Research On Kerberos Password Recovery And Security Reinforcement

With the development of distributed computing and cloud computing,the security issues of identity authentication and data transmission between nodes in distributed systems have become increasingly prominent.Kerberos is the most widely used identity authentication protocol in various information systems.The analysis,research and implementation of password recovery and security hardening technology have great application value and significance.Kerberos has a variety of implementation methods,using a variety of mainstream hash functions and encryption and decryption technology,currently commonly used AES and RC4 versions.This dissertation analyzes the protocol's authentication process,password generation method,and decryption methods by studying the relevant RFC documents of the protocol;obtaining authentication data passed through the network through Wireshark,using the password exhaustion method,restoring the encryption process,and comparing the results with The encrypted data obtained by packet capture is compared,and finally the user password is obtained.The thesis also improves the Kerberos authentication protocol in combination with the idea of mimic defense.The main work done in this article has the following three items:(1)An optimized password recovery algorithm for Kerberos authentication protocol is proposed.By analyzing the content and structure of the encrypted data,it is found that each value of the timestamp in the encrypted content is 0 ～ 9,the timestamp part is decrypted in advance,and the timestamp format is judged,the current exhaustive password is correct and No,instead of using the method of decrypting all the encrypted data and comparing the checksum given in the RFC document.The algorithm is based on timestamp verification,which reduces the HMAC-MD5 algorithm in each step of the algorithm cycle from 3 to 2 times,so that the probability of the HMACMD5-RC4 password recovery algorithm entering the second round of RC4 cycle is reduced to 10 One in 50,000 improves the efficiency of password recovery and improves the performance of password recovery by 30% through experiments.This part of the work corresponds to the third chapter of this article.(2)The password recovery algorithm of Kerberos authentication protocol is implemented on FPGA.Among them,the HMAC-MD5 algorithm in the first half of the program uses 64 parallel calculation pipeline algorithms for key calculation,the second half of the RC4 algorithm uses 140 algorithms in parallel calculation,and the two parts use a polling scheme to assign keys to the second half,and The HMAC-MD5,MD5,RC4 algorithms used in it are optimized for algorithms and registers.Through the comparison of experimental results,the algorithm efficiency of the FPGA platform has been improved by 30% compared to the GPU platform,and by more than 200 times compared with the CPU platform.This part of the work corresponds to the fourth chapter of this article.(3)Combining mimic defense to propose an improved scheme of Kerberos authentication protocol.By constantly changing the salt value and hash function,the internal structure of the protocol is always in the process of active change,and the passive change attribute is given to the protocol through the negative feedback mechanism,which makes the Kerberos authentication protocol show an uncertainty to the outside world,confusing Ciphertext structure,password recovery is difficult to implement.This part of the work corresponds to the fifth chapter of this article.