{"id":423,"date":"2017-03-19T22:01:00","date_gmt":"2017-03-19T14:01:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=423"},"modified":"2025-11-04T01:40:27","modified_gmt":"2025-11-03T17:40:27","slug":"authentication-system","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/423","title":{"rendered":"Authentication System"},"content":{"rendered":"\n

authentication(\u8a8d\u8b49)<\/strong>:\u7528\u4f86\u78ba\u8a8d\u901a\u8a0a\u5925\u4f34\u4e0d\u662f\u5192\u724c\u8ca8\u7684\u6280\u8853
\u6839\u64da\u5171\u4eab\u79d8\u5bc6\u9375\u503c\u8a8d\u8b49
\u4ee5c\/r(challenge-response,\u6311\u6230\u56de\u61c9)\u70ba\u4e3b\u7684\u7cfb\u7d71
ex: LM(windows lan manager),chap,mschap,kdc,kerberos
\u67b6\u69cb\u5982\u4e0b\uff1a<\/strong>
\u30001,a\u5411b\u50b3\u4e00\u8a0a\u606f
\u30002,b\u6311\u6230a,\u5373\u5c07\u4e00\u4e82\u6578\u50b3\u7d66a
\u30003,a\u7528ab\u5171\u4eabkey\u5c07\u6b64\u4e82\u6578\u52a0\u5bc6\u5728\u50b3\u7d66b,\u7576b\u770b\u5230\u5373\u78ba\u5b9a\u5c0d\u65b9\u662fa
\u30004,a\u6311\u6230b,\u5373\u5c07\u4e00\u4e82\u6578\u50b3\u7d66b
\u30005,b\u7528ab\u5171\u4eabkey\u5c07\u6b64\u4e82\u6578\u52a0\u5bc6\u5728\u50b3\u7d66a,\u7576a\u770b\u5230\u5373\u78ba\u5b9a\u5c0d\u65b9\u662fb
\u53ef\u9632replay attack
\u53ef\u80fd\u88abreflection attack(\u53cd\u5c04\u653b\u64ca)\u64ca\u6557,\u4f46\u53ef\u7528HMAC\u89e3\u6c7a
\u548c\u964c\u751f\u4eba\u4ea4\u63db\u9470\u5319\u7684\u65b9\u6cd5\u53ef\u7528diffie-hellman<\/p>\n\n\n\n

…….<\/p>\n\n\n\n

NTLM(nt lan manager)<\/strong>
\u5fae\u8edf\u5c08\u5c6c,\u4f7f\u7528\u6311\u6230\u56de\u61c9,\u55ae\u5411\u8a8d\u8b49,\u53ea\u5141\u8a31\u4f3a\u670d\u5668\u5c0d\u7528\u6236\u9032\u884c\u8eab\u5206\u8b58\u5225,\u9a57\u8b49\u901f\u5ea6\u8f03\u6162\uff0c\u4e0d\u80fd\u8de8\u7db2\u8def\u9a57\u8b49<\/p>\n\n\n\n

attribute<\/strong><\/td>LM<\/strong><\/td>NTLM v1<\/strong><\/td>NTLM v2<\/strong><\/td><\/tr>
password case sensitive<\/td>no<\/td>yes<\/td>yes<\/td><\/tr>
hash key length<\/td>56bit+56bit<\/td> <\/td> <\/td><\/tr>
password hash algorithm<\/td>des(ecb mode)<\/td>md4<\/td>md4<\/td><\/tr>
hash value length<\/td>64bit+64bit<\/td>128bit<\/td>128bit<\/td><\/tr>
C\/R key length<\/td>56bit+56bit+16bit<\/td>56bit+56bit+16bit<\/td>128bit<\/td><\/tr>
C\/R algorithm<\/td>des(ecb mode)<\/td>des(ecb mode)<\/td>hmac_md5<\/td><\/tr>
C\/R value lengh<\/td>64bit+64bit+64bit<\/td>64bit+64bit+64bit<\/td>128bit<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

NTLM and LM authentication<\/strong>
client  —authentication request—>  server
client  <—server-challenge-nonce—  server
client  —lm response – des(lm hash,nonce)—>   server
client  —ntlm response – des(unicode pwd,nonce)—>   server
client  <–authentication result—  server

LM(LAN Manager) hash steps <\/strong> 
1\u5c07password\u8f49\u63db\u6210uppercase
2\u4e0d\u8db314 character\u7684password\u6703\u88dc\u4e0a\u7a7a\u767d,\u8d85\u904e\u5247\u5207\u6389
3\u5c07password\u5f9e\u4e2d\u9593\u5207\u6210\u4e00\u534a,
4\u5206\u5225\u5c0d\u90192\u534aencrypted
5\u628a\u90192\u534a\u7684hash\u5408\u5728\u4e00\u8d77<\/p>\n\n\n\n

……….<\/p>\n\n\n\n

KDC(key distribution center,\u9375\u503c\u6563\u4f48\u4e2d\u5fc3\u8a8d\u8b49\u6cd5)<\/strong>
\u4e00\u500b\u96c6\u4e2d\u5f0f\u7684\u4f7f\u7528\u8005\u5e33\u865f\u8a0a\u606f\u8cc7\u6599\u5eab
\u6bcf\u500b\u4f7f\u7528\u8005\u548ckdc\u90fd\u6709\u4e00\u5171\u4eab\u7684\u9375\u503c,\u8a8d\u8b49\u548c\u8b70\u7a0b\u9375\u503c\u7ba1\u7406\u7686\u900f\u904ekdc\u9032\u884c,\u4f46\u53ef\u80fd\u6703\u906d\u9047\u91cd\u50b3\u653b\u64ca\u6cd5
\u904b\u4f5c\uff1a
\u30001,A,Ka(B,Ks)>kdc:a\u5411kdc\u8981\u6c42\u8207b\u901a\u8a0a,\u8207\u662f\u9001\u51fa\u7528a\u7684key\u52a0\u5bc6\u7684\u8b70\u7a0b\u9375\u503c(Ks)\u7d66kdc
\u30002,Kb(A,Ks)>b:kdc\u7528a\u7684key\u6253\u958b,\u5411b\u9001\u51fa\u7528b\u7684key\u52a0\u5bc6\u7684\u8b70\u7a0b\u9375\u503c(Ks)\u7d66b
\u30003,b\u7528b\u7684key\u6253\u958b\u5f8c\u53d6\u5f97\u8b70\u7a0b\u9375\u503cKs,\u5f97\u77e5a\u60f3\u548cb\u901a\u8a0a
\u4f7f\u7528needham-schroeder\u8a8d\u8b49\u5354\u5b9a:\u591a\u65b9\u6311\u6230\u56de\u61c9\u5354\u5b9a,\u53ef\u89e3\u6c7a\u91cd\u50b3\u653b\u64ca\u6cd5,\u4f46\u4ecd\u6709\u5c0f\u5f31\u9ede
\u904b\u4f5c\uff1aa\u5148\u548ckdc\u5354\u5546\u8981\u548cb\u901a\u8a0a\u5f8c,a\u5728\u548cb\u9032\u884c\u6311\u6230\u56de\u61c9\u7b49\u5354\u5546
\u4f7f\u7528otway-ress\u8a8d\u8b49\u5354\u5b9a\uff1aneedham-schroeder\u4fee\u6539\u7248,\u53ef\u89e3\u6c7a\u5c0f\u5f31\u9ede
\u904b\u4f5c\uff1aa\u5148\u50b3\u4e00\u8a0a\u606f\u7d66b,b\u5728\u548ckdc\u4e92\u76f8\u5354\u5546\u5f8c,kdc\u5728\u548ca\u5354\u5546<\/p>\n\n\n\n

………<\/p>\n\n\n\n

\u7528Kerberos\u9032\u884c\u8a8d\u8b49
\u5f9eneedham-schroeder\u6539\u8b8a\u800c\u4f86<\/p>\n\n\n\n

kerberos4<\/strong>
MIT\u7684athena\u8a08\u756b,\u8b93\u6709\u6388\u6b0a\u4f7f\u7528\u8005\u5728\u5de5\u4f5c\u7ad9\u53ef\u5b58\u53d6\u7db2\u8def\u4f3a\u670d\u7aef\u63d0\u4f9b\u7684\u670d\u52d9(\u8a8d\u8b49\u7cfb\u7d71)
\u5c07\u8a8d\u8b49\u7684\u5de5\u4f5c\u96c6\u4e2d\u5728\u4e00\u53f0\u7279\u5b9a\u7684\u4f3a\u670d\u5668
\u8f03\u5e38\u7528\u5728distributed architecture(\u5206\u6563\u5f0f\u67b6\u69cb)
\u4f7f\u7528\u50b3\u7d71\u52a0\u5bc6\u6cd5\u4f86\u9032\u884c\u8a8d\u8b49\u7a0b\u5e8f,\u52a0\u5bc6\u6cd5\u7528\u975e\u6a19\u6e96DES,\u50b3\u5c0e\u5f0f\u5bc6\u6587\u5340\u6bb5\u4e32\u63a5\u6a21\u5f0fPCBC\u63d0\u4f9b\u78ba\u8a8d\u6027\u670d\u52d9
AS(\u8a8d\u8b49\u4f3a\u670d\u7aef)\uff1a\u5c07\u5bc6\u78bc\u5132\u5b58\u5728\u96c6\u4e2d\u5f0f\u8cc7\u6599\u5eab,\u6e1b\u8f15\u4f3a\u670d\u7aef\u63d0\u4f9b\u670d\u52d9\u8ca0\u64d4,\u985e\u4f3ckdc
TGS(\u9580\u7968\u6838\u51c6\u4f3a\u670d\u7aef)\uff1a\u5c07ticket(\u9580\u7968)\u767c\u7d66\u88abAS\u78ba\u8a8d\u904e\u7684\u4f7f\u7528\u8005,\u7576\u8981\u5b58\u53d6\u65b0\u670d\u52d9\u6642\u4fbf\u7528\u9580\u7968\u5411TGS\u8b49\u660e\u81ea\u5df1\u8eab\u4efd
\u9580\u7968\u6700\u5927\u58fd\u547d1280\u5206\u9418
\u9818\u57df:\u7531Kerberos\u4f3a\u670d\u7aef,\u591a\u5ba2\u6236\u7aef,\u591a\u61c9\u7528\u4f3a\u670d\u5668\u7d44\u6210,\u4e0d\u540c\u9818\u57df\u53ef\u85c9\u7531tgs\u4e92\u901a
\u904b\u4f5c\u65b9\u5f0f\uff1a<\/strong>
\u30001.a\u6703\u5c07\u540d\u5b57\u50b3\u7d66as,as\u6703\u9001\u56de\u7528a\u7684key\u52a0\u5bc6\u7684\u8b70\u7a0b\u9375\u503c(Ks)\u548ctgs\u8a31\u53ef\u8b49(Ktgs(A,Ks))
\u30002.a\u6536\u5230\u5f8c\u7528a\u7684key\u89e3\u958b,\u53d6\u5f97\u8b70\u7a0b\u9375\u503c(Ks)\u548ctgs\u8a31\u53ef\u8b49(Ktgs(A,Ks))
\u30003,a\u5411tgs\u8981\u4f7f\u7528b\u4f3a\u670d\u5668\u7684\u8a31\u53ef\u8b49,\u4e26\u7528tgs\u8a31\u53ef\u8b49(Ktgs(A,Ks))\u8a3c\u660e\u662fa
\u30004,tgs\u6703\u7d66a\u4e8c\u500b\u53ef\u7528\u4f86\u8b93a\u53cab\u4f3a\u670d\u5668\u6e9d\u901a\u7684\u8b70\u7a0b\u9375\u503cKab,\u4e00\u500b\u53ea\u6709a\u80fd\u958b(Ks(B,Kab)),\u53e6\u4e00\u500b\u53ea\u6709b\u4f3a\u670d\u5668\u80fd\u958b(Kb(A,Kab))
\u30005.a\u6536\u5230\u5f8c\u5c07\u8b70\u7a0b\u9375\u503c(Kb(A,Kab))\u7d66b\u4f3a\u670d\u5668\u4e26\u56de\u61c9\u5f8c,a\u548cb\u4f3a\u670d\u5668\u5373\u53ef\u6e9d\u901a
\u30006,a\u82e5\u8981\u548c\u5176\u4ed6\u4f3a\u670d\u5668\u6e9d\u901a\u53ea\u9700\u5728\u5411tgs\u8981\u8207\u5176\u4ed6\u4f3a\u670d\u5668\u6e9d\u901a\u7684\u8a31\u53ef\u8b49\u5373\u53ef<\/p>\n\n\n\n

Kerberos5(\u89e3\u6c7a\u7b2c4\u7248\u7f3a\u5931)<\/strong>
\u70baIETF\u7684\u516c\u958b\u6a19\u6e96
\u53ef\u4f7f\u7528\u4efb\u4f55\u52a0\u5bc6\u6cd5
\u4f7f\u7528ASN.1\u548cBER\u5b9a\u7fa9\u6240\u6709\u8a0a\u606f\u7d50\u69cb
\u9580\u7968\u58fd\u547d\u4e0d\u9650
ps:
Windows 2000 Server\u5f8c\u4e4bServer,\u662f\u6839\u64daRFC 1510\u5be6\u4f5cKerberos\u5354\u5b9a <\/p>\n\n\n\n

ps:
\u5fae\u8edf\u7684kerberos\u4f7f\u7528tcp\/udp88<\/p>\n\n\n\n

……………<\/p>\n\n\n\n

802.1x<\/strong> \u4f7f\u7528\u8005\u8a8d\u8b49
802.1x\u9a57\u8b49\u548c802.11\u9a57\u8b49\u7a0b\u5e8f\u662f\u7368\u7acb\u5206\u958b\u7684\u3002 802.1x\u6a19\u6e96\u70ba\u5404\u7a2e\u9a57\u8b49\u548c\u91d1\u9470\u7ba1\u7406\u901a\u8a0a\u5354\u5b9a\u63d0\u4f9b\u67b6\u69cb
2001\u4e03\u6708IEEE\u6838\u53ef\uff0c\u76ee\u524d\u7121\u7dda\u7db2\u8def\u4e0a\u6700\u7406\u60f3\u7684\u8eab\u5206\u8a8d\u8b49\u8207\u5bc6\u9470\u7ba1\u7406\u5354\u5b9a
\u5b9a\u7fa9\u4e86\u9023\u63a5\u57e0\u67b6\u69cb\u5f0f\u7684\u7db2\u8def\u5b58\u53d6\u63a7\u5236<\/p>\n\n\n\n

IEEE\u9078\u64c7\u4e86EAP(Extensible Authentication Protocol,\u53ef\u5ef6\u4f38\u9a57\u8b49\u901a\u8a0a\u5354\u5b9a)\u505a\u70ba\u6a19\u6e96\u9a57\u8b49\u6a5f\u5236
EAP\u662f\u4e00\u7a2ePPP\u9ede\u5c0d\u9ede\u901a\u8a0a\u5354\u5b9a\u67b6\u69cb\u7684\u9a57\u8b49\u6280\u8853,\u901a\u5e38\u4f7f\u7528\u65bc\u9ede\u5c0d\u9edeLAN \u5340\u6bb5\u4e0a
\u5b9a\u7fa9\u4e86EAPOL(EAP over LAN,LAN\u4e0a\u7684 EAP)\uff0c\u9019\u662f\u4e00\u7a2e\u5c01\u88ddEAP\u8a0a\u606f\u4ee5\u4fbf\u5728Ethernet\u6216\u7121\u7ddaLAN\u5340\u6bb5\u4e0a\u50b3\u9001\u7684\u65b9\u6cd5<\/p>\n\n\n\n

\u80fd\u5c07\u7121\u6cd5\u901a\u904e\u8a8d\u8b49\u7684\u4f7f\u7528\u8005\u9694\u7d55\u65bc\u7db2\u8def\u4e4b\u5916\uff0c\u4f7f\u5176\u7121\u6cd5\u5229\u7528\u4efb\u4f55\u7db2\u8def\u8cc7\u6e90
\u4ee5\u57e0\u70ba\u57fa\u790e\u7684\u8a8d\u8b49\u6a5f\u5236,\u53ef\u7d50\u5408\u5f8c\u7aefRADIUS\u8a8d\u8b49\u4f3a\u670d\u5668\u78ba\u8a8d\u4f7f\u7528\u8005\u8eab\u5206
\u53ef\u907f\u514dMan-in-the-Middle(\u7d81\u67b6\u653b\u64ca)
\u5229\u7528\u52d5\u614bWEP\u52a0\u5bc6\u6a5f\u5236\u89e3\u6c7a\u539f\u672c\u975c\u614bWEP\u7684\u554f\u984c<\/p>\n\n\n\n

\u67b6\u69cb\uff1a<\/strong>
-Authenticator\uff1aAP(\u7121\u7dda\u5b58\u53d6\u9ede)\u4e0a\u7684\u908f\u8f2fLAN\u9023\u63a5\u57e0,\u8981\u6c42\u4e26\u4e14\u63a5\u53d7\u672a\u53d7\u4fe1\u4efb\u7aef\u7db2\u8def\u7bc0\u9ede\u7684\u8a8d\u8b49\u8acb\u6c42\u7684\u5be6\u9ad4\u3002
-Supplicant\uff1a\u7121\u7ddaLAN\u7db2\u5361\u8981\u6c42\u5b58\u53d6\u6709\u7dda\u7db2\u8def\u7684\u908f\u8f2fLAN\u9023\u63a5\u57e0\uff0c\u4e26\u4e14\u9700\u63a5\u53d7 Authenticator\u7684\u8a8d\u8b49\u7a3d\u6838\u3002
-PAE(Port Access Entity,\u9023\u63a5\u57e0\u5b58\u53d6\u5be6\u9ad4)\uff1a\u5177\u6709\u5b58\u53d6\u57e0\u7684\u4e00\u500b\u5be6\u9ad4\uff0c\u5177\u6709Authenticator, Supplicant\u6216\u5169\u8005\u7684\u529f\u80fd\u3002
-Authentication Server\uff1a\u5c0dAuthenticator\u4f9b\u8eab\u5206\u8a8d\u8b49\u670d\u52d9\u7684\u5be6\u9ad4\uff0c\u53ef\u80fd\u8207Authenticator\u5b58\u5728\u540c\u4e00\u4e3b\u6a5f\u5167\uff0c\u4f46\u5927\u591a\u6578\u7684\u72c0\u6cc1\u4e0b\u662f\u4e00\u53f0\u7368\u7acb\u7684\u4f3a\u670d\u5668\u3002<\/p>\n\n\n\n

\u529f\u80fd\uff1a<\/strong>
802.1x \u8acb\u6c42\u8005\u901a\u8a0a\u5354\u5b9a\u652f\u63f4
EAP(\u53ef\u5ef6\u4f38\u9a57\u8b49\u901a\u8a0a\u5354\u5b9a)\u7684\u652f\u63f4 – RFC 2284<\/p>\n\n\n\n

\u53d7\u652f\u63f4\u7684\u9a57\u8b49\u65b9\u6cd5\uff1a<\/strong>
MD5 – RFC2284,\u50c5\u7531\u8a8d\u8b49\u4f3a\u670d\u5668\u8a8d\u8b49\u7121\u7dda\u7db2\u8def\u4f7f\u7528\u8005\uff0c\u4f7f\u7528\u8005\u7121\u6cd5\u8a8d\u8b49\u5c0d\u65b9
EAP-TLS:RFC2716,RFC2246,windowsxp\u7528,\u76ee\u524d802.1x\u4e2d\u4ee5\u6191\u8b49\u70ba\u57fa\u790e\u7684\u8a8d\u8b49\u6a5f\u5236,\u80fd\u5920\u63d0\u4f9b\u96d9\u5411\u8a8d\u8b49\u6a5f\u5236
EAP-TTLS
Cisco LEAP(\u7121\u7dda\u53ef\u8f15\u5fae\u5ef6\u4f38\u7684\u9a57\u8b49\u901a\u8a0a\u5354\u5b9a)
PEAP(\u4fdd\u8b77\u7684EAP)
EAP-SIM,EAP-FAST
\u652f\u63f4Microsoft Windows XP\u3001Microsoft Windows 2000<\/p>\n\n\n\n

…………….<\/p>\n\n\n\n

RADIUS(Remote Authentication Dial-in User Service,\u9060\u7aef\u8a8d\u8b49\u64a5\u63a5\u4f7f\u7528\u8005\u670d\u52d9)<\/strong>
\u8a31\u591aISP\u6240\u4f7f\u7528\u7684\u8a8d\u8b49\u8207\u8a18\u5e33\u7cfb\u7d71,\u64a5\u5165ISP\u7684\u540d\u7a31\u548c\u5bc6\u78bc\u6703\u88ab\u50b3\u5230RADIUS\u4f3a\u670d\u5668,\u67e5\u770b\u8cc7\u8a0a\u662f\u5426\u6b63\u78ba,\u4e26\u6388\u6b0aISP\u7cfb\u7d71\u7684\u5b58\u53d6
\u5fae\u8edfEAP(extensible authentication protocol,\u53ef\u5ef6\u4f38\u9a57\u8b49\u901a\u8a0a\u5354\u5b9a)\u7684\u5be6\u4f5c<\/p>\n\n\n\n

\u4e3b\u8981\u662f\u8ca0\u8cacAAA(authentication, authorization and accountng)\u7684\u5de5\u4f5c,\u5982\u4e0b
Authentication(\u9a57\u8b49\u968e\u6bb5)\uff1a\u6839\u64da\u672c\u6a5f\u8cc7\u6599\u5eab\u9a57\u8b49\u4f7f\u7528\u8005\u540d\u7a31\u548c\u5bc6\u78bc\u3002\u9a57\u8b49\u8eab\u4efd\u5f8c\uff0c\u6388\u6b0a\u7a0b\u5e8f\u5c31\u6703\u958b\u59cb\u3002
authorization(\u6388\u6b0a\u968e\u6bb5)\uff1a\u6c7a\u5b9a\u662f\u5426\u5141\u8a31\u67d0\u500b\u5b58\u53d6\u8cc7\u6e90\u7684\u8981\u6c42\u3002IP \u4f4d\u5740\u6703\u88ab\u6307\u6d3e\u7d66 “\u64a5\u865f” \u7528\u6236\u7aef\u3002
accounting(\u6703\u8a08\u968e\u6bb5)\uff1a\u70ba\u4e86\u8da8\u52e2\u5206\u6790\u3001\u5be9\u6838\u3001\u968e\u6bb5\u6642\u9593\u8a18\u5e33\u3001\u6216\u6210\u672c\u914d\u7f6e\u6536\u96c6\u7684\u8cc7\u6e90\u4f7f\u7528\u8cc7\u8a0a\u3002<\/p>\n\n\n\n

UDP\u4e0a\u5c64\u5354\u8b70\uff0c\u8a8d\u8a3c\u670d\u52d9\u57e01812\uff0c\u8a18\u8cbb\u670d\u52d9\u57e01813
\u652f\u63f4\u5f88\u591a\u4e0d\u540c\u7684\u7528\u6236\u9a57\u8b49\u6a5f\u5236:LDAP,chap,pap\u7b49
\u652f\u63f4VSA(vendor specify attribute),\u5373\u53ef\u5b9a\u7fa9\u5ee0\u5546\u5c08\u7528Attributes<\/p>\n\n\n\n

RADIUS\u6578\u64da\u5305\u7684\u7d50\u69cb\u5305\u62ec
Code\uff1a\u985e\u578b
ID\uff1a\u5340\u5206\u4e0d\u540c\u7684\u8a0a\u606f
Length\uff1aradius\u6578\u64da\u5305\u9577\u5ea6
Authenticator:MD5\u52a0\u5bc6\u4f7f\u7528\u7684\u5b57\u7b26\u4e32
Attributes:\u5177\u9ad4\u5167\u5bb9,\u542btype(Attribute\u5177\u9ad4\u542b\u7fa9)length(type\u9577\u5ea6)value(type\u7684\u503c)<\/p>\n\n\n\n

… <\/p>\n\n\n\n

TACACS+(Terminal Access Controller Access Control System+)<\/strong>
\u524d\u8eab\u662fTACACS\u5c6cRFC 1492
\u5177\u6709AAA(Authentication\u3001Authorization\u3001Accounting)\u67b6\u69cb
\u4e00\u7a2e\u5b89\u5168\u63a7\u7ba1\u7684\u5354\u5b9a\uff0c\u8ca0\u8cac\u63a7\u7ba1\u5b89\u5168\u7684\u4f3a\u670d\u5668\u8207\u7db2\u8def\u8a2d\u5099\u9593\u6e9d\u901a\u5b58\u53d6\u63a7\u5236\u7684\u8cc7\u8a0a\u3002
\u7576\u9060\u7aef\u4f7f\u7528\u8005\u60f3\u8981\u900f\u904e\u7db2\u8def\u4f7f\u7528\u516c\u53f8\u5167\u90e8\u7684\u8cc7\u6e90\u6642\uff0c\u5fc5\u9808\u5148\u7d93\u904e\u5b89\u5168\u4f3a\u670d\u5668\u7684\u6aa2\u67e5\u8207\u653e\u884c\u5f8c\uff0c\u624d\u80fd\u5920\u5728\u7db2\u8def\u4e0a\u53d6\u5f97\u88ab\u6388\u6b0a\u7684\u8cc7\u6e90<\/p>\n\n\n\n

…………….<\/p>\n\n\n\n

PAP(Password Authentication Protocol,\u5bc6\u78bc\u9a57\u8b49\u901a\u8a0a\u5354\u5b9a)<\/strong>
2way handshake,\u7531\u5ba2\u6236\u7aef\u63d0\u51fa
PAP\u662f\u500b\u4e0d\u56b4\u8b39\u7684\u9a57\u8b49\u5354\u5b9a,\u5bc6\u78bc\u662f\u660e\u78bc,\u6240\u4ee5\u88ab\u7aca\u53d6\u7684\u6a5f\u6703\u5f88\u9ad8
\u5c0d\u65bcplayback(\u64ad\u653e)\u6216trial-and-error(\u91cd\u8907\u5617\u8a66\u932f\u8aa4)\u653b\u64ca\u7121\u6cd5\u9632\u7bc4,\u4f7f\u5f97\u9060\u7aef\u7bc0\u9ede\u6613\u8655\u65bc\u983b\u7e41\u8207\u5b9a\u6642\u767b\u5165\u653b\u64ca\u63a7\u5236\u4e4b\u4e0b
\u53ea\u904b\u4f5c\u4e00\u6b21,\u5728\u521d\u59cb\u9023\u7dda\u6642
\u904b\u4f5c\u904e\u7a0b:<\/strong>
1\u9060\u7aef\u4f7f\u7528\u8005\u6703\u91cd\u8907\u7684\u9001\u51fa\u4ed6\u7684HOST NAME\u53ca\u5bc6\u78bc\u7d66\u4f60\u7684ROUTER,\u76f4\u5230\u88ab\u63a5\u53d7\u6216\u8005\u662f\u65b7\u7dda
2\u5982\u679c\u7b26\u5408,\u4f60\u7684ROUTER\u5c31\u6703\u9001\u51fa\u63a5\u53d7\u7684\u56de\u61c9<\/p>\n\n\n\n

CHAP(challenge handshake authentication protocol,\u76e4\u554f\u4ea4\u63e1\u5f0f\u9a57\u8b49\u5354\u5b9a)<\/strong>
3way handshake,\u7531\u4f3a\u670d\u7aef\u63d0\u51fa,
\u4f7f\u7528md5\u4e0d\u53ef\u9006\u8f49\u52a0\u5bc6\u6587\u5b57,\u53ef\u9632\u6b62\u91cd\u9001\u653b\u64ca
\u6703\u904b\u4f5c\u591a\u6b21,\u5728\u521d\u59cb\u9023\u7dda\u6642\u548c\u9023\u7dda\u4e2d\u6703\u96a8\u6a5f\u5411\u5ba2\u6236\u7aef\u9001\u51fachallenge(\u6311\u6230\u6307\u4ee4)\u9a57\u8b49\u4ee5\u907f\u514d\u7b2c\u4e09\u8005\u5192\u5145\u5ba2\u6236\u7aef
\u904b\u4f5c\u904e\u7a0b:<\/strong>
1\u4f60\u7684ROUTER\u6703\u5148\u9001\u500bCHALLENGE\u4fe1\u865f\u7d66\u4f60
2\u6536\u5230\u9019\u4fe1\u865f\u6642,\u6703\u7528\u6536\u5230\u7684CHALLENGE\u8a0a\u606f\u8ddf\u4f60\u7684\u5bc6\u78bc\u505aHASH\u6f14\u7b97,\u7136\u5f8c\u56de\u61c9\u51fa\u53bb
3\u76ee\u7684\u7aef\u6536\u5230\u5f8c,ROUTER\u518d\u62ff\u6536\u5230\u7684\u8a0a\u606f\u548c\u4ed6\u81ea\u5df1\u8a08\u7b97\u51fa\u4f86\u7684\u7d50\u679c\u505a\u6bd4\u5c0d,\u7136\u5f8c\u518d\u56de\u61c9\u63a5\u53d7\u6216\u62d2\u7d55<\/p>\n\n\n\n

MS-CHAP<\/strong>
\u5fae\u8edf\u9060\u7aef\u9a57\u8b49\u7528\u4f46\u4e26\u975e\u6bcf\u7a2eppp\u90fd\u652f\u63f4,\u4f46\u5c0dpptp\u6709\u9644\u52a0\u597d\u8655,\u4f7f\u7528MD4,\u548cchap\u5dee\u4e0d\u591a
MS-CHAPv2
<\/strong>\u66f4\u5b89\u5168\u7684\u9a57\u8b49<\/p>\n\n\n\n

……………………….. <\/p>\n\n\n\n

\u62cb\u68c4\u5f0f\u5bc6\u78bc\u7cfb\u7d71\u9032\u884c\u8a8d\u8b49<\/strong>
\u6bcf\u4e00\u6b21\u8981\u4f7f\u7528\u7cfb\u7d71\u6642\u4fbf\u8981\u6c42\u4e00\u500b\u5bc6\u78bc
\u53ef\u89e3\u6c7a\u88ab\u6514\u622a,\u91cd\u9001\u653b\u64ca,\u7e5e\u904ehash\u6280\u8853
RSA securID\uff1a\u4f7f\u7528\u786c\u9ad4(\u5361\u7247,\u5bc6\u78bc\u9375\u76e4)\u6216\u8edf\u9ad4\u7684\u9a57\u8b49\u8005,\u9a57\u8b49\u8005\u5bc6\u78bc\u6bcf60\u79d2\u6539\u8b8a\u4e00\u6b21
S\/key:\u4f7f\u7528\u901a\u95dc\u5bc6\u8a9e\u7522\u751f\u4e00\u6b21\u6027\u5bc6\u78bc,\u4f46\u5728\u50b3\u8f38\u8cc7\u6599\u6642\u6c92\u6709\u96b1\u5bc6\u6027<\/p>\n\n\n\n

\u516c\u5171\u9375\u503c\u5bc6\u78bc\u6cd5\u9032\u884c\u8a8d\u8b49<\/strong>
\u4ee5\u6191\u8b49\u70ba\u4e3b\u7684\u9a57\u8b49
\u904b\u4f5c\uff1a
1,a\u5411\u76ee\u9304\u4f3a\u670d\u5668\u53d6\u5f97b\u7684\u516c\u9470
2,a\u7528b\u7684\u516c\u9470\u52a0\u5bc6\u4e00\u4e82\u6578(Ra)\u50b3\u7d66b,\u4e26\u5411b\u8981\u6c42\u901a\u8a0a
3,b\u89e3\u958b\u5f8c\u5411\u76ee\u9304\u4f3a\u670d\u5668\u53d6\u5f97a\u7684\u516c\u9470,\u4e26\u5c07a\u7684\u4e82\u6578(Ra)\u548cb\u4e82\u6578(Rb)\u53ca\u8b70\u7a0b\u9375\u503c(Ks)\u7528a\u7684\u516c\u9470\u52a0\u5bc6\u5728\u50b3\u7d66a
4,a\u89e3\u958b\u5f8c\u770b\u5230\u4e82\u6578(Ra)\u8b49\u660e\u5c0d\u65b9\u662fb,\u4e26\u5c07b\u7684\u4e82\u6578(Rb)\u7528\u8b70\u7a0b\u9375\u503c(Ks)\u52a0\u5bc6\u4e26\u50b3\u7d66b
5,b\u89e3\u958b\u5f8c\u770b\u5230b\u7684\u4e82\u6578(Rb)\u8a3c\u660e\u5c0d\u65b9\u662fa<\/p>\n","protected":false},"excerpt":{"rendered":"

authentication(\u8a8d\u8b49):\u7528\u4f86\u78ba\u8a8d\u901a\u8a0a\u5925\u4f34\u4e0d\u662f\u5192 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[375],"tags":[],"class_list":["post-423","post","type-post","status-publish","format-standard","hentry","category-cryptographic-fundamentals"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=423"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/423\/revisions"}],"predecessor-version":[{"id":2851,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/423\/revisions\/2851"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}