ca1\u6709\u8ba4\u8bc1\u7cfb\u7edf\uff0c\u5bfc\u81f4\u7f51\u7edc\u4e0a\u7684\u670d\u52a1\u5668\u4e0d\u80fd\u77e5\u9053\u8c01\u662f\u8c01\uff0c\u56e0\u6b64\u80fd\u591f\u5192\u7528\u8eab\u4efd\u505a\u4e00\u4e9b\u4e0d\u53ef\u63a7\u7684\u6076\u610f\u884c\u4e3a\u3002\uff08Athena\u4f1a\u56de\u53bb\u601d\u8003\u65b0\u7684\u65b9\u6848\u6765\u89e3\u51b3\u5bf9\u8bdd\u4e2d\u63d0\u5230\u7684\u5404\u79cd\u8bbe\u8ba1\u7f3a\u9677\uff0c\u76f4\u5230\u80fd\u57fa\u672c\u6ee1\u8db3\u8981\u6c42\uff09\n\n\u683c\u5b50\u95f4\u91cc\uff0cAthena \u548c Euripides \u6b63\u5728\u76f8\u90bb\u7684\u5de5\u4f4d\u5de5\u4f5c\u3002\n\nAthena:    
\u563f\uff0c\u5927\u54e5\uff0c\u8fd9\u4e2a\u5206\u65f6\u7cfb\u7edf\u771f\u662f\u4e2a\u7d2f\u8d58\u3002\u6211\u4ec0\u4e48\u5de5\u4f5c\u90fd\u5e72\u4e0d\u4e86\uff0c\u56e0\u4e3a\u5176\u4ed6\u4eba\u90fd\u5df2\u767b\u5f55\u4e86\u3002\nEuripides: \u4e0d\u8981\u5411\u6211\u62b1\u6028\u3002\u6211\u53ea\u5728\u8fd9\u91cc\u5de5\u4f5c\u3002\n\nAthena:    \u4f60\u77e5\u9053\u6211\u4eec\u9700\u8981\u4ec0\u4e48\u5417\uff1f\u6211\u4eec\u9700\u8981\u4e3a\u6bcf\u4e2a\u4eba\u63d0\u4f9b\u81ea\u5df1\u7684\u5de5\u4f5c\u7ad9\uff0c\u8fd9\u6837\u4ed6\u4eec\u5c31\u4e0d\u5fc5\u62c5\u5fc3\u5171\u4eab\u8ba1\u7b97\u5468\u671f\u3002\u540c\u65f6\u6211\u4eec\u5c06\u4f7f\u7528\u7f51\u7edc\u8fde\u63a5\u6240\u6709\u5de5\u4f5c\u7ad9\uff0c\u8fd9\u6837\u4eba\u4eec\u5c31\u53ef\u4ee5\u76f8\u4e92\u4ea4\u6d41\u3002 You know what we need? We need to give everyone their own workstation so they don't have to worry about sharing computer cycles. And we'll use a network to connect all the workstations so folks can communicate with one another.\nEuripides:    \u7f8e\u597d\u7684\u613f\u671b\u3002\u90a3\u4e48\u6211\u4eec\u9700\u8981\u4ec0\u4e48\uff0c\u5927\u7ea6\u4e00\u5343\u4e2a\u5de5\u4f5c\u7ad9\uff1fFine. So what do we need, about a thousand workstations?\n\nAthena:    \u5dee\u4e0d\u591a\u5427\u3002More or less.\nEuripides:    \u4f60\u89c1\u8fc7\u5178\u578b\u5de5\u4f5c\u7ad9\u78c1\u76d8\u9a71\u52a8\u5668\u7684\u5927\u5c0f\u5417\uff1f\u5206\u65f6\u673a\u5668\u4e0a\u751a\u81f3\u90fd\u6ca1\u6709\u8db3\u591f\u7684\u7a7a\u95f4\u6765\u88c5\u4e0b\u6240\u6709\u7684\u8f6f\u4ef6\u3002 Have you seen the size of a typical workstation's disk drive? 
There isn't enough room for all the software that you have on a timesharing machine.\n\nAthena:    \u6211\u5df2\u7ecf\u60f3\u8fc7\u4e86\u3002\u6211\u4eec\u53ef\u4ee5\u5728\u5404\u79cd\u670d\u52a1\u5668\u4e0a\u4fdd\u7559\u7cfb\u7edf\u8f6f\u4ef6\u7684\u526f\u672c\u3002\u5f53\u4f60\u767b\u5f55\u5230\u5de5\u4f5c\u7ad9\u65f6\uff0c\u5de5\u4f5c\u7ad9\u901a\u8fc7\u4e0e\u5176\u4e2d\u4e00\u53f0\u670d\u52a1\u5668\u5efa\u7acb\u7f51\u7edc\u8fde\u63a5\u6765\u8bbf\u95ee\u7cfb\u7edf\u8f6f\u4ef6\u3002\u8fd9\u79cd\u8bbe\u7f6e\u8ba9\u4e00\u5927\u7fa4\u5de5\u4f5c\u7ad9\u4f7f\u7528\u76f8\u540c\u7684\u7cfb\u7edf\u8f6f\u4ef6\u526f\u672c\uff0c\u5e76\u4e14\u4f7f\u8f6f\u4ef6\u66f4\u65b0\u53d8\u5f97\u65b9\u4fbf\u3002\u4f60\u4e0d\u5fc5\u56db\u5904\u8d70\u52a8\u5230\u6bcf\u4e2a\u5de5\u4f5c\u7ad9\u3002\u53ea\u9700\u4fee\u6539\u7cfb\u7edf\u8f6f\u4ef6\u670d\u52a1\u5668\u3002 I figured that out already. We can keep copies of the system software on various server machines. When you login to a workstation, the workstation accesses the system software by making a network connection with one of the servers. This setup lets a whole bunch of workstations use the same copy of the system software, and it makes software updates convenient. You don't have to trundle around to each workstation. Just modify the system software servers.\nEuripides:    \u597d\u7684\u3002\u4f60\u6253\u7b97\u600e\u4e48\u5904\u7406\u4e2a\u4eba\u6587\u4ef6\uff1f\u4f7f\u7528\u5206\u65f6\u7cfb\u7edf\uff0c\u6211\u53ef\u4ee5\u4ece\u4efb\u4f55\u8fde\u63a5\u5230\u7cfb\u7edf\u7684\u7ec8\u7aef\u767b\u5f55\u5e76\u8bbf\u95ee\u6211\u7684\u6587\u4ef6\u3002\u6211\u53ef\u4ee5\u8d70\u5230\u4efb\u4f55\u5de5\u4f5c\u7ad9\u5e76\u81ea\u52a8\u83b7\u53d6\u6211\u7684\u6587\u4ef6\u5417\uff1f\u8fd8\u662f\u6211\u5fc5\u987b\u50cf PC \u7528\u6237\u4e00\u6837\u5c06\u6587\u4ef6\u4fdd\u5b58\u5728\u8f6f\u76d8\u4e0a\uff1f\u6211\u5e0c\u671b\u4e0d\u662f\u8fd9\u6837\u3002 All right. What are you going to do about personal files? 
With a timesharing system I can login and get to my files from any terminal that is connected to the system. Will I be able to walk up to any workstation and automatically get to my files? Or do I have to make like a PC user and keep my files on diskette? I hope not.\n\nAthena:    \u6211\u8ba4\u4e3a\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u5176\u4ed6\u673a\u5668\u6765\u63d0\u4f9b\u4e2a\u4eba\u6587\u4ef6\u5b58\u50a8\u3002\u4f60\u53ef\u4ee5\u767b\u5f55\u5230\u4efb\u4f55\u5de5\u4f5c\u7ad9\u5e76\u8bbf\u95ee\u4f60\u7684\u6587\u4ef6\u3002 I think we can use other machines to provide personal file storage. You can login to any workstation and get to your files.\nEuripides:    \u6253\u5370\u5462\uff1f\u6bcf\u4e2a\u5de5\u4f5c\u7ad9\u90fd\u9700\u8981\u6709\u81ea\u5df1\u7684\u6253\u5370\u673a\u5417\uff1f\u4f60\u51c6\u5907\u7528\u8c01\u7684\u94b1\u6765\u8fd9\u4e48\u529e\uff1f\u8fd8\u6709\u7535\u5b50\u90ae\u4ef6\u5462\uff1f\u4f60\u51c6\u5907\u600e\u4e48\u5c06\u90ae\u4ef6\u5206\u53d1\u5230\u6240\u6709\u8fd9\u4e9b\u5de5\u4f5c\u7ad9\uff1f What about printing? Does every workstation have its own printer? Whose money are you spending anyway? And what about electronic mail? How are you going to distribute mail to all these workstations?\n\nAthena:    \u55ef\u2026\u2026\u5f88\u660e\u663e\uff0c\u6211\u4eec\u6ca1\u6709\u8db3\u591f\u7684\u94b1\u7ed9\u6bcf\u4e2a\u4eba\u5206\u914d\u4e00\u53f0\u6253\u5370\u673a\uff0c\u4f46\u6211\u4eec\u53ef\u4ee5\u6709\u4e13\u95e8\u7528\u4e8e\u6253\u5370\u670d\u52a1\u7684\u673a\u5668\uff0c\u4f60\u5c06\u4f5c\u4e1a\u53d1\u9001\u5230\u6253\u5370\u670d\u52a1\u5668\uff0c\u5b83\u4f1a\u4e3a\u4f60\u6253\u5370\u3002\u90ae\u4ef6\u6536\u53d1\u4e5f\u4e00\u6837\uff0c\u5b89\u6392\u4e00\u53f0\u4e13\u95e8\u7528\u4e8e\u90ae\u4ef6\u670d\u52a1\u7684\u673a\u5668\u3002\u4f60\u60f3\u8981\u4f60\u7684\u90ae\u4ef6\uff0c\u4f60\u8054\u7cfb\u90ae\u4ef6\u670d\u52a1\u5668\u7136\u540e\u5b83\u4f1a\u628a\u4f60\u7684\u90ae\u4ef6\u53d1\u7ed9\u4f60\u3002 Ah . . . 
Well obviously we don't have the cash to give everyone a printer, but we could have machines dedicated to print service. You send a job to a print server, and it prints it for you. You could do sort of the same thing with mail. Have a machine dedicated to mail service. You want your mail, you contact the mail server and pick up your mail.\nEuripides:    \u4f60\u7684\u5de5\u4f5c\u7ad9\u7cfb\u7edf\u542c\u8d77\u6765\u5f88\u4e0d\u9519\u3002\u5f53\u6211\u62ff\u5230\u6211\u7684\u90ae\u4ef6\uff0c\u4f60\u77e5\u9053\u63a5\u4e0b\u6765\u6211\u8981\u505a\u4ec0\u4e48\u5417\uff1f\u6211\u4f1a\u627e\u51fa\u4f60\u7684\u7528\u6237\u540d\uff0c\u8ba9\u6211\u7684\u5de5\u4f5c\u7ad9\u8ba4\u4e3a\u6211\u662f\u4f60\u3002\u7136\u540e\u6211\u518d\u8054\u7cfb\u90ae\u4ef6\u670d\u52a1\u5668\u83b7\u53d6\u4f60\u7684\u90ae\u4ef6\u3002\u6211\u5c06\u8054\u7cfb\u4f60\u7684\u6587\u4ef6\u670d\u52a1\u5668\u5e76\u5220\u9664\u4f60\u7684\u6587\u4ef6\uff0c\u4ee5\u53ca\u4e00\u7cfb\u5217\u7684\u64cd\u4f5c\u2026\u2026 Your workstation system sounds really good Tina. When I get mine, you know what I'm going to do? I'm going to find out your username, and get my workstation to think that I am you. Then I'm going to contact the mail server and pick up your mail. I'm going to contact your file server and remove your files, and--\n\nAthena:    \u4f60\u80fd\u505a\u5230\u5417\uff1f Can you do that?\nEuripides:    \u5f53\u7136\uff01\u8fd9\u4e9b\u7f51\u7edc\u670d\u52a1\u5668\u600e\u4e48\u77e5\u9053\u6211\u4e0d\u662f\u4f60\uff1f Sure! How are these network servers going to know that I'm not you?\n\nAthena:    \u54ce\uff0c\u6211\u4e0d\u77e5\u9053\u3002\u6211\u60f3\u6211\u9700\u8981\u505a\u4e00\u4e9b\u601d\u8003\u3002 Gee, I don't know. I guess I need to do some thinking.\nEuripides:    \u542c\u8d77\u6765\u662f\u8fd9\u6837\uff0c\u5f53\u4f60\u60f3\u6e05\u695a\u4e86\u544a\u8bc9\u6211\u3002 Sounds like it. 
Let me know when you figure it out.\n\n\n# Scene II - \u573a\u666f\u4e8c\n\n&gt;&gt;&gt; Athena \u60f3\u51fa\u4e86\u4e00\u4e2a\u8bbe\u8ba1\uff0c\u5176\u4e2d\u5305\u542b\u51e0\u4e2a\u7279\u70b9\uff1a\n&gt;&gt;&gt; 1. \u7528\u6237\u5411\u670d\u52a1\u53d1\u8d77\u8bf7\u6c42\u4ee5\u5b9e\u73b0\u7279\u5b9a\u529f\u80fd\u5e76\u4e0d\u662f\u7531\u7528\u6237\u76f4\u63a5\u53d1\u8d77\uff0c\u800c\u662f\u7531\u4e00\u4e2aagent\u4ee3\u7406\u53d1\u8d77\uff0c\u8fd9\u4e2aagent\u4ee3\u7406\u662f\u8fd9\u4e2a\u670d\u52a1\u7684\u5ba2\u6237\u7aef\uff0c\u4e13\u95e8\u7528\u6765\u505a\u6b64\u9879\u5de5\u4f5c\u7684\uff1b\n&gt;&gt;&gt; 2. \u4e0d\u4ec5\u7528\u6237\u6709\u5bc6\u7801\uff0c\u670d\u52a1\u4e5f\u6709\u5bc6\u7801\uff0c\u800c\u8ba4\u8bc1\u7cfb\u7edf Charon \u77e5\u9053\u6240\u6709\u7684\u5bc6\u7801\uff0c\u5bc6\u7801\u5b58\u50a8\u5728\u5355\u4e2a\u96c6\u4e2d\u5f0f\u6570\u636e\u5e93\u4e2d\uff1b\n&gt;&gt;&gt; 3. \u7cfb\u7edf\u6d41\u7a0b\u6982\u8ff0\uff1a\u5f53\u4f60\u8981\u4f7f\u7528\u67d0\u4e2a\u670d\u52a1A\u65f6\uff0c\u5148\u5411 Charon \u63d0\u4f9b\u4f60\u7684\u8d26\u53f7\u5bc6\u7801\uff0c\u7136\u540e\u5b83\u5728\u5185\u90e8\u8fdb\u884c\u5339\u914d\uff0c\u82e5\u80fd\u5339\u914d\u6210\u529f\uff0c\u5219\u8ba4\u4e3a\u4f60\u7684\u8eab\u4efd\u5f97\u5230\u4e86\u8bc1\u5b9e\uff0c\u5e76\u7ed9\u4f60\u53d1\u9001\u4e00\u4e2a\u7968\u8bc1 ticketA(enc{username}) \uff0c\u91cc\u9762\u5305\u542b\u4f7f\u7528\u670d\u52a1A\u7684\u5bc6\u7801\u52a0\u5bc6\u7684\u7528\u6237\u540d\uff0c\u670d\u52a1A\u63a5\u5230\u7968\u8bc1 ticketA \u4e4b\u540e\u7528\u81ea\u5df1\u7684\u5bc6\u7801\u8fdb\u884c\u89e3\u5bc6\uff0c\u82e5\u89e3\u5bc6\u6210\u529f\u4e14 username \u548c\u53d1\u8d77\u8bf7\u6c42\u7684\u4e3a\u540c\u4e00\u4e2a\u8d26\u53f7\uff0c\u5219\u4f1a\u6309\u7167\u9700\u6c42\u6b63\u5e38\u63d0\u4f9b\u670d\u52a1\uff1b\n&gt;&gt;&gt; 4. 
\u7ecf\u5efa\u8bae\uff0c\u5728\u7968\u8bc1 ticket \u4e2d\u6dfb\u52a0\u4e00\u4e2a service name \u4f1a\u6709\u52a9\u4e8e\u670d\u52a1\u5224\u65ad\u662f\u5426\u89e3\u5bc6\u6210\u529f\uff0c\u5373 ticket(enc{username,servicename}) \uff1b\n&gt;&gt;&gt; 5. \u7ecf\u5efa\u8bae\uff0c\u518d\u6dfb\u52a0\u4e00\u4e2a ip_address \u4fe1\u606f\u53ef\u4ee5\u652f\u6301\u548c\u8bf7\u6c42\u53d1\u8d77\u4eba\u7684 ip_address \u4fe1\u606f\u505a\u6bd4\u5bf9\uff0c\u9632\u6b62\u7968\u8bc1\u88ab\u76d7\u7528\uff0c\u5373 ticket(enc{username,ip_address,servicename}) \uff1b\n&gt;&gt;&gt; 6. \u9664\u6b64\u4e4b\u5916\u8fd8\u6709\u4e00\u4e9b\u95ee\u9898\u6ca1\u6709\u89e3\u51b3\uff0c\u6bd4\u5982\u6bcf\u6b21\u60f3\u7528\u4e00\u4e2a\u65b0\u670d\u52a1\u65f6\u90fd\u9700\u8981\u91cd\u590d\u8f93\u5165\u8d26\u53f7\u5bc6\u7801\uff0c\u8fd9\u79cd\u65b9\u5f0f\u4e0d\u5b89\u5168\uff0c\u7528\u6237\u4f53\u9a8c\u4e5f\u5f88\u5dee\u3002\n&gt;&gt;&gt; \u4e0a\u9762\u7684\u8fd9\u4e2a\u8bbe\u8ba1\u5df2\u7ecf\u548c\u73b0\u5728\u5e38\u89c4\u7684\u8d26\u53f7\u5bc6\u7801\u8ba4\u8bc1\u65b9\u5f0f\u5f88\u50cf\u4e86\uff0c\u76f8\u6bd4\u800c\u8a00\u6709\u5176\u4f18\u70b9\uff08\u7c7b\u4f3cSSO\u7684\u591a\u670d\u52a1\u590d\u7528\u540c\u4e00\u5bc6\u7801\uff09\u4e5f\u6709\u7f3a\u70b9\uff08\u6bcf\u6b21\u90fd\u8f93\u5165\u5bc6\u7801\uff09\uff0c\u6bd4\u8f83\u7b80\u5355\u548c\u521d\u7ea7\u3002\n\n\n\u7b2c\u4e8c\u5929\u65e9\u6668\u5728 Euripides \u7684\u529e\u516c\u5ba4\u91cc\uff0cEuripides \u6b63\u5750\u5728\u4e66\u684c\u524d\u770b\u4ed6\u7684\u4fe1\u4ef6\u3002Athena \u6572\u4e86\u6572\u95e8\u3002\n\nAthena:    \u6211\u5df2\u7ecf\u60f3\u5230\u4e86\u8be5\u5982\u4f55\u4fdd\u62a4\u4e00\u4e2a\u5f00\u653e\u7684\u7f51\u7edc\u73af\u5883\uff08\u7684\u65b9\u6cd5\uff09\uff0c\u8fd9\u6837\u50cf\u4f60\u8fd9\u6837\u4e0d\u9053\u5fb7\u7684\u4eba\u5c31\u4e0d\u80fd\u4ee5\u5176\u4ed6\u4eba\u7684\u540d\u4e49\u4f7f\u7528\u7f51\u7edc\u670d\u52a1\u3002 Well I've figured out how to secure an open network environment so that unscrupulous folks like you cannot use 
network services in other people's names.\nEuripides:    Is that so? Have a seat.\n\nAthena sits down.\n\nAthena:    Before I describe it, can I lay down one ground rule about this discussion?\nEuripides:    What's your rule?\n\nAthena:    Well suppose I say something like the following: \"I want my electronic mail, so I contact the mail server and ask it to send the mail to my workstation.\" In reality I'm not the entity that contacts the mail server. I'm using a program to contact the mail server and retrieve my mail, a program that is a CLIENT of the mail service program.\n\nBut I don't want to say \"the client does such-and-such\" every time I refer to a transaction between the user and a network server. I'd just as soon say \"I do such-and-such,\" keeping in mind of course that a client program is doing things on my behalf. Is that okay with you?\n\nEuripides:    Sure. No problem.\n\nAthena:    Good. All right, I'll begin by stating the problem I have solved. In an open network environment, machines that provide services must be able to confirm the identities of people who request service. If I contact the mail server and ask for my mail, the service program must be able to verify that I am who I claim to be, right?\nEuripides:    Right.\n\nAthena:    You could solve the problem clumsily by requiring the mail server to ask for a password before I could use it. I prove who I am to the server by giving it my password.\nEuripides:    That's clumsy all right. In a system like that, every server has to know your password. If the network has one thousand users, each server has to know one thousand passwords. If you want to change your password, you have to contact all servers and notify them of the change. I take it your system isn't this stupid.\n\nAthena:    My system isn't stupid. It works like this: Not only do people have passwords, services have passwords too. Each user knows her or his password, each service program knows its password, and there's an AUTHENTICATION SERVICE that knows ALL passwords--each user's password, and each service's password. The authentication service stores the passwords in a single, centralized database.\nEuripides:    Do you have a name for this authentication service?\n\nAthena:    I haven't thought of one yet. Do you have any ideas?\nEuripides:    What's the name of that fellow who ferries the dead across the River Styx?\n\nAthena:    Charon?\nEuripides:    Yeah, that's him. He won't take you across the river unless you can prove your identity.\n\nAthena:    There you go Rip, trying to rewrite Greek mythology again. Charon doesn't care about your identity. He just wants to make sure that you're dead.\nEuripides:    Have you got a better name?\n\nPause.\nAthena:    No, not really.\nEuripides:    Then let's call the authentication service \"Charon.\"\n\nAthena:    Okay. 
I guess I should describe the system, huh?\n\nLet's say you want to use a service, the mail service. In my system you cannot use a service unless, ah, Charon tells the service that you are who you claim to be. And you can't get the okay to use a service unless you have authenticated yourself to Charon. When you request authentication from Charon, you have to tell Charon the service for which you want the okay. If you want to use the mail server, you've got to tell Charon.\n\nCharon asks you to prove your identity. You do so by providing your secret password. Charon takes your password and compares it to the one that is registered for you in the Charon database. If the two passwords match, Charon considers your identity proven.\n\nCharon now has to convince the mail server that you are who you say you are. Since Charon knows all service passwords, it knows the mail service's password. It's conceivable that Charon could give you the password, which you could forward to the mail service as proof that you have authenticated yourself to Charon.\n\nThe problem is, Charon cannot give you the password directly, because then you would know it. The next time you wanted mail, you could circumvent Charon and use the mail server without correctly identifying yourself. You could even pretend to be someone else, and use the mail server in that other person's name.\n\nSo instead of giving you the mail server's password, Charon gives you a mail service TICKET. This ticket contains a version of your username that has been ENCRYPTED USING the MAIL SERVER'S PASSWORD.\n\nTicket in hand, you can now ask the mail service for your mail. You make your request by telling the mail server who you are, and furnishing the ticket that proves you are who you say you are.\n\nThe server uses its password to decrypt the ticket, and if the ticket decrypts properly, the server ends up with the username that Charon placed in the ticket.\n\nThe service compares this name with the name you sent along with the ticket. If the names match, the mail server considers your identity proven and proceeds to give you your mail.\n\nWhat do you think of those apples?\n\nEuripides:    I've got some questions.\n\nAthena:    I figured. 
Well go ahead.\nEuripides:    When a service program decrypts a ticket, how does it know that it has decrypted the ticket properly?\n\nAthena:    I don't know.\nEuripides:    Maybe you should include the service's name in the ticket. That way when a service decrypts a ticket, it can gauge its success on whether or not it can find its name in the decrypted ticket.\n\nAthena:    That sounds good to me. So the ticket looks something like this:\n(She scrawls the following on a pad of paper:)\n   TICKET -  {username:servicename}\nEuripides:    So the service ticket contains just your username and the servicename?\n\nAthena:    Encrypted with the service's password.\nEuripides:    I don't think that's enough information to make the ticket secure.\n\nAthena:    What do you mean?\nEuripides:    Let's suppose you ask Charon for a mail server ticket. Charon prepares that ticket so that it has your username \"tina\" in it. Suppose I copy that ticket as it whizzes by on its way across the network from Charon to you. Suppose I convince my insecure workstation that my username is \"tina.\" The mail client program on my workstation thinks I am you. In your name, the program forwards the stolen ticket to the mail server. The server decrypts the ticket and sees that it is valid. The username in the ticket matches the name of the user who sent the ticket. The mail server gives me your mail . . .\n\nAthena:    Oh! Well that's not so good.\nEuripides:    But I think I know a way to fix this problem. Or to at least provide a partial fix to it. I think Charon should include more information in the service tickets it produces. In addition to the username, the ticket should also include the NETWORK ADDRESS from which the user asked Charon for the ticket. That gives you an additional level of security.\n\nI'll illustrate. Suppose I steal your mail ticket now. The ticket has your workstation's network address in it, and this address does not match my workstation's address. In your name I forward the purloined ticket to the mail server. The server program extracts the username and network address from the ticket and attempts to match that information against the username and network address of the entity that sent the ticket. The username matches, but the network address does not. The server rejects the ticket because obviously it was stolen.\n\nAthena:    Bravo, bravo! 
I wish I had thought of that.\nEuripides:    Well that's what I'm around for.\n\nAthena:    So the revised ticket design looks like this:\n\nShe scrawls the following on a chalkboard:\n  TICKET -   {username:ws_address:servicename}\n\nAthena:    Now I'm really excited. Let's build a Charon system and see if it works!\nEuripides:    Not so fast. I have some other questions about your system.\n\nAthena:    All right. (Athena leans forward in her chair) Shoot.\nEuripides:    Sounds like I've got to get a new ticket every time I want to use a service. If I'm putting in a full day's work, I'll probably want to get my mail more than once. Do I have to get a new ticket every time I want to get my mail? If that's true, I don't like your system.\n\nAthena:    Ah . . . Well I don't see why tickets can't be reusable. If you get a ticket for the mail server, you ought to be able to use it again and again. For instance, when the mail client program makes a request for service in your name, it forwards a COPY of the ticket to the mail server.\nEuripides:    That's better. But I still have problems. You seem to imply that I have to give Charon my password every time I want to use a service for which I don't have a ticket. I login and want to access my files. I fire off a request to Charon for the proper ticket and this means that I've had to use my password. Then I want to read my mail. Another request to Charon, I have to enter my password again. Now suppose I want to send one of my mail messages to the print server. Another Charon request and, well you get the picture.\n\nAthena:    Uh, yeah, I do.\nEuripides:    And if that weren't bad enough, consider this: it sounds like when you authenticate yourself to Charon, you send your secret password over the network in cleartext. Clever people like yours truly can monitor the network and steal copies of people's passwords. If I've got your password, I can use any service in your name.\n\nAthena sighs.\n\nAthena:    These are serious problems. Guess I need to go back to the drawing board.\n\n\n# Scene III\n\n&gt;&gt;&gt; Scene III carries the discussion further than the first two scenes, and the design has to change more as the discussion deepens:\n\n&gt;&gt;&gt; Athena turns the problems Euripides raised earlier into basic requirements of the system:\n\n&gt;&gt;&gt; 1. Users only have to enter their password once, at the start of a workstation session. This is achieved by inventing a new ticket-granting service, which issues an authenticated user a TGT (ticket-granting ticket). The new service is really part of Charon; it lets you prove your identity from then on with the TGT instead of your password;\n\n&gt;&gt;&gt; 2. 
Passwords must not be sent over the network in cleartext. When you use the kinit program to obtain a TGT, kinit does not send your password to the Charon server; it sends only your username. Charon uses the username to look up your password, encrypts the ticket with that password and returns it. kinit then prompts you for your password and tries to decrypt the returned ticket with it; if decryption succeeds, you have proven yourself to Charon. How the TGT is then used to obtain a service ticket (ST) does not seem to be spelled out in detail, though?\n\n&gt;&gt;&gt; At this stage the user experience is already good: you enter your username and password correctly just once (and the password never crosses the network), and the newly designed ticket-granting service issues a TGT that lets you reach further services without re-entering the password. But the security risk is also considerable, because in the current design a service ticket (ST, service ticket) can be reused: if a service ticket is stolen, your identity at that service is stolen with it. So extra information has to be added to the service ticket to limit its validity. The service ticket format now becomes enc{username:ip_address:servicename:lifespan:timestamp}. Even so, some problems remain, for example replay of a captured ticket within its validity window.\n\n\nThe next morning, Athena finds Euripides in the coffee area and taps him on the shoulder while he is pouring coffee. The two then walk to the coffee machine together.\n\nAthena:    I've got a new version of Charon that solves our problems.\nEuripides:    Really? That was quick.\n\nAthena:    Well, you know, problems of this nature keep me up all night.\nEuripides:    Must be your guilty conscience. Shall we repair to yon small conference room?\n\nAthena:    Why not?\nThe two move to the small conference room.\n\nAthena:    I'll begin by stating the problems again, but I'll invert them so that they become requirements of the system.\nAthena clears her throat.\nAthena:    The first requirement: Users only have to enter their passwords once, at the beginning of their workstation sessions. This requirement implies that you shouldn't have to enter your password every time you need a new service ticket. 
The second requirement: passwords should not be sent over the network in clear text.\nEuripides:    Okay.\n\nAthena:    I'll start with the first requirement: you should only have to use your password once. I've met this requirement by inventing a new network service. It's called the \"ticket-granting\" service, a service that issues Charon tickets to users who have already proven their identity to Charon. You can use this ticket-granting service if you have a ticket for it, a ticket-granting ticket.\n\nThe ticket-granting service is really just a version of Charon in as much as it has access to the Charon database. It's a part of Charon that lets you authenticate yourself with a ticket instead of a password.\n\nAnyhow, the authentication system now works as follows: you login to a workstation and use a program called kinit to contact the Charon server. You prove your identity to Charon, and the kinit program gets you a ticket-granting ticket.\n\nNow say you want to get your mail from the mail server. You don't have a mail server ticket yet, so you use the \"ticket-granting\" ticket to get the mail server ticket for you. You don't have to use your password to get the new ticket.\n\nEuripides:    Do I have to get a new \"ticket-granting\" ticket every time I need to get to another network service?\n\nAthena:    No. Remember, we agreed last time that tickets can be reused. Once you have acquired a ticket-granting ticket, you don't need to get another. You use the ticket-granting ticket to get the other tickets you need.\nEuripides:    Okay, that makes sense. 
And since you can reuse tickets, once the ticket-granting service has given you a ticket for a particular service, you don't need to get that particular ticket again.\n\nAthena:    \u662f\u554a\uff0c\u8fd9\u6837\u505a\u662f\u4e0d\u662f\u5f88\u4f18\u96c5\uff1f Yeah, isn't that elegant?\nEuripides:    \u597d\u7684\uff0c\u76ee\u524d\u4e3a\u6b62\u6211\u90fd\u7406\u89e3\u4e86\u2026\u2026\u53ea\u8981\u4f60\u5728\u83b7\u5f97\u7968\u8bc1\u6388\u4e88\u7968\u8bc1\u65f6\u4e0d\u5fc5\u901a\u8fc7\u7f51\u7edc\u4ee5\u660e\u6587\u5f62\u5f0f\u53d1\u9001\u5bc6\u7801\u3002 Okay, I buy it so far . . . As long as you didn't have to send your password in cleartext over the network when you got the ticket-granting ticket.\n\nAthena:    \n\u5c31\u50cf\u6211\u8bf4\u7684\uff0c\u6211\u4e5f\u89e3\u51b3\u4e86\u8fd9\u4e2a\u95ee\u9898\u3002\u95ee\u9898\u662f\uff0c\u5f53\u6211\u8bf4\u4f60\u5fc5\u987b\u8054\u7cfb Charon \u4ee5\u83b7\u5f97\u7968\u8bc1\u6388\u4e88\u7968\u65f6\uff0c\u542c\u8d77\u6765\u597d\u50cf\u4f60\u5fc5\u987b\u901a\u8fc7\u7f51\u7edc\u4ee5\u660e\u6587\u5f62\u5f0f\u5c06\u5bc6\u7801\u53d1\u9001\u5230 Charon \u670d\u52a1\u5668\u3002\u4f46\u5b9e\u9645\u60c5\u51b5\u4e0d\u4e00\u5b9a\u662f\u8fd9\u6837\u3002 Like I said, I've solved that problem as well. The thing is, when I say you have to contact Charon to get the ticket-granting ticket, I make it sound as though you have to send your password in cleartext over the network to the Charon Server. But it doesn't have to be that way.\n\n\u8fd9\u5c31\u662f\u771f\u6b63\u53d1\u751f\u7684\u4e8b\u60c5\u3002\u5f53\u4f60\u4f7f\u7528 kinit \u7a0b\u5e8f\u83b7\u53d6\u7968\u8bc1\u6388\u4e88\u7968\u8bc1\u65f6\uff0ckinit \u4e0d\u4f1a\u5c06\u4f60\u7684\u5bc6\u7801\u53d1\u9001\u5230 Charon \u670d\u52a1\u5668\uff0ckinit \u53ea\u4f1a\u53d1\u9001\u4f60\u7684\u7528\u6237\u540d\u3002\nHere's really what happens. 
When you use the kinit program to get the ticket-granting ticket, kinit doesn't send your password to the Charon server; kinit sends only your username.\n\nEuripides:    Fine.\n\nAthena:    \nCharon uses the username to look up your password. Next Charon builds a packet of data that contains the ticket-granting ticket. Before it sends you the packet, Charon uses your password to encrypt the packet's contents.\n\nYour workstation receives the ticket packet. You enter your password. Kinit attempts to decrypt the ticket with the password you entered. If kinit succeeds, you have successfully authenticated yourself to Charon. 
You now possess a ticket-granting ticket, and that ticket can get you the other tickets you require.\n\nHow's that for some fancy thinking?\n\nEuripides:    I don't know . . . I'm trying to think myself. You know, I think the parts of the system that you just described work pretty well. Your system requires me to authenticate myself only once. Thereafter Charon can issue me service tickets without my being aware of it. Seamless, seamless in that regard. But there's something about the design of the service ticket that troubles me somehow. It has to do with the fact that tickets are reusable. 
Now I agree that they have to be reusable, but reusable tickets are, by their nature, very dangerous.\n\nAthena:    What do you mean?\nEuripides:    \n\nLook at it this way. Suppose you are using an insecure workstation. In the course of your login session you acquire a mail service ticket, a printing service ticket, and a file service ticket. Suppose you inadvertently leave these tickets on the workstation when you log out.\n\nNow suppose I log in to the workstation and find those tickets. I'm feeling like causing trouble, so I make the workstation think that I am you. 
Since the tickets are made out in your name, I can use the mail client program to access your mail, I can use the file service client to access and remove your files, and I can use the printing command to run up huge bills on your account. All because these tickets have been accidentally left lying around.\n\nAnd nothing can keep me from copying these tickets to a place of my own. I can continue to use them for all eternity.\n\nAthena:    \nBut that's an easy fix. We just write a program that destroys a user's tickets after each login session. You can't use tickets that have been destroyed.\n\nEuripides:    \n\nWell obviously your system must have a ticket-destroying program, but it's foolish to make users rely on such a thing. You can't count on users to remember to destroy their tickets every time they finish a workstation session. 
And even if you rely upon your users to destroy their tickets, consider the following scenario.\n\nI've got a program that watches the network and copies service tickets as they zip across the network. Suppose I feel like victimizing you. I wait for you to begin a workstation session, I turn on my program and copy a bunch of your tickets.\n\nI wait for you to finish your session, and eventually you log out and leave. I fiddle with my workstation's network software and change its address so that it matches the address of the workstation you were using when you acquired the tickets I copied. I make my workstation believe that I am you. I have your tickets, your username, and the correct network address. 
I can REPLAY these tickets and use services in your name.\n\nIt doesn't matter that you destroyed your tickets before you ended your workstation session. The tickets I have stolen are valid for as long as I care to use them, because your current ticket design does not place a limit on the number of times you can reuse a ticket, or on how long a ticket remains valid.\n\nAthena:    Oh, I see what you're saying! Tickets can't be valid forever because they would then constitute a huge security risk. We have to restrict the length of time for which a ticket can be used, perhaps give each ticket some kind of expiration date.\nEuripides:    Exactly. 
I think each ticket needs to have two additional pieces of information: a lifespan that indicates the length of time for which the ticket is valid, and a timestamp that indicates the date and time at which Charon issued the ticket. So a ticket would look something like this:\n\nEuripides goes to the chalkboard and scrawls the following:\n   TICKET   {username:address:servicename:lifespan:timestamp}\n\nEuripides:    Now when a service decrypts tickets, it checks the ticket's username and address against the name and address of the person sending the ticket, and it uses the timestamp and lifespan information to see if the ticket has expired.\n\nAthena:    All right. What kind of lifetime should the typical service ticket have?\nEuripides:    I don't know. Probably the length of a typical workstation session. Say eight hours.\n\nAthena:    So if I sit at my workstation for more than eight hours, all my tickets expire. 
That includes my ticket-granting ticket. So I have to reauthenticate myself to Charon after eight hours.\nEuripides:    That's not unreasonable, is it?\n\nAthena:    I guess not. So we're settled -- tickets expire after eight hours. Now I've got a question for you. Suppose I have copied YOUR tickets from the network--\nEuripides:    (Eyes twinkling) Aw, Tina! You wouldn't really do that, would you?\n\nAthena:    \nThis is just for the sake of argument. I've copied your tickets. Now I wait for you to log out. Suppose you have a doctor's appointment or a class to attend, so you end your workstation session after a couple of hours. 
You are a smart boots and have destroyed your copies of the tickets before logging out.\n\nBut I've stolen your tickets, and they are good for about six hours. That gives me ample time to pillage your files and print one thousand copies of whatever in your name.\n\nSee, the lifetime-timestamp business works fine in the event that a ticket thief chooses to replay the ticket after the ticket has expired. If the thief can replay the ticket before that . . .\n\nEuripides:    Uh, well . . . Of course you are right.\n\nAthena:    I think we have run into a major problem. (She sighs.)\nPause.\n\nEuripides:    I guess that means you'll be busy tonight. 
Want more coffee?\nAthena:    Why not.\n\n\n# Scene IV\n\n&gt;&gt;&gt; At the end of the previous scene one problem was clearly left open: replay of a service ticket (ST) within its validity period. Athena reduces it to this question: how can a service tell that the person using a ticket is the ticket's real owner?\n\n&gt;&gt;&gt; Athena retraces the authentication process to look for a way out. When the client talks to the service it sends username,ip_address,ticket(enc{username:ip_address:servicename:lifespan:timestamp}), where the ticket was encrypted with the service's password, so only the service can open it. After decrypting the ticket the service can compare the username, network address, service name and validity period, but those checks prove at most that the ticket was issued by Charon, that username and ip_address 
match, and that the ticket is still within its lifetime. They cannot show that the ticket really came from its actual owner, because client and service share no other information. The fix is to add a session key that only those two know.\n\n&gt;&gt;&gt; But how Charon distributes the session key to the user and to the service is a problem. Athena's first idea is for Charon's reply to the user to carry both the session key and the ticket, sessionkey|ticket; the service gets its copy because the session key is embedded in the encrypted ticket, ticket(enc{sessionkey:username:address:servicename:lifespan:timestamp}).\n\n&gt;&gt;&gt; When you want to use a service, the client first builds an AUTHENTICATOR containing the username and network address, encrypted with the session key above, sessionkey_enc{username:address} 
, and sends it to the service. The service cannot decrypt the authenticator yet because it does not have the session key; that key is inside the ticket, so the service decrypts the ticket first. Once the ticket is decrypted and found to be still valid, the service uses the session key it obtained to decrypt the authenticator. If the decryption goes through, the service gets the username and network address inside it. The service then checks the name and address in the ticket against the name and address of the sender and against the authenticator. If everything matches, the service has established that the ticket's sender really is its rightful owner.\n\n&gt;&gt;&gt; Even this design does not solve replay, because an attacker can sniff the session key that Charon returns to the user in the clear; with the session key in hand I can still forge packets that pass the validity checks. What actually works is adding a check so that an authenticator can be used only once and cannot be reused.\n\n&gt;&gt;&gt; 
Taken straight as described above, the design still has problems, but Athena later went through it again in her own words, and only then did the actual flow become clear:\n\nclient-&gt;Charon: username\nCharon-&gt;client: userpass_enc{sessionkey,tgt}\nCharon-&gt;server: servicepass_enc{sessionkey:username:address:servicename:lifespan:timestamp}\nThe client successfully decrypts the packet Charon returned and obtains sessionkey,tgt; the tgt's content is the encrypted {sessionkey:username:address:servicename:lifespan:timestamp};\n\nclient-&gt;TGS: sessionkey_enc{authenticator(username:address)}, tgt, username,address,servicename\n\nTGS-&gt;client: sessionkey2\nTGS-&gt;server: sessionkey2\n...\n\nThe scheme above solves leakage in transit with one key per session: the client, the TGS and the service between them hold two pairs of session keys (sessionkey), which strengthens the authentication. But a fake server is still possible, so mutual authentication is needed. In the flow above the server verifies the client's authenticity, but the client never verifies the server. So one more step is added: the client sends an additional encrypted request, and if the server can decrypt it correctly, the client has verified the server too, completing mutual authentication.\n\n\n\nThe next morning in 
Euripides' office. Athena knocks on the door.\n\nEuripides:    You've got rings under your eyes this morning.\n\nAthena:    Well, you know. Another one of those long nights.\nEuripides:    Have you solved the replay problem?\n\nAthena:    I think so.\nEuripides:    Have a seat.\n\nShe does.\nAthena:    As usual, I feel compelled to restate the problem. Tickets are reusable within a limited timespan, say eight hours. 
If someone steals your tickets and chooses to replay them before they expire, we can't do anything to stop them.\nEuripides:    That's the problem.\n\nAthena:    We could beat the problem if we designed the tickets so they couldn't be reusable.\nEuripides:    But then you would have to get a new ticket every time you wanted to use a network service.\n\nAthena:    \nRight. That is a clumsy solution at best. (Pause.) Ah, how do I proceed with my argument? (She ponders for a moment.)\n\nAll right, I'm going to restate the problem again, this time in the form of a requirement. 
A network service must be able to prove that the person using a ticket is the same person to whom that ticket was issued.\n\nLet me trace the authentication process again and see if I can tease out an appropriate way to illustrate my solution to this problem.\n\nI want to use a certain network service. I access that service by starting a client program on my workstation. The client sends three things to the service machine-- my name, my workstation's network address, and the appropriate service ticket.\n\nThe ticket contains the name of the person it was issued to and the address of the workstation that person was using when he or she acquired the ticket. It also contains an expiration date in the form of a lifespan and a timestamp. 
All this information has been encrypted in the service's Charon password.\n\nOur current authentication scheme relies on the following tests:\n\nCan the service decrypt the ticket?\nHas the ticket expired?\nDo the name and workstation address specified in the ticket match the name and address of the person who sent the ticket?\n\nWhat do these tests prove? The first test proves that the ticket either did or did not come from Charon. If the ticket cannot be decrypted, it did not come from the real Charon. The real Charon would have encrypted the ticket with the service's password. Charon and the service are the only two entities that know the service's password. If the ticket decrypts successfully, the service knows that it came from the real Charon. 
This test prevents folks from building fake Charon tickets.\n\nThe second test checks the ticket's lifespan and timestamp. If it has expired, the service rejects the ticket. This test stops people from using old tickets, tickets that perhaps were stolen.\n\nThe third test checks the ticket-user's name and address against the name and address of the person specified in the ticket. If the test fails, the ticket-user has obtained (perhaps surreptitiously) another person's ticket. 
The ticket is of course rejected.\n\n\u5982\u679c\u59d3\u540d\u548c\u5730\u5740\u786e\u5b9e\u5339\u914d\uff0c\u90a3\u6d4b\u8bd5\u8bc1\u660e\u4e86\u4ec0\u4e48\uff1f\u4ec0\u4e48\u4e5f\u6ca1\u6709\u8bc1\u660e\u3002Scallywags \u53ef\u4ee5\u4ece\u7f51\u7edc\u4e0a\u7a83\u53d6\u7968\u8bc1\uff0c\u9002\u5f53\u5730\u66f4\u6539\u4ed6\u4eec\u7684\u5de5\u4f5c\u7ad9\u5730\u5740\u548c\u7528\u6237\u540d\uff0c\u5e76\u63a0\u593a\u5176\u4ed6\u4eba\u7684\u8d44\u6e90\u3002\u6b63\u5982\u6211\u6628\u5929\u6307\u51fa\u7684\uff0c\u95e8\u7968\u53ef\u4ee5\u5728\u6ca1\u6709\u8fc7\u671f\u7684\u60c5\u51b5\u4e0b\u88ab\u91cd\u653e\u3002\u5b83\u4eec\u53ef\u4ee5\u91cd\u653e\uff0c\u56e0\u4e3a\u670d\u52a1\u65e0\u6cd5\u786e\u5b9a\u53d1\u9001\u7968\u8bc1\u7684\u4eba\u662f\u5426\u662f\u7968\u8bc1\u7684\u5408\u6cd5\u6240\u6709\u8005\u3002\nIf the names and addresses do match, what has the test proved? Nothing. Scallywags can steal tickets from the network, change their workstation addresses and usernames appropriately, and rifle other folks resources. As I pointed out yesterday, tickets can be replayed as long as they haven't expired. 
They can be replayed because a service cannot determine that the person sending the ticket is actually the ticket's legitimate owner.\n\n\u670d\u52a1\u672c\u8eab\u65e0\u6cd5\u505a\u51fa\u6b64\u51b3\u5b9a\uff0c\u56e0\u4e3a\u5b83\u4e0d\u4e0e\u7528\u6237\u5171\u4eab\u5bc6\u7801\u3002\u8fd9\u6837\u770b\u3002\u5982\u679c\u6211\u5728 Elsinore \u5b88\u671b\uff0c\u4f60\u77e5\u9053\u8fd9\u662f Hamlet \u4e2d\u7684\u57ce\u5821\uff0c\u4f60\u5e94\u8be5\u63a5\u66ff\u6211\uff0c\u4f46\u9664\u975e\u4f60\u80fd\u63d0\u4f9b\u6b63\u786e\u7684\u5bc6\u7801\uff0c\u5426\u5219\u6211\u4e0d\u5e94\u8be5\u8ba9\u4f60\u4ee3\u66ff\u6211\u7684\u4f4d\u7f6e\u3002\u8fd9\u5c31\u662f\u6211\u4eec\u4e24\u4e2a\u5171\u4eab\u5bc6\u7801\u7684\u60c5\u51b5\u3002\u8fd9\u53ef\u80fd\u662f\u5176\u4ed6\u4eba\u4e3a\u6240\u6709\u5b88\u671b\u7684\u4eba\u7f16\u9020\u7684\u5bc6\u7801\u3002\nThe service cannot make this determination because it does not share a secret with the user. Look at it this way. If I'm on watch at Elsinore, you know, the castle in Hamlet, and you are supposed to relieve me, I'm not supposed to let you take my place unless you can provide the correct password. That's the case where the two of us share a secret. And it's probably a secret that someone else made up for everyone who stands on watch.\n\n\u6240\u4ee5\u6211\u6628\u665a\u5728\u60f3\uff0c\u4e3a\u4ec0\u4e48\u4e0d\u8ba9 Charon \u4e3a\u5408\u6cd5\u7684\u7968\u636e\u62e5\u6709\u8005\u7f16\u4e00\u4e2a\u5bc6\u7801\u6765\u4e0e\u670d\u52a1\u5171\u4eab\u5462\uff1fCharon \u5c06\u6b64\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\u63d0\u4f9b\u7ed9\u670d\u52a1\uff0c\u4e5f\u540c\u65f6\u63d0\u4f9b\u7ed9\u7528\u6237\u3002\u5f53\u670d\u52a1\u6536\u5230\u7528\u6237\u7684\u7968\u65f6\uff0c\u5b83\u53ef\u4ee5\u4f7f\u7528\u4f1a\u8bdd\u5bc6\u94a5\u6765\u6d4b\u8bd5\u7528\u6237\u7684\u8eab\u4efd\u3002\nSo I was thinking last night, why not have Charon make up a password for the legitimate ticket-owner to share with the service? 
Charon gives a copy of this session key to the service, and a copy to the user. When the service receives a ticket from a user, it can use the session key to test the user's identity.\n\nEuripides:    \u7b49\u4e00\u7b49\u3002Charon \u5c06\u5982\u4f55\u7ed9\u53cc\u65b9\u4f1a\u8bdd\u5bc6\u94a5\uff1f Wait a second. How is Charon going to give both parties the session key?\n\nAthena:    \u7968\u8bc1\u62e5\u6709\u8005\u4ece Charon \u83b7\u5f97\u4f1a\u8bdd\u5bc6\u94a5\u4f5c\u4e3a\u56de\u590d\u7684\u4e00\u90e8\u5206\u3002\u50cf\u8fd9\u6837\uff1a The ticket-owner gets the session key as part of the reply from Charon. Like this:\n\u5979\u5728\u9ed1\u677f\u4e0a\u6f66\u8349\u5730\u5199\u7740\uff1a She scrawls the following on a chalkboard:\n\n CHARON REPLY  -  &#91;sessionkey|ticket]\n\n\u670d\u52a1\u7684\u4f1a\u8bdd\u5bc6\u94a5\u526f\u672c\u5305\u542b\u5728\u7968\u8bc1\u4e2d\uff0c\u670d\u52a1\u5728\u89e3\u5bc6\u7968\u8bc1\u65f6\u83b7\u53d6\u5bc6\u94a5\u3002\u6240\u4ee5\u7968\u662f\u8fd9\u6837\u7684\uff1a The service's copy of the session key comes inside the ticket, and the service gets the key when it decrypts the ticket. So the ticket looks like this:\n\n TICKET -  {sessionkey:username:address:servicename:lifespan:timestamp}\n\n\u5f53\u4f60\u60f3\u83b7\u5f97\u4e00\u9879\u670d\u52a1\u65f6\uff0c\u4f60\u542f\u52a8\u7684\u5ba2\u6237\u7aef\u7a0b\u5e8f\u4f1a\u6784\u5efa\u6211\u6240\u8bf4\u7684 AUTHENTICATOR\u3002\u8eab\u4efd\u9a8c\u8bc1\u5668\u5305\u542b\u4f60\u7684\u59d3\u540d\u548c\u5de5\u4f5c\u7ad9\u7684\u5730\u5740\u3002\u5ba2\u6237\u7aef\u4f7f\u7528\u4f1a\u8bdd\u5bc6\u94a5\uff08\u662f\u5728\u8bf7\u6c42\u7968\u8bc1\u65f6\u6536\u5230\u7684\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\uff09\u52a0\u5bc6\u6b64\u4fe1\u606f\u3002\nWhen you want to get to a service, the client program you start builds what I call an AUTHENTICATOR. The authenticator contains your name and your workstation's address. 
The client encrypts this information with the session key, the copy of the session key you received when you requested the ticket.\n\n  AUTHENTICATOR - {username:address} encrypted with session key\n\n\u6784\u5efa\u8eab\u4efd\u9a8c\u8bc1\u5668\u540e\uff0c\u5ba2\u6237\u7aef\u5c06\u5176\u548c\u7968\u8bc1\u53d1\u9001\u5230\u670d\u52a1\u3002\u8be5\u670d\u52a1\u8fd8\u65e0\u6cd5\u89e3\u5bc6\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u56e0\u4e3a\u5b83\u6ca1\u6709\u4f1a\u8bdd\u5bc6\u94a5\u3002\u8be5\u5bc6\u94a5\u5728\u7968\u8bc1\u4e2d\uff0c\u56e0\u6b64\u670d\u52a1\u9996\u5148\u89e3\u5bc6\u7968\u8bc1\u3002\nAfter building the authenticator, the client sends it and the ticket to the service. The service cannot decrypt the authenticator yet because it doesn't have the session key. That key is in the ticket, so the service first decrypts the ticket.\n\n\u89e3\u5bc6\u7968\u8bc1\u540e\uff0c\u670d\u52a1\u6700\u7ec8\u5f97\u5230\u4ee5\u4e0b\u4fe1\u606f\uff1a After decrypting the ticket, the service ends up with the the following information:\n\nThe ticket's lifespan and timestamp;\nThe ticket-owner's name;\nThe ticket-owner's network address;\nThe session 
key.\n\n\u8be5\u670d\u52a1\u4f1a\u68c0\u67e5\u7968\u8bc1\u662f\u5426\u5df2\u8fc7\u671f\u3002\u5982\u679c\u5728\u8fd9\u65b9\u9762\u4e00\u5207\u6b63\u5e38\uff0c\u5219\u670d\u52a1\u63a5\u4e0b\u6765\u4f7f\u7528\u4f1a\u8bdd\u5bc6\u94a5\u6765\u89e3\u5bc6\u8eab\u4efd\u9a8c\u8bc1\u5668\u3002\u5982\u679c\u89e3\u5bc6\u987a\u5229\u8fdb\u884c\uff0c\u5219\u670d\u52a1\u4f1a\u4ee5\u7528\u6237\u540d\u548c\u7f51\u7edc\u5730\u5740\u7ed3\u675f\u3002\u8be5\u670d\u52a1\u4f1a\u6839\u636e\u7968\u8bc1\u4e2d\u7684\u59d3\u540d\u548c\u5730\u5740\u4ee5\u53ca\u53d1\u9001\u7968\u8bc1\u7684\u4eba\u7684\u59d3\u540d\u548c\u5730\u5740\u4ee5\u53ca\u8eab\u4efd\u9a8c\u8bc1\u5668\u6765\u6d4b\u8bd5\u6b64\u4fe1\u606f\u3002\u5982\u679c\u4e00\u5207\u90fd\u5339\u914d\uff0c\u5219\u670d\u52a1\u5df2\u786e\u5b9a\u7968\u8bc1\u53d1\u9001\u8005\u786e\u5b9e\u662f\u7968\u8bc1\u7684\u771f\u6b63\u6240\u6709\u8005\u3002\nThe service checks to see if the ticket has expired. If all is well in that regard, the service next uses the session key to decrypt the authenticator. If the decryption proceeds without a hitch, the service ends up with a username and a network address. The service tests this information against the name and address found in the ticket, AND the name and address of the person who sent the ticket and authenticator. 
If everything matches, the service has determined that the ticket-sender is indeed the ticket's real owner.\n\nAthena \u987f\u4e86\u987f\uff0c\u6e05\u4e86\u6e05\u55d3\u5b50\uff0c\u559d\u4e86\u70b9\u5496\u5561\u3002 Athena pauses, clears her throat, drinks some coffee.\n\n\u6211\u8ba4\u4e3a\u4f1a\u8bdd\u5bc6\u94a5\u9a8c\u8bc1\u6d41\u7a0b\u53ef\u4ee5\u89e3\u51b3\u91cd\u653e\u95ee\u9898\u3002 I think the session key-authenticator business takes care of the replay problem.\n\nEuripides:    \u4e5f\u8bb8\u5427\u3002\u4f46\u6211\u60f3\u77e5\u9053\u2026\u2026\u8981\u7834\u89e3\u6b64\u7248\u672c\u7684\u7cfb\u7edf\uff0c\u6211\u5fc5\u987b\u62e5\u6709\u8be5\u670d\u52a1\u7684\u9002\u5f53\u8eab\u4efd\u9a8c\u8bc1\u5668\u3002 Maybe. But I wonder . . . To break this version of the system, I must have the proper authenticator for the service.\n\nAthena:    \u4e0d\u3002\u4f60\u5fc5\u987b\u540c\u65f6\u62e5\u6709\u8eab\u4efd\u9a8c\u8bc1\u5668\u548c\u670d\u52a1\u7968\u8bc1\u3002\u6ca1\u6709\u7968\u8bc1\u7684\u9a8c\u8bc1\u5668\u4e00\u6587\u4e0d\u503c\uff0c\u56e0\u4e3a\u670d\u52a1\u4e0d\u80fd\u5728\u6ca1\u6709\u9996\u5148\u83b7\u5f97\u9002\u5f53\u7684\u4f1a\u8bdd\u5bc6\u94a5\u7684\u60c5\u51b5\u4e0b\u89e3\u5bc6\u9a8c\u8bc1\u5668\uff0c\u5e76\u4e14\u670d\u52a1\u4e0d\u80fd\u5728\u6ca1\u6709\u9996\u5148\u89e3\u5bc6\u7968\u8bc1\u7684\u60c5\u51b5\u4e0b\u83b7\u5f97\u9002\u5f53\u7684\u4f1a\u8bdd\u5bc6\u94a5\u3002 No. You must have the authenticator AND the ticket for the service. 
The authenticator is worthless without the ticket because the service cannot decrypt the authenticator without first having the appropriate session key, and the service cannnot get the appropriate session key without first decrypting the ticket.\nEuripides:    \u597d\u7684\uff0c\u6211\u660e\u767d\u4e86\uff0c\u4f46\u662f\u4f60\u4e0d\u662f\u8bf4\u5f53\u5ba2\u6237\u7aef\u7a0b\u5e8f\u8054\u7cfb\u670d\u52a1\u5668\u65f6\uff0c\u5b83\u4f1a\u4e00\u8d77\u53d1\u9001\u7968\u8bc1\u548c\u5339\u914d\u7684\u8eab\u4efd\u9a8c\u8bc1\u5668\u5417\uff1f Okay, I understand that, but didn't you say that when a client program contacts the server, it sends the ticket and matching authenticator together?\n\nAthena:    \u662f\u7684\uff0c\u6211\u60f3\u6211\u662f\u8fd9\u4e48\u8bf4\u7684\u3002 Yes, I guess I said that.\nEuripides:    \u5982\u679c\u8fd9\u5c31\u662f\u5b9e\u9645\u60c5\u51b5\uff0c\u662f\u4ec0\u4e48\u963b\u6b62\u6211\u540c\u65f6\u7a83\u53d6\u7968\u8bc1\u548c\u8eab\u4efd\u9a8c\u8bc1\u5668\uff1f\u6211\u786e\u4fe1\u6211\u53ef\u4ee5\u7f16\u5199\u4e00\u4e2a\u7a0b\u5e8f\u6765\u5b8c\u6210\u8fd9\u9879\u5de5\u4f5c\u3002\u5982\u679c\u6211\u6709\u7968\u548c\u5b83\u7684\u9a8c\u8bc1\u5668\uff0c\u6211\u76f8\u4fe1\u53ea\u8981\u7968\u8fd8\u6ca1\u6709\u8fc7\u671f\uff0c\u6211\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e24\u8005\u3002\u6211\u53ea\u9700\u8981\u9002\u5f53\u5730\u66f4\u6539\u6211\u7684\u5de5\u4f5c\u7ad9\u5730\u5740\u548c\u7528\u6237\u540d\u3002\u4f60\u89c9\u5f97\u5462\uff1f If that's what actually happens, what prevents me from stealing the ticket and authenticator at the same time? I'm sure I could write a program to do the job. If I've got the ticket and its authenticator, I believe I can use the two as long as the ticket has not expired. I just have to change my workstation address and username appropriately. True?\n\nAthena:    \u6ca1\u9519\u3002\u8fd9\u592a\u4ee4\u4eba\u6cae\u4e27\u4e86\u3002 (Biting her lip) True. 
How dispiriting.\nEuripides:    \u7b49\u7b49\uff0c\u7b49\u7b49\uff0c\u7b49\u7b49\uff01\u8fd9\u6ca1\u4ec0\u4e48\u5927\u4e0d\u4e86\u7684\u3002\u7968\u8bc1\u53ea\u8981\u6ca1\u6709\u8fc7\u671f\u5c31\u53ef\u4ee5\u91cd\u590d\u4f7f\u7528\uff0c\u4f46\u8fd9\u5e76\u4e0d\u610f\u5473\u7740\u8eab\u4efd\u9a8c\u8bc1\u5668\u5fc5\u987b\u662f\u53ef\u91cd\u590d\u4f7f\u7528\u7684\u3002\u5047\u8bbe\u6211\u4eec\u5c06\u7cfb\u7edf\u8bbe\u8ba1\u4e3a\u9a8c\u8bc1\u5668\u53ea\u80fd\u4f7f\u7528\u4e00\u6b21\u3002\u8fd9\u80fd\u7ed9\u6211\u4eec\u5e26\u6765\u4ec0\u4e48\u5417\uff1f Wait, wait, wait! This isn't such a big deal. Tickets are reusable as long as they haven't expired, but that doesn't mean that authenticators have to be reusable. Suppose we design the system so that authenticators can only be used once. Does that buy us anything?\n\nAthena:    \n\u55ef\uff0c\u5b83\u53ef\u80fd\u3002\u8ba9\u6211\u4eec\u770b\u770b\uff0c\u5ba2\u6237\u7aef\u7a0b\u5e8f\u6784\u5efa\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u7136\u540e\u5c06\u5176\u4e0e\u7968\u8bc1\u4e00\u8d77\u53d1\u9001\u5230\u670d\u52a1\u3002\u5f53\u7968\u8bc1\u548c\u8eab\u4efd\u9a8c\u8bc1\u5668\u4ece\u6211\u7684\u5de5\u4f5c\u7ad9\u79fb\u52a8\u5230\u670d\u52a1\u5668\u65f6\uff0c\u4f60\u53ef\u4ee5\u590d\u5236\u5b83\u4eec\u3002\u4f46\u662f\u7968\u8bc1\u548c\u8eab\u4efd\u9a8c\u8bc1\u5668\u5728\u4f60\u53d1\u9001\u526f\u672c\u4e4b\u524d\u5230\u8fbe\u670d\u52a1\u5668\u3002\u5982\u679c\u9a8c\u8bc1\u5668\u53ea\u80fd\u4f7f\u7528\u4e00\u6b21\uff0c\u90a3\u4e48\u4f60\u7684\u526f\u672c\u5c31\u6ca1\u6709\u7528\uff0c\u5e76\u4e14\u5f53\u4f60\u5c1d\u8bd5\u91cd\u653e\u4f60\u7684\u7968\u8bc1\u548c\u9a8c\u8bc1\u5668\u65f6\u4f60\u4f1a\u5931\u8d25\u3002\nWell, it might. Let's see, the client program builds the authenticator, then sends it with the ticket to the service. You copy both ticket and authenticator as they move from my workstation to the server. But the ticket and authenticator arrive at the server before you can send your copies. 
If the authenticator can only be used once, your copy of it is no good, and you lose when you attempt to replay your ticket and authenticator.\n\n\u55ef\uff0c\u8fd9\u662f\u4e00\u79cd\u529e\u6cd5\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u6240\u8981\u505a\u7684\u5c31\u662f\u53d1\u660e\u4e00\u79cd\u65b9\u6cd5\uff0c\u4f7f\u8eab\u4efd\u9a8c\u8bc1\u5668\u6210\u4e3a\u4e00\u6b21\u6027\u53ef\u7528\u7684\u4e1c\u897f\u3002 Well, that's a relief. So all we have to do is invent a way to make the authenticator a one-time usable thing.\n\nEuripides:    \n\n\u6ca1\u95ee\u9898\u3002\u8ba9\u6211\u4eec\u5728\u5b83\u4eec\u4e0a\u9762\u52a0\u4e0a\u4e00\u4e2a\u751f\u547d\u5468\u671f\u548c\u65f6\u95f4\u6233\u3002\u5047\u8bbe\u6bcf\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u5668\u7684\u751f\u547d\u5468\u671f\u4e3a\u51e0\u5206\u949f\u3002\u5f53\u4f60\u60f3\u4f7f\u7528\u670d\u52a1\u65f6\uff0c\u4f60\u7684\u5ba2\u6237\u7aef\u7a0b\u5e8f\u4f1a\u6784\u5efa\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u7528\u5f53\u524d\u65f6\u95f4\u6807\u8bb0\u5b83\uff0c\u7136\u540e\u5c06\u5176\u548c\u7968\u8bc1\u53d1\u9001\u5230\u670d\u52a1\u5668\u3002\nNo problem. Let's just put a lifespan and timestamp on them. Suppose each authenticator has a lifespan of a couple of minutes. When you want to use a service, your client program builds the authenticator, stamps it with the current time, then sends it and the ticket to the server.\n\n\u670d\u52a1\u5668\u63a5\u6536\u5230\u7968\u8bc1\u548c\u8eab\u4efd\u9a8c\u8bc1\u5668\u5e76\u5f00\u59cb\u8fdb\u884c\u6821\u9a8c\u3002\u5f53\u670d\u52a1\u5668\u89e3\u5bc6\u8ba4\u8bc1\u5668\u65f6\uff0c\u5b83\u4f1a\u68c0\u67e5\u8ba4\u8bc1\u5668\u7684\u751f\u547d\u5468\u671f\u548c\u65f6\u95f4\u6233\u3002\u5982\u679c\u8eab\u4efd\u9a8c\u8bc1\u5668\u5c1a\u672a\u8fc7\u671f\uff0c\u5e76\u4e14\u5176\u4ed6\u6240\u6709\u68c0\u67e5\u90fd\u6b63\u786e\uff0c\u5219\u670d\u52a1\u5668\u8ba4\u4e3a\u4f60\u5df2\u901a\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u3002\nThe server receives the ticket and authenticator and goes about its business. 
When the server decrypts the authenticator, it checks the authenticator's lifespan and timestamp. If the authenticator hasn't expired, and everything else checks properly, the server considers you authenticated.\n\n\u5047\u8bbe\u6211\u5728\u5b83\u4eec\u901a\u8fc7\u7f51\u7edc\u65f6\u590d\u5236\u4e86\u8eab\u4efd\u9a8c\u8bc1\u5668\u548c\u7968\u8bc1\u3002\u6211\u5fc5\u987b\u66f4\u6539\u6211\u7684\u5de5\u4f5c\u7ad9\u7684\u7f51\u7edc\u5730\u5740\u548c\u6211\u7684\u7528\u6237\u540d\uff0c\u800c\u4e14\u6211\u5fc5\u987b\u5728\u51e0\u5206\u949f\u5185\u5b8c\u6210\u8fd9\u4e00\u5207\u3002\u8fd9\u662f\u4e00\u4e2a\u76f8\u5f53\u9ad8\u7684\u8981\u6c42\u3002\u4e8b\u5b9e\u4e0a\uff0c\u6211\u8ba4\u4e3a\u8fd9\u662f\u4e0d\u53ef\u80fd\u7684\u3002\u9664\u975e\u2026\u2026\nSuppose I copied the athenticator and ticket as they crossed the network. I have to change my workstation's network address and my username, and I have to do this all in a couple of minutes. That's a pretty tall order. In fact I don't think it's possible. Unless . . .\n\n\u597d\u5427\uff0c\u8fd9\u662f\u4e00\u4e2a\u6f5c\u5728\u7684\u95ee\u9898\u3002\u5047\u8bbe\u5f53\u7968\u8bc1\u548c\u8eab\u4efd\u9a8c\u8bc1\u5668\u4ece\u4f60\u7684\u5de5\u4f5c\u7ad9\u4f20\u8f93\u5230\u670d\u52a1\u5668\u65f6\uff0c\u6211\u6ca1\u6709\u590d\u5236\u7968\u8bc1\u548c\u9a8c\u8bc1\u5668\uff0c\u800c\u662f\u590d\u5236\u4e86\u6765\u81ea Charon \u7684\u539f\u59cb\u7968\u8bc1\u5305\u2014\u2014\u5f53\u4f60\u8981\u6c42 Charon \u7ed9\u4f60\u4e00\u5f20\u7968\u8bc1\u65f6\u4f60\u6536\u5230\u7684\u6570\u636e\u5305\u3002\nWell, here's a potential problem. 
Suppose that instead of copying the ticket and authenticator as they travel from your workstation to the server, I copy original ticket packet that comes from Charon, the packet you receive when you ask Charon to give you a ticket.\n\n\u6211\u8bb0\u5f97\uff0c\u8fd9\u4e2a\u6570\u636e\u5305\u4e2d\u6709\u4e24\u4efd\u4f1a\u8bdd\u5bc6\u94a5\uff1a\u4e00\u4efd\u7ed9\u4f60\uff0c\u4e00\u4efd\u7ed9\u670d\u52a1\u3002\u7528\u4e8e\u670d\u52a1\u7684\u4e00\u4e2a\u9690\u85cf\u5728\u7968\u8bc1\u4e2d\uff0c\u6211\u65e0\u6cd5\u627e\u5230\u5b83\uff0c\u4f46\u662f\u53e6\u4e00\u4e2a\uff0c\u4f60\u7528\u6765\u6784\u5efa\u8eab\u4efd\u9a8c\u8bc1\u5668\u7684\u90a3\u4e2a\u5462\uff1f\nThis packet, as I recall, has two copies of the session key in it: one for you and one for the service. The one for the service is hidden in the ticket and I can't get to it, but what about the other one, the one you use to build authenticators?\n\n\u5982\u679c\u6211\u80fd\u5f97\u5230\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\uff0c\u6211\u5c31\u53ef\u4ee5\u6784\u5efa\u81ea\u5df1\u7684\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u5982\u679c\u6211\u80fd\u6784\u5efa\u81ea\u5df1\u7684\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u6211\u5c31\u53ef\u4ee5\u7834\u574f\u7cfb\u7edf\u3002\nIf I can get that copy of the session key, I can build my own authenticators, and if I can build my own authenticators, I can break the system.\n\nAthena:    \n\u8fd9\u4e2a\u95ee\u9898\u6211\u6628\u665a\u60f3\u8fc7\uff0c\u4f46\u540e\u6765\u6211\u8ffd\u8e2a\u4e86\u83b7\u53d6\u95e8\u7968\u7684\u8fc7\u7a0b\uff0c\u53d1\u73b0\u7528\u8fd9\u79cd\u65b9\u5f0f\u7a83\u53d6\u8eab\u4efd\u9a8c\u8bc1\u5668\u662f\u4e0d\u53ef\u80fd\u7684\u3002\nThat's something I thought about last night, but then I traced the process of acquiring tickets and found that it wasn't possible to steal authenticators that way.\n\n\u4f60\u5728\u5de5\u4f5c\u7ad9\u5750\u4e0b\u5e76\u4f7f\u7528 kinit \u7a0b\u5e8f\u83b7\u53d6\u4f60\u7684\u7968\u8bc1\u6388\u4e88\u7968\u8bc1\u3002 
Kinit\u8be2\u95ee\u4f60\u7684\u7528\u6237\u540d\uff0c\u8f93\u5165\u540e\uff0ckinit\u5c06\u540d\u79f0\u8f6c\u53d1\u7ed9 Charon\u3002\nYou sit down at a workstation and use the kinit program to get your ticket-granting ticket. Kinit asks for your username, and after you enter it, kinit forwards the name to Charon.\n\nCharon \u4f7f\u7528\u4f60\u7684\u540d\u5b57\u6765\u67e5\u627e\u4f60\u7684\u5bc6\u7801\uff0c\u7136\u540e\u7ee7\u7eed\u4e3a\u4f60\u6784\u5efa\u4e00\u4e2a\u6388\u4e88\u7968\u8bc1\u7684\u7968\u8bc1\u3002\u4f5c\u4e3a\u6b64\u8fc7\u7a0b\u7684\u4e00\u90e8\u5206\uff0cCharon \u521b\u5efa\u4e00\u4e2a\u4f1a\u8bdd\u5bc6\u94a5\uff0c\u4f60\u5c06\u4e0e\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u5171\u4eab\u8be5\u5bc6\u94a5\u3002Charon \u5c06\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\u653e\u5165\u6388\u4e88\u7968\u8bc1\u7684\u7968\u8bc1\u4e2d\uff0c\u5e76\u5c06\u4f60\u7684\u526f\u672c\u653e\u5165\u4f60\u5373\u5c06\u6536\u5230\u7684\u7968\u8bc1\u5305\u4e2d\u3002\u4f46\u662f\u5728\u5b83\u5411\u4f60\u53d1\u9001\u8fd9\u4e2a\u6570\u636e\u5305\u4e4b\u524d\uff0cCharon \u4f1a\u7528\u4f60\u7684\u5bc6\u7801\u5bf9\u6574\u4e2a\u6570\u636e\u8fdb\u884c\u52a0\u5bc6\u3002\nCharon uses your name to look up your password, then proceeds to build a ticket-granting ticket for you. As part of this process, Charon creates a session key that you will share with the ticket-granting service. Charon puts a copy of the session key in the ticket-granting ticket, and puts your copy in the the ticket packet that you are about to receive. 
But before it sends you this packet, Charon encrypts the whole thing with your password.\n\nCharon \u901a\u8fc7\u7f51\u7edc\u53d1\u9001\u6570\u636e\u5305\u3002\u6709\u4eba\u53ef\u4ee5\u5728\u6570\u636e\u5305\u7ecf\u8fc7\u65f6\u590d\u5236\u5b83\uff0c\u4f46\u4ed6\u4eec\u4e0d\u80fd\u5bf9\u5b83\u505a\u4efb\u4f55\u4e8b\u60c5\uff0c\u56e0\u4e3a\u5b83\u5df2\u7ecf\u7528\u4f60\u7684\u5bc6\u7801\u52a0\u5bc6\u4e86\u3002\u5177\u4f53\u6765\u8bf4\uff0c\u6ca1\u6709\u4eba\u53ef\u4ee5\u7a83\u53d6\u6388\u4e88\u7968\u8bc1\u7684\u4f1a\u8bdd\u5bc6\u94a5\u3002\nCharon sends the packet across the network. Someone can copy the packet as it goes by, but they can't do anything with it because it has been encrypted with your password. Specifically, no one can steal the ticket-granting session key.\n\nKinit \u6536\u5230\u7968\u8bc1\u5305\u5e76\u63d0\u793a\u4f60\u8f93\u5165\u5bc6\u7801\u3002\u5982\u679c\u4f60\u8f93\u5165\u6b63\u786e\u7684\u5bc6\u7801\uff0c kinit\u53ef\u4ee5\u89e3\u5bc6\u6570\u636e\u5305\u5e76\u4e3a\u4f60\u63d0\u4f9b\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\u3002\nKinit receives the ticket packet and prompts you for a password, which you enter. If you enter the correct password, kinit can decrypt the packet and give you your copy of the session key.\n\n\u73b0\u5728\u4f60\u5df2\u7ecf\u5b8c\u6210\u4e86 kinit \u4e1a\u52a1\uff0c\u90a3\u4e48\u4f60\u60f3\u8981\u83b7\u53d6\u4f60\u7684\u90ae\u4ef6\uff0c\u4f60\u542f\u52a8\u90ae\u4ef6\u5ba2\u6237\u7aef\u7a0b\u5e8f\u3002\u8be5\u7a0b\u5e8f\u67e5\u627e\u90ae\u4ef6\u670d\u52a1\u7968\uff0c\u4f46\u6ca1\u6709\u627e\u5230\uff08\u6bd5\u7adf\uff0c\u4f60\u8fd8\u6ca1\u6709\u5c1d\u8bd5\u83b7\u53d6\u90ae\u4ef6\uff09\u3002\u5ba2\u6237\u7aef\u5fc5\u987b\u4f7f\u7528\u6388\u4e88\u7968\u8bc1\u7684\u7968\u8bc1\u5411\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u8bf7\u6c42\u90ae\u4ef6\u670d\u52a1\u7968\u8bc1\u3002\nNow that you've taken care of the kinit business, you want to get your mail. You start the mail client program. 
This program looks for a mail service ticket and doesn't find one (after all, you haven't tried to get your mail yet). The client must use the ticket-granting ticket to ask the ticket-granting service for a mail service ticket.\n\n\u5ba2\u6237\u7aef\u4e3a\u6388\u4e88\u7968\u8bc1\u7684\u4ea4\u6613\u6784\u5efa\u4e00\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u5668\uff0c\u5e76\u4f7f\u7528\u4f60\u7684\u6388\u4e88\u7968\u8bc1\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\u52a0\u5bc6\u8be5\u8eab\u4efd\u9a8c\u8bc1\u5668\u3002\u7136\u540e\u5ba2\u6237\u7aef\u5411 Charon \u53d1\u9001\u8eab\u4efd\u9a8c\u8bc1\u5668\u3001\u6388\u4e88\u7968\u8bc1\u7684\u7968\u8bc1\u3001\u4f60\u7684\u59d3\u540d\u3001\u4f60\u7684\u5de5\u4f5c\u7ad9\u5730\u5740\u548c\u90ae\u4ef6\u670d\u52a1\u7684\u540d\u79f0\u3002\nThe client builds an authenticator for the ticket-granting transaction and encrypts the authenticator with your copy of the ticket-granting session key. The client then sends Charon the authenticator, the ticket-granting ticket, your name, your workstation's address, and the name of the mail service.\n\n\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u63a5\u6536\u8fd9\u4e9b\u5185\u5bb9\u5e76\u8fd0\u884c\u8eab\u4efd\u9a8c\u8bc1\u68c0\u67e5\u3002\u5982\u679c\u4e00\u5207\u68c0\u67e5\u6b63\u786e\uff0c\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u6700\u7ec8\u4f1a\u5f97\u5230\u4e00\u4efd\u4e0e\u4f60\u5171\u4eab\u7684\u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\u3002\u73b0\u5728\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u4e3a\u4f60\u6784\u5efa\u4e00\u4e2a\u90ae\u4ef6\u670d\u52a1\u7968\u8bc1\uff0c\u5e76\u5728\u6b64\u8fc7\u7a0b\u4e2d\u521b\u5efa\u4e00\u4e2a\u65b0\u7684\u4f1a\u8bdd\u5bc6\u94a5\u4f9b\u4f60\u4e0e\u90ae\u4ef6\u670d\u52a1\u5171\u4eab\u3002\nThe ticket-granting service receives this stuff and runs through the authentication checks. If everything checks properly, the ticket-granting service ends up with a copy of the session key that it shares with you. 
Now the ticket-granting service builds you a mail service ticket, and during this process, creates a new session key for you to share with the mail service.\n\n\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u73b0\u5728\u51c6\u5907\u4e00\u4e2a\u7968\u8bc1\u5305\u4ee5\u53d1\u9001\u56de\u4f60\u7684\u5de5\u4f5c\u7ad9\u3002\u8be5\u6570\u636e\u5305\u5305\u542b\u7968\u8bc1\u548c\u4f60\u7684\u90ae\u4ef6\u670d\u52a1\u4f1a\u8bdd\u5bc6\u94a5\u526f\u672c\u3002\u4f46\u5728\u53d1\u9001\u6570\u636e\u5305\u4e4b\u524d\uff0c\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u4f1a\u4f7f\u7528\u5176 TICKET-GRANTING \u4f1a\u8bdd\u5bc6\u94a5\u7684\u526f\u672c\u5bf9\u6570\u636e\u5305\u8fdb\u884c\u52a0\u5bc6\u3002\u5b8c\u6210\u540e\uff0c\u6570\u636e\u5305\u5c06\u5728\u9014\u4e2d\u53d1\u9001\u3002\nThe ticket-granting service now prepares a ticket packet to send back to your workstation. The packet contains the ticket and your copy of the mail service session key. But before it sends the packet, the ticket-granting service encrypts the packet with its copy of the TICKET-GRANTING session key. 
That done, the packet is sent on its way.\n\n\u6240\u4ee5\u8fd9\u91cc\u662f\u90ae\u4ef6\u670d\u52a1\u7968\u5305\uff0c\u5728\u7f51\u7edc\u4e0a\u5faa\u73af\u3002\u5047\u8bbe\u4e00\u4e9b\u7f51\u7edc\u98df\u4eba\u9b54\u5728\u5b83\u7ecf\u8fc7\u65f6\u590d\u5236\u5b83\u3002\u98df\u4eba\u9b54\u5f88\u4e0d\u8d70\u8fd0\uff0c\u56e0\u4e3a\u6570\u636e\u5305\u662f\u7528\u6388\u4e88\u7968\u8bc1\u7684\u4f1a\u8bdd\u5bc6\u94a5\u52a0\u5bc6\u7684\uff1b\u4f60\u548c\u7968\u8bc1\u6388\u4e88\u670d\u52a1\u662f\u552f\u4e00\u77e5\u9053\u6b64\u5bc6\u94a5\u7684\u5b9e\u4f53\u3002\u7531\u4e8e\u98df\u4eba\u9b54\u65e0\u6cd5\u89e3\u5bc6\u90ae\u4ef6\u7968\u5305\uff0c\u98df\u4eba\u9b54\u65e0\u6cd5\u53d1\u73b0 MAIL SESSION KEY\u3002\u5982\u679c\u6ca1\u6709\u8fd9\u4e2a\u4f1a\u8bdd\u5bc6\u94a5\uff0c\u98df\u4eba\u9b54\u5c31\u65e0\u6cd5\u4f7f\u7528\u4f60\u968f\u540e\u53ef\u80fd\u901a\u8fc7\u7f51\u7edc\u53d1\u9001\u7684\u4efb\u4f55\u90ae\u4ef6\u670d\u52a1\u7968\u8bc1\u3002\nSo here comes the mail service ticket packet, loping across the network. Suppose some network ogre copies it as it goes by. The ogre is out of luck because the packet is encrypted with the ticket-granting session key; you and the ticket-granting service are the only entities that know this key. Since the ogre cannot decrypt the mail ticket packet, the ogre cannot discover the MAIL SESSION KEY. Without this session key, the ogre cannot use any of the mail service tickets you might subsequently send across the network.\n\n\u6240\u4ee5\u6211\u8ba4\u4e3a\u6211\u4eec\u662f\u5b89\u5168\u7684\u3002\u4f60\u600e\u4e48\u770b\uff1f\nSo I think we're safe. What do you think?\n\nEuripides:    \u4e5f\u8bb8\u5427\u3002Perhaps.\n\nAthena:    \u4e5f\u8bb8\uff01\u4f60\u80fd\u8bf4\u7684\u5c31\u8fd9\u4e9b\u5417\uff01 Perhaps! 
Is that all you can say!\nEuripides:    (laughing) Don't get upset. You should know my ways by now. I guess it is mean of me, and you up half the night.\n\nAthena:    Pthhhhh!\nEuripides:    All right, three-quarters of the night. Actually, the system is beginning to sound acceptable. This session key business solves a problem that I thought of last night: the problem of mutual authentication.\n\nPause.\nMind if I talk for a minute?\nAthena:    (A trifle coldly) Be my guest.\nEuripides:    You are so kind. (Euripides clears his throat.) Last night, while visions of session keys and authenticators danced in your head, I was trying to find new problems with the system, and I found one that I thought was pretty serious. I'll illustrate it by way of the following scenario.\n\n
Suppose you are sick of your current job and have determined that it is in your best interest to move on. You want to print your resume on the company's wizz-bang laser printer so that headhunters and potential employers can take note of your classiness.\n\n
So you enter the printing command, and direct it to send the resume to the appropriate print server. The command gets the proper service ticket, if you don't already have it, then sends the ticket in your name to the appropriate print server. At least that's where you think it's headed. You don't in fact know that the request is headed for the right print server.\n\n
Suppose that some unscrupulous hacker--say it's your boss--has screwed the system around so that he redirects your request and its ticket to the print server in his office. His print service program doesn't care about the ticket or its contents. It throws away the ticket and sends a message to your workstation indicating that the ticket passed muster, and that the server is ready and willing to print your job. The printing command sends the job to the fraudulent print server and the enemy ends up with your resume.\n\n
I'll state the problem by way of contrast. Without session keys and authenticators, Charon can protect its servers from false users, but it cannot protect its users from false servers. The system needs a way for client programs to authenticate the server before sending sensitive information to the service. The system must allow for mutual authentication.\n\n
But the session key solves this problem as long as you design your client programs properly. Back to the print server scenario. I want a print client program that makes sure the service it's sending jobs to is the legitimate service.\n\n
Here's what such a program does. I enter the printing command and give it a filename, the name of my resume. Assume that I have a print service ticket and session key. The client program uses the session key to build an authenticator, then sends the authenticator and ticket to the \"supposed\" print server. The client DOES NOT send the resume yet; it waits for a response from the service.\n\n
The real service receives the ticket and authenticator, decrypts the ticket and extracts the session key, then uses the session key to decrypt the authenticator. This done, the service runs all the appropriate authentication tests.\n\n
Assume the tests confirm my identity. Now the server prepares a reply packet so that it can prove its identity to the client program. It uses its copy of the session key to encrypt the reply packet, then sends the packet to the waiting client.\n\n
The client receives the packet and attempts to decrypt it with my copy of the session key. If the packet decrypts properly and yields the correct server response message, my client program knows that the server that encrypted the packet is the real server. Now the client sends the resume job to the print service.\n\n
Suppose my boss screwed around with the system so that his print server poses as the one I want. My client sends the authenticator and ticket to the \"print service\" and waits for a response. The fake print service cannot generate the correct response because it cannot decrypt the ticket and get the session key. My client will not send the job unless it receives the correct response. Eventually the client gives up waiting and exits. My print job does not get completed, but at least my resume did not end up on the desk of the enemy.\n\n
You know, I think we have a solid basis on which to implement the Charon Authentication System.\n\n
Athena:    Perhaps. Anyway, I don't like the name \"Charon.\"\nEuripides:    You don't? Since when?\n\n
Athena:    I've never liked it, because the name doesn't make sense. I was talking to my Uncle Hades about it the other day, and he suggested another name, the name of his three-headed watch dog.\nEuripides:    Oh, you mean \"Cerberus.\"\n\n
Athena:    Bite your tongue, Rip! \"Cerberus\" indeed . . .\nEuripides:    Er, isn't that the name?\n\n
Athena:    Yeah, if you happen to be a Roman! I'm a Greek goddess, he's a Greek watch dog, and his name is \"Kerberos,\" \"Kerberos\" with a K.\nEuripides:    Okay, okay, don't throw thunderbolts. I'll buy the name. Actually, it has a nice ring to it. Adios Charon and hello to Kerberos.\n\n\n
# Afterword\n\n
The dialogue was written in 1988 to help its readers understand the fundamental reasons for why the Kerberos V4 protocol was the way it was. Over the years, it has served this job very well.\n\n
When I converted this document to HTML, I was amazed how much of this document was still applicable for the Kerberos V5 protocol. Although many things were changed, the basic core ideas of the protocol have remained the same. Indeed, there are only two changes where Kerberos V5 differs from the description of the \"Kerberos\" protocol in this dialogue.\n\n
The first change was born out of the recognition that using a small five-minute time skew wasn't necessarily sufficient to prevent replay attacks from an attacker who used a program to automatically grab the ticket and the authenticator as they traversed the network, and then immediately resent them to launch a replay attack.\n\n
In Kerberos V5, authenticators are made to be truly \"once-only\" by having servers which accept tickets keep a \"replay cache\" which keeps note of authenticators that have been presented to the server recently. If an attacker tries to snatch an authenticator and reuse it, even during the five-minute acceptance window, the replay cache will be able to determine that the authenticator has already been presented to the server.\n\n
The second major change to the protocol is that the ticket is no longer encrypted in the user's password when it is sent from the Kerberos server to kinit during the initial ticket exchange. The ticket is already encrypted in the ticket granting server's secret key; furthermore, when it is actually used to obtain other tickets, it gets sent in the network in the clear anyway. Hence, there is no reason why the ticket should be encrypted again in the user's password. (The rest of the Kerberos server's reply to the user, containing for example the user's copy of the ticket session key, is still encrypted in the user's password, of course.)\n\n
A similar change was also made to the ticket granting service (TGS) protocol; tickets returned by TGS are also no longer encrypted by the ticket-granting ticket's service key, since application tickets are already encrypted by the application server's secret key. So, for example, the packet that in Kerberos V4 would have looked like this:\n\n   KDC_REPLY = {TICKET, client, server, K_session}K_user\n\nwhere \"{X}K_Y\" is read \"X encrypted using key K_Y\" and\n   TICKET = {client, server, start_time, lifetime, K_session}K_server\n\nIn Kerberos V5, the KDC_REPLY now would look like this:\n  KDC_REPLY = TICKET, {client, server, K_session}K_user\n\n
Of course, there are many new features in Kerberos V5 as well. Users can now securely forward their tickets so that they can be used at another network location; in addition, users may also delegate a subset of their authorization rights to a server, so that the server can act as a proxy on behalf of a user. Other new features include the ability to replace DES with a more secure cryptographic algorithm, such as triple-DES. Readers who are interested in more of the changes between Kerberos V4 and V5 are invited to read The Evolution of the Kerberos Authentication System, which was authored by Cliff Neuman and Theodore Ts'o.\n\n
I hope you've enjoyed this quick little introduction to the Kerberos protocol. 
I wish you well in your further explorations!\n\nTheodore Ts'o, February 1997.<\/code><\/pre>\n\n\n\n<h5 class=\"wp-block-heading\">References:<\/h5>\n\n\n\n<p>Designing an Authentication System: a Dialogue in Four Scenes<br><a href=\"http:\/\/web.mit.edu\/kerberos\/dialogue.html\">http:\/\/web.mit.edu\/kerberos\/dialogue.html<\/a><\/p>\n\n\n\n<p>Kerberos: The Network Authentication Protocol<br><a href=\"https:\/\/web.mit.edu\/kerberos\/\">https:\/\/web.mit.edu\/kerberos\/<\/a><\/p>\n\n\n\n<p>=END=<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=Start= Background: Recently, while studying the Kerberos protocol, I took a careful look at what Bill Bryant wrote in  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,25],"tags":[1197,37,1877,1875,1878],"class_list":["post-5360","post","type-post","status-publish","format-standard","hentry","category-knowledgebase-2","category-security","tag-kerberos","tag-security","tag-1877","tag-1875","tag-1878"],"views":1079,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/5360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=5360"}],"version-history":[{"count":1,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/5360\/revisions"}],"predecessor-version":[{"id":5361,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/5360\/revisions\/5361"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=5360"}],"wp:te
rm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=5360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=5360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}