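Identity authentication

Assignment requirements

Couriers do not verify identity carefully and allow parcels to be collected on someone else's behalf, which introduces many security risks.
Design a phone-based app that lets the courier verify identity and the customer collect the parcel. Any authentication method may be used, as long as it is simple and practical.

(1) State which parts the app consists of (a diagram may be added) and the function of each part
(2) Describe the interaction in Kerberos-style notation, with explanations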

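Assumptions, modelled on Kerberos

  • The courier needs to confirm that the customer's real identity matches the identity they claim
  • The customer will not voluntarily disclose the password known only to themselves and the KDC
  • A trusted third party (the KDC) exists and issues the delivery ticket to the user
    The KDC shares a separate symmetric key with each user (customers and couriers)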

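Terminology

  • KDC (Key Distribution Center) = key distribution center
  • TGT (Ticket Granting Ticket) = delivery ticket (pickup QR code)
  • goal = parcel information
  • SS (Service Server) = the specific service provider (the courier)
  • A = customer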

Stage 1: the user logs in to the AS to obtain the ticket

The user sends their username to the KDC server. The KDC server generates the corresponding TGT, timestamps it, looks up the user's key in its local database, encrypts the TGT with that key, and sends the result back to the client. The client receives the message, decrypts it with its own key, and obtains the TGT.

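Local login: the user enters IDA and a password
The local client derives the key EKA from the password and sends the following plaintext to the KDC:
A -> KDC : IDA || IDSS
The AS checks that the ID is in its local database, then uses the key EKA derived from A's password to encrypt and return the key K for communication between A and the TGS, the parcel information goal, and the TGT encrypted with the key shared by the TGS and the KDC (containing K, IDA and the timestamp LT):
KDC -> A : EKA[K || goal || EKSS[K || IDA || LT || goal]]
The user decrypts the message with the locally derived EKA (this is how the user proves their identity to the KDC) and obtains the temporary key K and the encrypted TGT
Nobody else knows the password, so nobody else can reconstruct the key

Stage 2: the user proves their identity to the courier

The user sends the TGT and IDA encrypted with K to the courier; by checking the ID, the courier knows that A really is A
The user requests pickup, sending the TGT, the parcel number goal, and IDA and the timestamp LTnew encrypted with K:
A -> SS : EKSS[K || IDA || LT || goal] || goal || K[LTnew || IDA]
The courier decrypts the TGT to obtain K and IDA, uses K to decrypt the second half of the message to obtain IDA and LTnew, and after checking them knows that the time has not expired and that the user is who they claim to be
The parcel is handed over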
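
Both stages as an added Python sketch (not part of the original post), showing the courier's checks on the ticket, the parcel number, the ID and the timestamps. Assumptions: the ticket carries K as the prose states, EKA is derived with PBKDF2, `seal`/`unseal` are a standard-library stand-in for the symmetric encryption E[...], and the names, password, `ticket_life` and `skew` values are made up.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    """Encrypt-then-MAC stand-in for E_key[...]; a real app would use a vetted AEAD."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = hashlib.shake_256(b"enc" + key + nonce).digest(len(pt))
    ct = nonce + bytes(a ^ b for a, b in zip(pt, ks))
    return (ct + hmac.new(key, ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):
    raw = bytes.fromhex(blob)
    ct, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    ks = hashlib.shake_256(b"enc" + key + ct[:16]).digest(len(ct) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(ct[16:], ks)))

def password_key(user_id, password):
    """EKA derived from the password (PBKDF2 with the ID as salt is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), user_id.encode(), 100_000)

def kdc_reply(db, id_a, id_ss, goal, now):
    """KDC -> A : EKA[K || goal || EKSS[K || IDA || LT || goal]]"""
    k = os.urandom(32).hex()  # fresh temporary key K
    tgt = seal(db[id_ss], {"K": k, "IDA": id_a, "LT": now, "goal": goal})
    return seal(db[id_a], {"K": k, "goal": goal, "TGT": tgt})

def pickup_request(eka, reply, id_a, now):
    """A -> SS : TGT || goal || K[LTnew || IDA]"""
    m = unseal(eka, reply)  # fails unless EKA came from the right password
    auth = seal(bytes.fromhex(m["K"]), {"LTnew": now, "IDA": id_a})
    return {"TGT": m["TGT"], "goal": m["goal"], "auth": auth}

def courier_verify(ekss, req, now, ticket_life=86400, skew=120):
    """Return the verified IDA or raise; lifetime and skew (seconds) are assumed values."""
    t = unseal(ekss, req["TGT"])
    a = unseal(bytes.fromhex(t["K"]), req["auth"])
    if t["goal"] != req["goal"]:
        raise ValueError("ticket was issued for a different parcel")
    if a["IDA"] != t["IDA"]:
        raise ValueError("ID under K does not match the ID in the ticket")
    if now - t["LT"] > ticket_life or abs(now - a["LTnew"]) > skew:
        raise ValueError("ticket or timestamp expired")
    return t["IDA"]

# Constructed sample key database held by the KDC (names and password are made up).
DB = {"alice": password_key("alice", "correct horse"), "courier7": os.urandom(32)}
```

A captured request replayed after the skew window, a request with a swapped parcel number, and a KDC reply opened with a key from the wrong password all end in `ValueError`.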