Difference between SSL and Kerberos authentication?
I am trying to understand what's the actual difference between SSL and Kerberos authentications, and why sometimes I have both SSL traffic and Kerberos.
Or does Kerberos use SSL in any way?
Anyone could help?
Thank you!
In short:
Kerberos usually does not encrypt the data being transferred, but SSL and TLS do.
Conversely, SSL and TLS usually do not transfer and prove your Windows domain login name to the server, but Kerberos does.
While Kerberos and SSL are both protocols, Kerberos is an authentication protocol, but SSL is an encryption protocol. Kerberos usually uses UDP, SSL uses (most of the time) TCP. SSL authentication is usually done by checking the server's and the client's RSA or ECDSA keys embedded in something called X.509 certificates. You're authenticated by your certificate and the corresponding key. With Kerberos, you can be authenticated by your password, or some other way. Windows uses Kerberos, for example, when used in a domain.
Keep in mind: Recent versions of SSL are called TLS for Transport Layer Security.
To put it simply, Kerberos is a protocol for establishing mutual identity trust, or authentication, for a client and a server, via a trusted third-party, whereas SSL ensures authentication of the server alone, and only if its public key has already been established as trustworthy via another channel. Both provide secure communication between the server and client.
More formally (but without getting into mathematical proofs), given a client C, server S, and a third-party T which both C and S trust:
After Kerberos authentication, it is established that:
SSL, on the other hand, only establishes that:
Clearly, Kerberos establishes a stronger, more complete trust relationship.
Additionally, to establish the identity of S over SSL, C needs prior knowledge about S, or an external way to confirm this trust. For most people's everyday use, this comes in the form of Root Certificates, and caching of S's certificate for cross-referencing in the future.
Without this prior knowledge, SSL is susceptible to a man-in-the-middle attack, where a third-party is able to pretend to be S to C by relaying communication between them using 2 separate secure channels to C and S. To compromise a Kerberos authentication, the eavesdropper must masquerade as T to both S and C. Note, however, that the set of trusts is still unbroken according to the goal of Kerberos, as the end-state is still correct according to the precondition "C and S trust T".
Finally, as it has been pointed out in a comment, Kerberos can be and has been extended to use an SSL-like mechanism for establishing the initial secure connection between C and T.
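The following is an added illustration of the trust-anchor argument in this answer; it is not code from the answer's author or from any TLS library. It models the public-key side with textbook RSA on Mersenne primes (tiny moduli, no padding: enough to show the verification logic, worthless as real cryptography). The names "Example Root CA" and "web.example", the certificate layout and the `PinStore` class are all constructed for the demo. A client that holds a pre-installed root accepts S's genuine certificate and rejects a self-signed one carrying S's name or a genuine one whose key was swapped; a client with no prior knowledge cannot tell them apart at all, which is the gap the answer describes. The pin store models the "caching of S's certificate" variant.

```python
import hashlib
import json

# Toy RSA: public exponent shared by everyone, moduli built from Mersenne primes.
# Roughly 100-bit moduli and no padding -- illustration only, NOT secure.
E = 65537


def keypair(p: int, q: int):
    """Return ((n, e), d) for the two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), pow(E, -1, phi)


def _digest(tbs: dict, n: int) -> int:
    """Hash of the to-be-signed fields, reduced into the signer's modulus."""
    raw = hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest()
    return int.from_bytes(raw, "big") % n


def issue_cert(subject: str, subject_pub, issuer: str, issuer_pub, issuer_priv: int) -> dict:
    """Minimal certificate: subject name, subject public key, issuer name, issuer's signature."""
    tbs = {"subject": subject, "pub": list(subject_pub), "issuer": issuer}
    n = issuer_pub[0]
    return {**tbs, "sig": pow(_digest(tbs, n), issuer_priv, n)}


def signature_valid(cert: dict, issuer_pub) -> bool:
    tbs = {k: cert[k] for k in ("subject", "pub", "issuer")}
    n, e = issuer_pub
    return pow(cert["sig"], e, n) == _digest(tbs, n)


def verify_server(cert: dict, hostname: str, trust_anchors: dict) -> str:
    """What a TLS client does: check the name, find the issuer among its roots, check the signature."""
    if cert["subject"] != hostname:
        return "rejected: name mismatch"
    issuer_pub = trust_anchors.get(cert["issuer"])
    if issuer_pub is None:
        return "rejected: issuer not in trust store"
    if not signature_valid(cert, issuer_pub):
        return "rejected: bad signature"
    return "accepted"


class PinStore:
    """Trust-on-first-use: remember S's key on the first visit and compare on later ones."""

    def __init__(self):
        self.pins = {}

    def check(self, cert: dict, hostname: str) -> str:
        pub = tuple(cert["pub"])
        if hostname not in self.pins:
            self.pins[hostname] = pub
            return "accepted (pinned on first use)"
        return "accepted" if self.pins[hostname] == pub else "rejected: key changed since first visit"


def run_demo() -> dict:
    # Constructed parties: a root CA (C's prior knowledge), the real server S, and an impostor.
    root_pub, root_priv = keypair((1 << 61) - 1, (1 << 127) - 1)
    srv_pub, _srv_priv = keypair((1 << 31) - 1, (1 << 107) - 1)
    mitm_pub, mitm_priv = keypair((1 << 19) - 1, (1 << 89) - 1)
    anchors = {"Example Root CA": root_pub}

    genuine = issue_cert("web.example", srv_pub, "Example Root CA", root_pub, root_priv)
    # The impostor can put S's name in a certificate, but can only sign with a key it holds.
    self_signed = issue_cert("web.example", mitm_pub, "web.example", mitm_pub, mitm_priv)
    # Or keep the root's signature and swap in its own key: the signature no longer matches.
    key_swapped = dict(genuine, pub=list(mitm_pub))

    pins = PinStore()
    return {
        "genuine": verify_server(genuine, "web.example", anchors),
        "self_signed": verify_server(self_signed, "web.example", anchors),
        "key_swapped": verify_server(key_swapped, "web.example", anchors),
        "no_anchors": verify_server(genuine, "web.example", {}),  # no prior knowledge: nothing to check against
        "pin_first": pins.check(genuine, "web.example"),
        "pin_again": pins.check(self_signed, "web.example"),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:12} {result}")
```

The `no_anchors` case is the important one: with an empty trust store the client has no way to reject the genuine certificate either, so "verification" degenerates to accepting whatever arrives, and an attacker holding two separate channels to C and S can relay freely. Pinning trades that for a different assumption, namely that the first visit was not intercepted.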
SSL uses public key cryptography:
Kerberos does not use public key cryptography. It uses a trusted 3rd party. Here's a sketch:
SSL authentication uses certificates to verify yourself to the server, whereas Kerberos works entirely differently.
SSL can be imported manually and added as per configurations in client and host manually.
Whereas Kerberos is authentication where no passwords are transmitted over the network. Here the Kerberos KDC server doesn't need to communicate with any service or host to verify the client. The client uses the principal stored in Kerberos to communicate with the Kerberos server. In return the Kerberos server provides a ticket using the keytab of the other server stored beforehand. In the other server, the client provides the ticket and the service matches the ticket with its own keytab and verifies the client.
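The toy model below is an added illustration of the ticket flow this answer describes (and of the "C and S trust T" relationship in the earlier answer); it is not code from either author or from any Kerberos implementation. The KDC, the principal "alice", the service "http/web.example" and the password are all constructed for the demo, the AS and TGS exchanges are collapsed into one step, and `seal`/`unseal` are a hash-keystream-plus-HMAC stand-in for Kerberos's real AES encryption types. What it shows: the password never leaves the client (only a key derived from it is used), the KDC never talks to the service, the service verifies the ticket purely against its own keytab key, and the service's reply proves its identity back to the client. The negative cases (wrong password, forged ticket, replay, expiry) show what each check catches.

```python
import hashlib
import hmac
import json
import secrets


def derive_key(password: str, principal: str) -> bytes:
    """Kerberos-style string-to-key: the password itself never goes on the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (hash keystream + HMAC); stands in for a Kerberos enctype."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """T, the trusted third party: holds a long-term key for every principal, users and services."""

    def __init__(self):
        self.keys = {}

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def issue(self, client: str, service: str, now: int, lifetime: int = 300) -> bytes:
        # A fresh session key goes out twice: inside the ticket (sealed with the service's key,
        # opaque to the client) and in the reply (sealed with the client's key). No message to S.
        session_key = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "expires": now + lifetime})
        return seal(self.keys[client], {"service": service, "key": session_key, "ticket": ticket.hex()})


class Service:
    """S: has only its keytab entry and a replay cache; it never learns the client's password."""

    def __init__(self, name: str, keytab_key: bytes):
        self.name, self.key, self.seen = name, keytab_key, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: int, skew: int = 300) -> bytes:
        t = unseal(self.key, ticket)  # only a holder of the keytab key can open the ticket
        if t["expires"] < now:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["key"])
        a = unseal(session_key, authenticator)  # proves the client obtained the session key from T
        if a["client"] != t["client"] or abs(a["ts"] - now) > skew:
            raise ValueError("authenticator does not match ticket or clock skew too large")
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replay detected")
        self.seen.add((a["client"], a["ts"]))
        # Mutual authentication: only a keytab holder could have recovered the session key.
        return seal(session_key, {"ts": a["ts"] + 1})


def client_login(kdc: KDC, user: str, password: str, service: str, now: int):
    """C: open the KDC reply with the password-derived key, then build an authenticator."""
    reply = unseal(derive_key(password, user), kdc.issue(user, service, now))
    session_key = bytes.fromhex(reply["key"])
    return bytes.fromhex(reply["ticket"]), seal(session_key, {"client": user, "ts": now}), session_key


def _outcome(action) -> str:
    try:
        action()
        return "accepted"
    except ValueError as err:
        return str(err)


def run_demo() -> dict:
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    kdc, svc_key = KDC(), secrets.token_bytes(32)
    kdc.register("alice", derive_key("correct horse", "alice"))  # constructed sample user
    kdc.register("http/web.example", svc_key)  # the same key sits in the host's keytab
    web = Service("http/web.example", svc_key)

    ticket, auth, sk = client_login(kdc, "alice", "correct horse", "http/web.example", now)
    results = {"mutual_auth_ok": unseal(sk, web.accept(ticket, auth, now))["ts"] == now + 1}
    results["replay"] = _outcome(lambda: web.accept(ticket, auth, now))
    results["wrong_password"] = _outcome(lambda: client_login(kdc, "alice", "wrong", "http/web.example", now))
    # A host without the keytab cannot mint a ticket the service will open.
    forged = seal(secrets.token_bytes(32), {"client": "alice", "key": sk.hex(), "expires": now + 300})
    results["forged_ticket"] = _outcome(lambda: web.accept(forged, auth, now))
    results["expired"] = _outcome(lambda: web.accept(ticket, auth, now + 301))
    return results


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:15} {result}")
```

Note how the wrong-password case fails on the client side: the KDC reply simply cannot be opened, so nothing about the password is ever checked by, or sent to, T or S. The replay cache and the clock-skew window are the two service-side checks that make the authenticator more than a static credential.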
Simply put,
SSL is to encrypt the data so that the data cannot be understood by someone who is trying to steal it out in the network.
Kerberos is a network authentication protocol which helps in authenticating a client to talk to server without sharing any password/token during the time of the request.
From https://www.eldos.com/security/articles/7240.php?page=all,
Kerberos and TLS are not the things to compare. They have different objectives and different methods. At the beginning of our article we mentioned the frequently asked questions like "which is better" and "what to choose". The former is not a question at all: nothing is better and everything is good if you use it in the right way. The latter question is worth serious consideration: what to choose depends on what you have and what you want.
If you want to secure your communications in the sense that nobody can read or tamper with them, perhaps the right choice is to use TLS or some other protocol based on it. A good example of TLS usage for securing World Wide Web traffic carried by HTTP is to use HTTPS. For secure file transfer you may use FTPS, and take into account that SMTP (though it stands for a "simple" mail transfer protocol, not "secure") may also be protected with TLS.
On the other hand, if you need to manage user access to services, you may want to use Kerberos. Imagine, for example, that you have several servers like a Web server, FTP, SMTP and SQL servers, and optionally something else, everything on one host. Some clients are allowed to use SMTP and HTTP, but not allowed to use FTP; others may use FTP but don't have access to your databases. This is exactly the situation where Kerberos comes into use: you just have to describe user rights and your administrative policy in the Authentication Server.
From http://web.mit.edu/kerberos/:
Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
Meanwhile:
SSL is used for establishing server<-->server authentication via public key encryption.
A short answer: SSL and Kerberos both use encryption but SSL uses a key that is unchanged during a session while Kerberos uses several keys for encrypting the communication between a client and a client.
In SSL, encryption is dealt with directly by the two ends of communication while in Kerberos, the encryption key is provided by a third party - some kind of intermediate - between the client and the server.