
Design And Implementation Of Multi-Domain Unified Authentication And Authorization System Based On PKI

Posted on: 2014-02-10
Degree: Master
Type: Thesis
Country: China
Candidate: S He
Full Text: PDF
GTID: 2248330398971992
Subject: Information security

Abstract/Summary:
The development of computer science has brought great convenience to our work, life and study. At the same time, how to effectively manage the permissions for each system in the network and prevent access by unauthorized users has become an important research issue in the computer field. In a large network environment, the growing number of business systems and the differences in the design and implementation of their authority management modules cause confusion in authority management. A unified authentication and authorization scheme solves this problem. Using a unified authentication and authorization scheme in business systems simplifies the design and implementation of the authority management module, improves the security of the network, and makes security administrators more efficient.

Kerberos is a commonly used computer network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another. Because Kerberos uses symmetric-key cryptography in the authentication phase, it causes two problems in actual use. First, both nodes need to obtain the shared key over a secure channel, and the AS (Authentication Server) needs to store each shared key. This creates a huge security hole: once an attacker compromises the secure channel or the AS, part or all of the systems would collapse. Second, the AS needs to manage the keys of each node, which impacts the performance of the system.

First, based on the Kerberos protocol, this paper designs a unified authentication and authorization scheme that uses public-key cryptography in the authentication phase. The AS does not need to store shared keys; it only needs to store digital certificate information, which can be obtained through an online certificate server. The scheme therefore solves the problems above, makes the systems more secure and improves their performance.

Second, for the multi-domain case, this paper designs a scheme for building a topology of authentication servers and provides a solution for cross-domain authentication and authorization, so that nodes are able to handle multi-domain authentication and authorization.

Finally, building on the previous scheme, this paper designs and implements a multi-domain unified authentication and authorization system based on Public Key Infrastructure and describes the design and implementation of each module in detail. The system can protect against replay attacks and man-in-the-middle attacks to some extent by using strict timestamps and backward verification. Many tests show that the system meets the performance requirements.
Keywords/Search Tags: authentication, authorization, Kerberos, public key infrastructure, cross-domain authentication