有六级的吗

四级作文和翻译，还有选词填空

[Page 400]
Chapter 14.Authentication Applications
14.1 Kerberos
Motivation
Kerberos Version 4
Kerberos Version 5
14.2 X.509Authentication Service
Certificates
AuthenticationProcedures
X.509 Version 3
14.3 Public-KeyInfrastructure
PKIX ManagementFunctions
PKIX ManagementProtocols
14.4 Recommended Reading and Web Sites
14.5 Key Terms,Review Questions, and Problems
Key Terms
Review Questions
Problems
Appendix 14AKerberos Encryption Techniques
Password-to-KeyTransformation
Propagating CipherBlock Chaining Mode
[Page 401]
We cannot enter intoalliance with neighboring princes until we are acquainted with their designs.
The Art of War, SunTzu
Key Points
Kerberos is anauthentication service designed for use in a distributed environment.
Kerberos makes useof a trusted third-part authentication service that enables clients and serversto
establishauthenticated communication.
X.509 defines theformat for public-key certificates. This format is widely used in a variety ofapplications.
A public keyinfrastructure (PKI) is defined as the set of hardware, software, people,policies, and
procedures needed tocreate, manage, store, distribute, and revoke digital certificates based onasymmetric
cryptography.
Typically, PKIimplementations make use of X.509 certificates.
This chapterexamines some of the authentication functions that have been developed tosupport application-level authentication and
digital signatures.
We begin by lookingat one of the earliest and also one of the most widely used services: Kerberos.Next, we examine the X.509
directoryauthentication service. This standard is important as part of the directoryservice that it supports, but is also a basic building
block used in otherstandards, such as S/MIME, discussed in Chapter 15. Finally, this chapterexamines the concept of a public-key
infrastructure(PKI).
[Page 401(continued)]
14.1. Kerberos
[1]
Kerberos is anauthentication service developed as part of Project Athena at MIT. The problemthat Kerberos addresses is this: Assume
an open distributedenvironment in which users at workstations wish to access services on serversdistributed throughout the network. We
would like forservers to be able to restrict access to authorized users and to be able toauthenticate requests for service. In this
environment, aworkstation cannot be trusted to identify its users correctly to networkservices. In particular, the following three threats
exist:
[1] "In Greekmythology, a many headed dog, commonly three, perhaps with a serpent's tail,the guardian of the
entrance ofHades." From Dictionary of Subjects and Symbols in Art, by James Hall,Harper & Row, 1979. Just as
the Greek Kerberoshas three heads, the modern Kerberos was intended to have three components toguard a
network's gate:authentication, accounting, and audit. The last two heads were neverimplemented.
A user may gainaccess to a particular workstation and pretend to be another user operatingfrom that workstation.
[Page 402]
A user may alter thenetwork address of a workstation so that the requests sent from the alteredworkstation appear to come
from theimpersonated workstation.
A user may eavesdropon exchanges and use a replay attack to gain entrance to a server or to disruptoperations.
In any of thesecases, an unauthorized user may be able to gain access to services and datathat he or she is not authorized to access.
Rather than buildingin elaborate authentication protocols at each server, Kerberos provides acentralized authentication server whose
function is toauthenticate users to servers and servers to users. Unlike most otherauthentication schemes described in this book,
Kerberos reliesexclusively on symmetric encryption, making no use of public-key encryption.
Two versions ofKerberos are in common use. Version 4 [MILL88, STEI88] implementations stillexist. Version 5 [KOHL94] corrects some
[2]
of the securitydeficiencies of version 4 and has been issued as a proposed Internet Standard(RFC 1510).
[2] Versions 1through 3 were internal development versions. Version 4 is the"original" Kerberos.
We begin thissection with a brief discussion of the motivation for the Kerberos approach.Then, because of the complexity of Kerberos, it
is best to startwith a description of the authentication protocol used in version 4. Thisenables us to see the essence of the Kerberos
strategy withoutconsidering some of the details required to handle subtle security threats.Finally, we examine version 5.
Motivation
If a set of users isprovided with dedicated personal computers that have no network connections,then a user's resources and files can be
protected byphysically securing each personal computer. When these users instead are servedby a centralized time-sharing system, the
time-sharingoperating system must provide the security. The operating system can enforceaccess control policies based on user identity
and use the logonprocedure to identify users.
Today, neither ofthese scenarios is typical. More common is a distributed architectureconsisting of dedicated user workstations (clients)
and distributed orcentralized servers. In this environment, three approaches to security can beenvisioned:
1.
Rely on eachindividual client workstation to assure the identity of its user or users andrely on each server to enforce a security
policy based on useridentification (ID).
2.
Require that clientsystems authenticate themselves to servers, but trust the client systemconcerning the identity of its user.
3.
Require the user toprove his or her identity for each service invoked. Also require that serversprove their identity to clients.
In a small, closedenvironment, in which all systems are owned and operated by a single organization,the first or perhaps the second
[3]
strategy maysuffice. But in a more open environment, in which network connections to othermachines are supported, the third
approach is neededto protect user information and resources housed at the server. Kerberossupports this third approach. Kerberos
assumes adistributed client/server architecture and employs one or more Kerberos serversto provide an authentication service.
[3] However, even aclosed environment faces the threat of attack by a disgruntled employee.
[Page 403]
The first publishedreport on Kerberos [STEI88] listed the following requirements:
Secure: A networkeavesdropper should not be able to obtain the necessary information toimpersonate a user. More
generally, Kerberosshould be strong enough that a potential opponent does not find it to be theweak link.
Reliable: For allservices that rely on Kerberos for access control, lack of availability of theKerberos service means lack of
availability of thesupported services. Hence, Kerberos should be highly reliable and should employa distributed server
architecture, withone system able to back up another.
Transparent:Ideally, the user should not be aware that authentication is taking place,beyond the requirement to enter a
password.
Scalable: The systemshould be capable of supporting large numbers of clients and servers. Thissuggests a modular,
distributedarchitecture.
To support theserequirements, the overall scheme of Kerberos is that of a trusted third-partyauthentication service that uses a protocol
based on thatproposed by Needhamand Schroeder [NEED78], which was discussed inChapter 7. It is trusted in thesense that clients
and servers trustKerberos to mediate their mutual authentication. Assuming the Kerberos protocolis well designed, then the
[4]
authenticationservice is secure if the Kerberos server itself is secure.
[4] Remember thatthe security of the Kerberos server should not automatically be assumed butmust be guarded
carefully (e.g., in alocked room). It is well to remember the fate of the Greek Kerberos, whomHercules was ordered
by Eurystheus tocapture as his Twelfth Labor: "Hercules found the great dog on its chainand seized it by the
throat. At once thethree heads tried to attack, and Kerberos lashed about with his powerful tail.Hercules hung on
grimly, and Kerberosrelaxed into unconsciousness. Eurystheus may have been surprised to seeHercules
alivewhen he saw thethree slavering heads and the huge dog they belonged to he was frightened outof his wits,
and leapt back intothe safety of his great bronze jar." From The Hamlyn Concise Dictionary ofGreek and Roman
Mythology, byMichael Stapleton, Hamlyn, 1982.
Kerberos Version 4

Version 4 ofKerberos makes use of DES, in a rather elaborate protocol, to provide theauthentication service. Viewing the protocol as a
whole, it isdifficult to see the need for the many elements contained therein. Therefore,we adopt a strategy used by Bill Bryant of Project
Athena [BRYA88] andbuild up to the full protocol by looking first at several hypotheticaldialogues. Each successive dialogue adds
additionalcomplexity to counter security vulnerabilities revealed in the precedingdialogue.
After examining theprotocol, we look at some other aspects of version 4.
A SimpleAuthentication Dialogue
In an unprotectednetwork environment, any client can apply to any server for service. Theobvious security risk is that of impersonation.
An opponent canpretend to be another client and obtain unauthorized privileges on servermachines. To counter this threat, servers must
be able to confirmthe identities of clients who request service. Each server can be required toundertake this task for each client/server
interaction, but inan open environment, this places a substantial burden on each server.
[Page 404]
An alternative is touse an authentication server (AS) that knows the passwords of all users andstores these in a centralized database. In
addition, the ASshares a unique secret key with each server. These keys have been distributedphysically or in some other secure
[5]
manner. Consider thefollowing hypothetical dialogue:
[5] The portion tothe left of the colon indicates the sender and receiver; the portion to theright indicates the contents
of the message, thesymbol || indicates concatenation.
IDC||PC||IDV
(1) C
AS:
Ticket
(2) AS
C:
IDC||Ticket
Ticket = E(Kv,[IDC||ADC||IDV])
(3) C
V:
where
C = client
AS = authenticationserver
V =server
IDC = identifier ofuser on C
IDV = identifier ofV
PC = password ofuser on C
ADC = networkaddress of C
Kv = secretencryption key shared by AS and V
In this scenario,the user logs on to a workstation and requests access to server V. The clientmodule C in the user's workstation requests
the user's passwordand then sends a message to the AS that includes the user's ID, the server'sID, and the user's password. The AS
checks its databaseto see if the user has supplied the proper password for this user ID andwhether this user is permitted access to
server V. If bothtests are passed, the AS accepts the user as authentic and must now convincethe server that this user is authentic. To
do so, the AScreates a ticket that contains the user's ID and network address and theserver's ID. This ticket is encrypted using the
secret key shared bythe AS and this server. This ticket is then sent back to C. Because the ticketis encrypted, it cannot be altered by C or
by an opponent.
With this ticket, Ccan now apply to V for service. C sends a message to V containing C's ID andthe ticket. V decrypts the ticket and
verifies that theuser ID in the ticket is the same as the unencrypted user ID in the message. Ifthese two match, the server considers the
user authenticatedand grants the requested service.
Each of theingredients of message (3) is significant. The ticket is encrypted to preventalteration or forgery. The server's ID (IDV) is
included in theticket so that the server can verify that it has decrypted the ticket properly.IDC is included in the ticket to indicate that this
ticket has beenissued on behalf of C. Finally, ADC serves to counter the following threat. Anopponent could capture the ticket transmitted
in message (2), thenuse the name IDC and transmit a message of form (3) from another workstation.The server would receive a valid
ticket that matchesthe user ID and grant access to the user on that other workstation. To preventthis attack, the AS includes in the ticket
the network addressfrom which the original request came. Now the ticket is valid only if it istransmitted from the same workstation that
initially requestedthe ticket.
[Page 405]
A More SecureAuthentication Dialogue
Although theforegoing scenario solves some of the problems of authentication in an opennetwork environment, problems remain. Two in
particular standout. First, we would like to minimize the number of times that a user has toenter a password. Suppose each ticket can be
used only once. Ifuser C logs on to a workstation in the morning and wishes to check his or hermail at a mail server, C must supply a
password to get aticket for the mail server. If C wishes to check the mail several times duringthe day, each attempt requires reentering
the password. We canimprove matters by saying that tickets are reusable. For a single logonsession, the workstation can store the mail
server ticket afterit is received and use it on behalf of the user for multiple accesses to themail server.
However, under thisscheme it remains the case that a user would need a new ticket for everydifferent service. If a user wished to access
a print server, amail server, a file server, and so on, the first instance of each access wouldrequire a new ticket and hence require the
user to enter thepassword.
The second problemis that the earlier scenario involved a plaintext transmission of the password[message (1)]. An eavesdropper could
capture the passwordand use any service accessible to the victim.
To solve theseadditional problems, we introduce a scheme for avoiding plaintext passwords anda new server, known as the
ticket-grantingserver (TGS). The new but still hypothetical scenario is as follows:
Once per user logonsession:
(1) C AS: IDC||IDtgs
(2) AS C: E(Kc,Tickettgs)
Once per type ofservice:
(3) C TGS:IDC||IDV||Tickettgs
(4) TGS C: Ticketv
Once per servicesession:
IDC||Ticketv
(5) C
V:
Tickettgs = E(Ktgs,[IDC||ADC||IDtgs||TS1||Lifetime1])
Ticketv = E(Kv,[IDC||ADC||IDv||TS2||Lifetime2])
The new service,TGS, issues tickets to users who have been authenticated to AS. Thus, the userfirst requests a ticket-granting ticket
(Tickettgs) from theAS. The client module in the user workstation saves this ticket. Each time the userrequires access to a new service,
the client appliesto the TGS, using the ticket to authenticate itself. The TGS then grants aticket for the particular service. The client saves
eachservice-granting ticket and uses it to authenticate its user to a server eachtime a particular service is requested. Let us look at the
details of thisscheme:
[Page 406]

房山能动英语屋——英语能力，能动给你~~~ 能动英语的核心产品是指拥有自主知识产权、获得中、美两国专利的表音密码，以及在其基础之上研发出来的词义识记、九九句法的三大课程体系。表音密码就是26个英文字母在百万单词中的发音规律，也就是英文字母与声音之间的发音规则。长期以来，国内外英语语言学家一直在探索、寻找其规律而未得。能动英语首席设计师、美国弗吉尼亚大学教育学博士李如云耗时7年成功破译困扰英语语言学家上百年的“表音密码”，并获得中、美两国国家专利。词义识记、九九句法是表音密码的进阶课程。 地址：北京房山良乡北关西路18号（华冠购物中心向西100米）

lz，我只想说，我现在一做题，狂错，后天四级。我勒个去，怎么办。

作文模版四级的

丁丁

赞一个，四级靠你了！

怎样才能加快速度啊?我英语阅读部分每篇都15分钟，甚至更长

考听力的时候能先把选项写在试卷上，等全部听完再涂卡吗？还有听写能先潦草写在试卷上，再抄上去吗？

想要2014年6月 和2013年12月的真题听力 谢谢

楼主，我对过四级有信心，但我想考600+，后天就要考了，lz还有没有再让我冲的方法，么么哒楼主

四级听力前八个总是全错，所以打算蒙这8个，楼主，你觉得今年A、B、C、D哪个选项出现的几率多一点啊