An Introduction to the Kerberos Protocol

This is an introduction to the Kerberos protocol that uses a dialogue to walk through the process of designing an authentication system for an open network. The article explains how the Kerberos protocol improves security and prevents replay attacks, and describes the main changes in Kerberos V5, such as no longer encrypting tickets with the user's password and introducing a replay cache. It also mentions features new in Kerberos V5, such as ticket forwarding and delegation of privileges.
(Summary generated automatically by CSDN.)
Because I need to study how Single Sign-On (SSO) works, Kerberos is a technology I will inevitably run into. While researching this, I found that people online unanimously recommend an article from MIT: a light and entertaining piece that explains Kerberos as a play in four scenes. I have tried to put the Chinese and the English side by side here; personally I prefer to read the English directly.

Designing an Authentication System:
a Dialogue in Four Scenes

Originally written by Bill Bryant, February 1988.

Cleaned up and converted to HTML by Theodore Ts'o, February, 1997. An afterword describing the changes in Version 5 of the Kerberos protocol was also added.

Abstract

This dialogue provides a fictitious account of the design of an open-network authentication system called "Charon." As the dialogue progresses, the characters Athena and Euripides discover the problems of security inherent in an open network environment. Each problem must be addressed in the design of Charon, and the design evolves accordingly. Athena and Euripides don't complete their work until the dialogue's close.

When they finish designing the system, Athena changes the system's name to "Kerberos," the name, coincidentally enough, of the authentication system that was designed and implemented at MIT's Project Athena. The dialogue's "Kerberos" system bears a striking resemblance to the system described in Kerberos: An Authentication Service for Open Network Systems presented at the Winter USENIX 1988, at Dallas, Texas.

Dramatis Personae

Athena, an up-and-coming system developer.
Euripides, a seasoned developer and resident crank.

Scene I

A cubicle area. Athena and Euripides are working at neighboring terminals.

Athena: Hey Rip, this timesharing system is a drag. I can't get any work done because everyone else is logged in.

Euripides: Don't complain to me. I only work here.

Athena: You know what we need? We need to give everyone their own workstation so they don't have to worry about sharing computer cycles. And we'll use a network to connect all the workstations so folks can communicate with one another.

Euripides: Fine. So what do we need, about a thousand workstations?

Athena: More or less.

Euripides: Have you seen the size of a typical workstation's disk drive? There isn't enough room for all the software that you have on a timesharing machine.

Athena: I figured that out already. We can keep copies of the system software on various server machines. When you login to a workstation, the workstation accesses the system software by making a network connection with one of the servers. This setup lets a whole bunch of workstations use the same copy of the system software, and it makes software updates convenient. You don't have to trundle around to each workstation. Just modify the system software servers.

Euripides: All right. What are you going to do about personal files? With a timesharing system I can login and get to my files from any terminal that is connected to the system. Will I be able to walk up to any workstation and automatically get to my files? Or do I have to make like a PC user and keep my files on diskette? I hope not.

Athena: I think we can use other machines to provide personal file storage. You can login to any workstation and get to your files.

Euripides: What about printing? Does every workstation have its own printer? Whose money are you spending anyway? And what about electronic mail? How are you going to distribute mail to all these workstations?

Athena: Ah . . . Well obviously we don't have the cash to give everyone a printer, but we could have machines dedicated to print service. You send a job to a print server, and it prints it for you. You could do sort of the same thing with mail. Have a machine dedicated to mail service. You want your mail, you contact the mail server and pick up your mail.

Euripides: Your workstation system sounds really good Tina. When I get mine, you know what I'm going to do? I'm going to find out your username, and get my workstation to think that I am you. Then I'm going to contact the mail server and pick up your mail. I'm going to contact your file server and remove your files, and--

Athena: Can you do that?

Euripides: Sure! How are these network servers going to know that I'm not you?

Athena: Gee, I don't know. I guess I need to do some thinking.

Euripides: Sounds like it. Let me know when you figure it out.

Scene II

Euripides' office, the next morning. Euripides sits at his desk, reading his mail. Athena knocks on the door.

Athena: Well I've figured out how to secure an open network environment so that unscrupulous folks like you cannot use network services in other people's names.

Euripides: Is that so? Have a seat.

She does.

Athena: Before I describe it, can I lay down one ground rule about this discussion?

Euripides: What's your rule?

Athena: Well suppose I say something like the following: "I want my electronic mail, so I contact the mail server and ask it to send the mail to my workstation." In reality I'm not the entity that contacts the mail server. I'm using a program to contact the mail server and retrieve my mail, a program that is a CLIENT of the mail service program.

But I don't want to say "the client does such-and-such" every time I refer to a transaction between the user and a network server. I'd just as soon say "I do such-and-such," keeping in mind of course that a client program is doing things on my behalf. Is that okay with you?

Euripides: Sure. No problem.

Athena: Good. All right, I'll begin by stating the problem I have solved. In an open network environment, machines that provide services must be able to confirm the identities of people who request service. If I contact the mail server and ask for my mail, the service program must be able to verify that I am who I claim to be, right?

Euripides: Right.

Athena: You could solve the problem clumsily by requiring the mail server to ask for a password before I could use it. I prove who I am to the server by giving it my password.

Euripides: That's clumsy all right. In a system like that, every server has to know your password. If the network has one thousand users, each server has to know one thousand passwords. If you want to change your password, you have to contact all servers and notify them of the change. I take it your system isn't this stupid.

Athena: My system isn't stupid. It works like this: Not only do people have passwords, services have passwords too. Each user knows her or his password, each service program knows its password, and there's an AUTHENTICATION SERVICE that knows ALL passwords--each user's password, and each service's password. The authentication service stores the passwords in a single, centralized database.

Euripides: Do you have a name for this authentication service?

Athena: I haven't thought of one yet. Do you have any ideas?

Euripides: What's the name of that fellow who ferries the dead across the River Styx?

Athena: Charon?

Euripides: Yeah, that's him. He won't take you across the river unless you can prove your identity.

Athena: There you go Rip, trying to rewrite Greek mythology again. Charon doesn't care about your identity. He just wants to make sure that you're dead.

Euripides: Have you got a better name?

Pause.

Athena: No, not really.

Euripides: Then let's call the authentication service "Charon."

Athena: Okay. I guess I should describe the system, huh?

Let's say you want to use a service, the mail service. In my system you cannot use a service unless, ah, Charon tells the service that you are who you claim to be. And you can't get the okay to use a service unless you have authenticated yourself to Charon. When you request authentication from Charon, you have to tell Charon the service for which you want the okay. If you want to use the mail server, you've got to tell Charon.

Charon asks you to prove your identity. You do so by providing your secret password. Charon takes your password and compares it to the one that is registered for you in the Charon database. If the two passwords match, Charon considers your identity proven.

Charon now has to convince the mail server that you are who you say you are. Since Charon knows all service passwords, it knows the mail service's password. It's conceivable that Charon could give you the password, which you could forward to the mail service as proof that you have authenticated yourself to Charon.

The problem is, Charon cannot give you
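The page breaks off here, just as Athena reaches the weakness of handing the mail service's password to the user. The following Python simulation is an added example, not code from the original dialogue or from MIT's Kerberos; it contrasts Euripides' "clumsy" design (every server keeps every password, so a password change touches every server) with Athena's central authentication service, and goes one step beyond the truncated text by showing how Charon can vouch for a user without revealing the service's password: it authenticates its statement with a keyed MAC under the service's own key, which is the direction the real design takes with tickets. The principal names and passwords are constructed sample data, and the key derivation, the MAC-based proof and the five-minute lifetime are assumptions for illustration.

```python
"""Simulation of the two designs debated in Scene II: per-server passwords versus
a central authentication service (Charon). Added example, not code from the
original dialogue; the key derivation, the MAC-based proof and the lifetime
are assumptions about how such a service could work."""
import hashlib
import hmac
import json
import time


def derive_key(password: str, principal: str) -> bytes:
    """Derive a fixed-length secret from a password, salted with the principal's
    name so that Charon and the service compute the same key (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class ClumsyServer:
    """The 'clumsy' design: every server keeps its own copy of every user password."""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}

    def login(self, user: str, password: str) -> bool:
        stored = self.passwords.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def clumsy_password_change(servers: list, user: str, new_password: str) -> int:
    """A password change must be pushed to every server; returns the update count."""
    for server in servers:
        server.passwords[user] = new_password
    return len(servers)


def proof_tag(key: bytes, body: dict) -> str:
    """Keyed MAC over the proof body, computed with the service's key."""
    message = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, message, "sha256").hexdigest()


class Charon:
    """Central authentication service: the only party that knows every secret."""

    def __init__(self) -> None:
        self.db: dict[str, bytes] = {}  # principal -> derived key

    def register(self, principal: str, password: str) -> None:
        self.db[principal] = derive_key(password, principal)

    def authenticate(self, user: str, password: str, service: str, now=None):
        """Verify the user's password; on success return a proof for `service`.

        The proof is authenticated with the service's own key, so the service can
        check it with the secret it already holds and Charon never has to hand the
        service's password to the user. Returns None on failure.
        """
        user_key = self.db.get(user)
        if user_key is None or not hmac.compare_digest(user_key, derive_key(password, user)):
            return None
        if service not in self.db:
            return None
        issued = int(now if now is not None else time.time())
        body = {"user": user, "service": service, "issued": issued}
        return {**body, "tag": proof_tag(self.db[service], body)}


class MailServer:
    """A service that knows only its own password and trusts proofs from Charon."""

    LIFETIME = 300  # seconds a proof stays valid (assumption)

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.key = derive_key(password, name)

    def check_proof(self, proof: dict, now=None) -> bool:
        body = {k: proof[k] for k in ("user", "service", "issued")}
        if not hmac.compare_digest(proof_tag(self.key, body), proof["tag"]):
            return False  # tag mismatch: body altered, or not issued under this service's key
        if body["service"] != self.name:
            return False  # proof was issued for a different service
        now = now if now is not None else time.time()
        return 0 <= now - body["issued"] <= self.LIFETIME


def run_demo() -> dict:
    """Exercise both designs with constructed sample credentials."""
    clumsy = [ClumsyServer() for _ in range(3)]  # mail, file and print servers
    updates = clumsy_password_change(clumsy, "athena", "owl-and-olive")

    charon = Charon()
    charon.register("athena", "owl-and-olive")
    charon.register("mail", "hermes-rocks")
    mail = MailServer("mail", "hermes-rocks")

    t0 = 1_000_000  # fixed clock so the results are reproducible
    good = charon.authenticate("athena", "owl-and-olive", "mail", now=t0)
    altered = dict(good, user="euripides")  # user field changed after issue
    return {
        "clumsy_updates": updates,
        "accepted": mail.check_proof(good, now=t0 + 10),
        "wrong_password": charon.authenticate("athena", "guess", "mail", now=t0),
        "altered_rejected": not mail.check_proof(altered, now=t0 + 10),
        "stale_rejected": not mail.check_proof(good, now=t0 + 10_000),
        "service_secret_in_proof": "hermes-rocks" in json.dumps(good),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the module prints the outcome of each check: the clumsy design needs three updates for one password change, Charon accepts the genuine proof, rejects a wrong password, rejects a proof whose user field was altered, rejects a proof presented long after issue, and never places the mail service's password in anything the user sees.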
