摘要： Kerberos认证协议容易遭受口令攻击和重放攻击，且需要2次双线性对运算、2次指数运算和1次椭圆曲线上的点乘运算，计算量大。为此，利用高效的无证书密钥协商对Kerberos协议进行改进。用户与认证服务器之间通过使用无证书签密技术抵抗伪造攻击。分析结果证明，改进协议符合密钥协商的6个基本安全要求，满足已知密钥安全性、完美前向安全性、抗未知密钥共享安全性、密钥不可控性、已知会话临时信息安全性，能抵抗口令攻击、重放攻击、中间人攻击及密钥泄漏伪装攻击，并且仅需3次点乘运算，具有较高的效率。

关键词: Kerberos协议, 无证书公钥密码学, 密钥协商, 身份认证

Abstract: Kerberos authentication protocol is apt to suffer password attack and replay attack, and it needs double bilinear logarithmic operations, double exponent arithmetic and one dot multiplication on elliptic curve. Aiming at vulnerability and large amount of computation of Kerberos authentication protocol, this paper improves it with the help of high-efficient certificateless key agreement. In order to resist masquerade attacks, the certificateless signcryption technology is used between a user and authentication service. Analysis result proves that the improved protocol meets six basic security demands of key agreement. That’s to say, it can satisfy with the requirements of known key security, perfect forward security, resisting unknown key sharing security, keys’ uncontrollability and temporal known session information security. It can resist password attack, replay attack, intermediary attack and key exposure impersonation attack, and has higher efficiency with only three dot multiplications.

Key words: Kerberos protocol, Certificateless Public Key Cryptography(CL-PKC), key agreement, identity authentication

中图分类号: 

• TP309