61 results about "Kerberos" patented technology

A system, method and computer program product for automatic response to computer system misuse using active response modules (ARMs). ARMs are tools that allow static intrusion detection system applications the ability to dynamically increase security levels by allowing real-time responses to detected instances of computer misuse. Several classes of ARMs exist which allow them to interface with several types of network elements found within a computing environment (e.g., firewalls, web servers, Kerberos severs, certificate authorities, etc.). The ARMs, once defined, are deployed in a "plug and play" manner into an existing intrusion detection system within a computing environment. A user (e.g., system administrator) may then configure the ARMs by linking them to specific computer misuses. Upon receipt of an instance of the computer misuse from the intrusion detection system, each ARM linked to the misuse collects pertinent data from the intrusion detection system and invokes a response specified by the ARM class and the collected pertinent data.

Branch domain controllers (DCs) contain read only replicas of the data in a normal domain DC. This includes information about the groups a user belongs to so it can be used to determine authorization information. Password information, however, is desirably replicated to the branch DCs only for users and services (including machines) designated for that particular branch. Moreover, all write operations are desirably handled by hub DCs, the primary domain controller (PDC), or other DCs trusted by the corporate office. Rapid authentication and authorization in branch offices is supported using Kerberos sub-realms in which each branch office operates as a virtual realm. The Kerberos protocol employs different key version numbers to distinguish between the virtual realms of the head and branch key distribution centers (KDCs). Accounts may be named krbtgt_<ID> where <ID> is carried in the kvno field of the ticket granting ticket (TGT) to indicate to the hub KDC which krbtgt′ key was used to encrypt the TGT.

A security provider is presented that integrates a Java based application server with Kerberos security protocol. The security provider includes a login module, a JMX MBean, an MBean definition file and a security provider java class. The JMX MBeans can contain various options that contain configuration information for the login module. The login module is responsible for authenticating the users by obtaining the user name and password, creating encryption keys, sending requests to the Kerberos key distribution center and receiving a ticket granting ticket encrypted with the user's password. The login module can then create an authenticated principal and add it to the subject associated with the user. The ticket granting ticket can also be added to the subject's private credentials. The security provider also supports the persistence of Kerberos credentials into a file based credentials cache.

The embodiment of the invention provides a distributed database cluster access method and an intermediate service layer. The method comprises the following steps: locally searching according to the cluster identifier of each target distributed database cluster to obtain a connecting thread corresponding to each target distributed database cluster, wherein each connecting thread is created based oneach configuration file for kerberos security authentication, each configuration file is acquired based on a local combined authentication file, and the combined authentication file is used for storing a one-to-one correspondence relationship between each cluster identifier and authentication configuration information; and realizing access of the target user to each target distributed database cluster based on the connection thread. According to the application, a user can access a plurality of distributed database clusters at the same time, so the cross-cluster access effectiveness and reliability of the user for the plurality of distributed database clusters at the same time can be improved while the cross-cluster access safety and timeliness of the user for the distributed database clusters are effectively improved.

The invention discloses a high-availability authentication method for a hadoop cluster kerberos. The high-availability authentication method comprises the following steps: deploying a plurality of kerberos servers in different Linux servers; calling the shell script at regular time by the Linux timer to synchronize and back up the data of the plurality of kernel servers; when the kernel authentication is started by the Hadoop, configuring all the kdc server addresses used in kdc parameter configuration of krb5. Conf; and in the hadoop cluster, adjusting the kerberos authentication priority sequence by adjusting the kdc parameter sequence by the node, so that the kernel server realizes multiple backups. When the hadoop performs kernel authentication, the adjustment can be performed according to the configuration of the authentication server, and in a large-scale cluster, the time delay caused by authentication can be reduced; and meanwhile, the load of a kernel server single server is reduced, and the stability of kernel authentication of the cluster is guaranteed.

The invention relates to a data security sharing system and method integrating a Kerberos authentication server and a block chain. The data security sharing system comprises a data providing terminal,a data demand terminal, an AS server, a TGS server, the block chain and a cloud storage platform. Wherein the data providing terminal is connected with the cloud storage platform and the block chain,the data demand terminal is connected with the cloud storage platform, the AS server and the TGS server, and the TGS server is connected with the block chain. According to the method, data privacy security and communication security are ensured by using symmetric encryption and asymmetric encryption algorithms, and multiple parties participate in authority management by using the decentralizationcharacteristic of the blockchain, so that the problem of data security access which cannot be provided by a traditional data sharing method can be solved. According to the method, the management right and the verification right of the data are separately realized, so that the burden of the blockchain network is reduced, the throughput is large, and the expandability and the robustness are relatively good.

A system and method for the detection and mitigation of Kerberos golden ticket, silver ticket, and related identity-based cyberattacks by passively monitoring and analyzing Kerberos and authentication operations within the network. The system and method provide real-time detections of identity attacks using time-series data and data pipelines, and by transforming the stateless Kerberos protocol into stateful protocol. A packet capturing agent is deployed on the network where captured time-series Kerberos and related event and log information is processed in distributed computational graph (DCG) stages where declarative rules determine if an attack is being carried out and what type of attack it is.

The invention discloses a Kerberos identity authentication protocol improvement method based on a national cryptographic algorithm, a traditional Kerberos protocol is improved by using session key dynamics and a hybrid cryptosystem based on the national cryptographic algorithm, and the improved Kerberos protocol comprises a registration process and an authentication process; wherein the authentication process comprises three stages: mutual authentication between the client and the AS; the client communicates with the TGS; the client communicates with the application server; a dynamic key is used as a shared key between the client and the AS, and encryption and decryption are carried out by adopting a hybrid cryptosystem based on a national cryptographic algorithm in an authentication process. According to the method, rainbow table attacks, blasting attacks and counterfeit user attacks caused by weak passwords can be effectively resisted, and replay attacks, man-in-the-middle attacks and the like caused by time synchronization can be effectively resisted, so that the security and the efficiency of a Kerberos identity authentication protocol are improved.

An ASP-based network manufacturing safety integrated system provides a complete set of network safety protection system to ensure the rights, the data confidentiality and the integrity of a legitimate user. To the multi-user access, the authentication of a user is realized by a system by using a single sign-on mode; the single password authentication, the one-time password authentication and the Kerberos protocol authentication are respectively adopted to carry out the ID authentication to the users of the different levels; a time-constrained access control module is adopted to protect the access rights of the legitimate user. The AHP level analysis method is adopted to calculate the distribution time of the conversation in the time constraint which affects a plurality of conversations. A safety administrator develops s different evaluating indicators according to the characteristics of the system, uses the AHP algorithm to obtain the weight coefficient of each conversation and carries out the time distribution according to the weight coefficient of the conversation which is obtained by the calculation. The algorithm avoids the situation of even distribution of each conversation time, which is in line with the practical needs.

The invention discloses a Kerberos security enhancement method based on Intel SGX. The method comprises the following steps: (1) security initialization of a Kerberos authentication system; (2) security execution of the authentication service of the KDC key distribution center. (3) secure storage of the key after the authentication service is ended. By introducing Intel SGX hardware and a trusted spatial mechanism of SGX, a safe KDC key distribution center master key storage and use environment in the Kerberos identity authentication system is constructed. The method comprises three modules: a key security initialization module; a key security operation module; and a secret key security storage module. The main key is a long-term key only held by the KDC and is used for encrypting authentication information, so that a secure execution environment is needed, the method can ensure the storage and operation security, and ensures that the bill information cannot be decrypted even if an attacker eavesdrops the information, thereby ensuring the transmission and verification security of the bill.

The invention relates to a cross-domain authentication method between Kerberos and PKI safety domains of an alliance chain, and belongs to the technical field of computer safety. The method comprises the steps of constructing a Kerberos and PKI inter-domain identity authentication model based on an alliance chain, performing primary cross-domain identity authentication from a Kerberos safety domain to a PKI safety domain, performing primary cross-domain identity authentication from the PKI safety domain to the Kerberos safety domain, and performing cross-domain re-identity authentication from the Kerberos safety domain to the PKI safety domain. According to the method, the block chain model is used as a basis, a consensus mechanism of an alliance chain is adopted, and the entity authentication method between the PKI domain and the Kerberos domain is provided, so that cross-domain authentication certificates can be reliably stored in different safety domains in a tamper-proof manner, and cross-domain identity authentication is realized while safety and reliability are ensured.

The invention provides an open type data processing system, an open type data system and a data processing method, and relates to the field of data processing. The open type data processing system comprises: an SSO platform used for carrying out legality verification on a user according to received input information of the user; an AD server which is used for detecting whether user identity information matched with the user exists in the AD server or not under the condition that the SSO platform verifies the legality of the user successfully; a data cluster server which is used for using a Kerberos protocol to carry out identity authentication on a user when the AD server has the user identity information matched with the user; determining the access permission of the user if the user passes the identity authentication, outputting target data requested by the user, and/or, determining the operation permission of the user, executing a target task requested by the user, the target data being matched with the access permission of the user, and the target task being matched with the operation permission of the user. By means of the technical scheme, the safety of the open type data processing system can be improved.

The invention provides a spark task submitting method, a spark task submitting device and a server. The method comprises the following steps: responding to the creation completion operation of the spark task, if the kerberos authority authentication based on the super user is passed, generating a spark-submit command containing task parameters of the spark task, and assigning an agent user name ofthe spark-sub command as a user name corresponding to a creator of a project where the spark task is located; and submitting a spark task through the spark-submit command. According to the method, kerberos permission authentication is automatically carried out while the spark task is submitted, so that the authentication efficiency is improved; the proxy user name in the spark-submit is assignedas the user name corresponding to the creator, so that the creator and the submitter of the spark task are ensured to be the same user, the user identity information is prevented from being used by other users, and the security of a big data system is ensured.

The invention discloses a Kerberos authentication system and method based on a physical unclonable function, and the system comprises equipment A, equipment B, and a key distribution center (KDC), wherein the key distribution center KDC comprises an authentication server (AS), a ticket granting server (TGS), and a database (DB). The method comprises the following steps: registering equipment A andequipment B in the KDC; the equipment A requests a ticket granting ticket (TGT) from the AS; the equipment A obtains the TGT; the equipment A requests a service granting ticket from the TGS; the equipment A obtains a service granting ticket (SGT); and the equipment A requests a communication service from the equipment B. According to the method, key leakage caused by physical attacks such as invasion, semi-invasion and side channel attacks of attackers can be prevented, meanwhile, the problems of high public key calculation complexity, low speed and excessive communication bandwidth occupation are solved, and the method is suitable for resource-limited network application.

The invention relates to a machine-fixed multi-node integrated authorization management method. The method comprises the following steps: (a) networking a fixed information service center and a plurality of maneuvering edge information service nodes; (b) performing identity authentication between the fixed information service center and the plurality of maneuvering edge information service nodes based on an identity authentication model improved by a Kerberos protocol; and (c) performing cross-node data transmission between the fixed information service center or/and the plurality of maneuvering edge information service nodes. Identity authentication between the fixed information service center and the plurality of maneuvering edge information service nodes is carried out by adopting an improved identity authentication model based on a Kerberos protocol so as to be used for cross-node data transmission, so that the security of identity authentication authorization is greatly improved.

The invention discloses a data processing method and device and electronic equipment, and the method comprises the steps: determining a target file storage system corresponding to a task identifier and a kerberos authentication state of the target file storage system according to the task identifier carried in a to-be-processed task; when the Kerberos authentication state is that authentication is passed, creating a target connection pool corresponding to a target file storage system, and creating at least one data thread in the target connection pool; and obtaining target data corresponding to the to-be-processed task from the target file storage system based on each data thread. The problem of low efficiency in the data transmission process is solved, and the effect of greatly reducing the consumption performance in the data transmission is achieved.

The invention discloses a multi-lease user method for an industrial production data real-time processing platform system, and the method comprises the steps: 1, unifying an identity authentication service; 2, enabling the multi-lease user to create mapping with the system user; 3, performing Zeppelin login authentication module modification; 4, automatically authenticating the task; managing the user by using a unified identity authentication service and controlling the resource range of the account; creating a plurality of user accounts, enabling each user account to correspond to one group,and controlling the authority through a user file system and a distributed file system; changing the Zeppelin login authentication module to call a unified identity authentication service; and submitting the task to a cluster to realize Kerberos automatic authentication. Unified identity authentication service is adopted, multi-lease user isolation is achieved, cluster data safety is guaranteed, seamless connection between an industrial production data real-time processing platform system and a big data system platform is achieved, and user login authentication and platform service authentication authorization are completed.

The invention relates to a cross-domain authentication method between Kerberos and IBC security domains based on an alliance chain, and the method comprises the steps: firstly authenticating the identity information of a target domain entity through a protocol when an entity node in a security domain initiates a cross-domain authentication request, then enabling the identity information of the entity to generate a cross-domain certificate, and storing the cross-domain certificate on a block chain; the authentication information cannot be tampered on the block chain and is confirmed by a plurality of cross-domain nodes according to a consensus protocol, so that decentralization of entity authentication information storage is realized; when an entity node in a security domain requests to authenticate an entity node which has been subjected to cross-domain authentication, in order to improve authentication efficiency, a cross-domain certificate can be directly sent to a target entity node, and the target entity node can complete re-authentication service of an entity identity after the validity of the target entity node is verified by a block chain. The technical problems that a cross-domain authentication centralization model between the Kerberos and the IBC is complex, authentication information management is difficult and the like are solved.

The invention provides a data analysis method used in a Kerberos encryption environment, and relates to the field of Kerberos encryption and decryption. A data analysis method used in a Kerberos encryption environment comprises the following specific steps: a Kerberos server registers an account for an application client and creates a client password, and the Kerberos server registers an account for the application server and creates a server password; the Kerberos server generates a key file according to the client password and the server password and sends the key file to the decryption device; the application client generates a communication key; the Kerberos server generates an authentication key, and encrypts the authentication key through a client password to generate a first bill. According to the invention, the problem that the communication content between the client and the server cannot be supervised in a Kerberos authentication environment is solved.

The invention relates to the field of computing, and particularly provides an implementation method of dynamic connection of Flink and Kerberos authentication components, which comprises the following steps of: S1, preparing an Flink cluster and a plurality of sets of different Kerberos authentication components; S2, mounting NFS shared storage; S3, dynamically integrating Kerberos authentication files by a Kerberos management center, and storing the Kerberos authentication files in a shared storage directory; S4, changing the flink-conf.yaml configuration file of the Flink cluster; S5, in a Job related code of the Flink, refreshing Krb5.conf related configuration in real time; and S6, operating the Job of the Flink so that the Flink cluster is successfully connected with the plurality of sets of Kerberos authentication components. Compared with the prior art, the method has the advantages that the problems that conflicts occur when Flink is connected with a plurality of different Kerberos authentication components, a cluster needs to be restarted when the Kerberos authentication components are changed and the like are solved.

The invention provides a method for realizing database login authentication based on a Kerberos mechanism, which comprises a preparation authentication stage and a dynamic authentication stage, in the preparation authentication stage, a plug-in is called, a relation between Kerberos and a database is established, and in the dynamic authentication stage, a client sends a user name to a server; the server side analyzes the user name information and determines whether the user name information is a Kerberos authentication mode, and if the user name information is a Kerberos authentication mode, marking is carried out and related authentication data is sent to the client side; the client receives the authentication data and performs client identity authentication; after the verification is passed, the client sends authentication subject information of the server to the KDC, and the KDC performs identity legal information authentication on the client and the server; the client side obtains the authorized bill certificates cred through the bill authorization service and sends the authorized bill certificates cred to the server side; and the server side decrypts the cred to obtain the client side information, the client side information is compared with the client side authentication identifier, if the client side information is the same as the client side authentication identifier, login succeeds, the possibility of login password leakage is completely eradicated through kerberos authentication, and the legality of a data requester and the legality of a data supplier are guaranteed.

The invention relates to a method for simultaneously supporting multiple Kerberos authentication in a single JVM process, which comprises the following steps of: executing the following operations onmultiple Hadoop clusters using the Kerberos authentication one by one; 2.1, selecting a Hadoop cluster; 2.2, setting an environment variable and a parameter of Kerberos authentication; 2.3, initiatinga Kerberos authentication request is initiated, and generating and returning a bill; and 2.4, selecting a next Hadoop cluster, and repeating the steps 2.2 and 2.3 until the plurality of Hadoop clusters execute the Kerberos authentication operation. According to the invention, in one JVM process (single JVM process), more than two kinds of Kerberos authentication can be used (supported) at the same time, so that software services in a plurality of Kerberos domains can be accessed at the same time in the single JVM process, data interaction of more than two software services with Kerberos authentication started is realized, and efficient and convenient Kerberos authentication is provided.

The invention provides an access method and device for multiple Hadoop clusters and computer equipment, and the method comprises the steps: obtaining a krb5. Conf file corresponding to the kerberos authentication under the condition of determining that each Hadoop cluster has started the kerberos authentication and the KDC of each Hadoop cluster is different; carrying out merging processing on the plurality of krb5. Conf files; the method comprises the following steps of: determining a host name of each YARN ResourceManger component and a host name of each HDFS (Hadoop Distributed File System) NameNode component, and determining a domain Realm corresponding to kerberos authentication; determining a plurality of mappings between the hostname and the Realm, and setting the mappings between the hostname and the Realm in a domain real column; the method comprises the following steps of: judging whether a UserGroup Information object exists in a local cache or not; and if the UserGroup Information object exists in the local cache, the UserGroup Information object is obtained, and the plurality of Hadoop clusters are accessed to the UserGroup Information object. Therefore, one client can simultaneously access a plurality of Hadoop clusters which open the Kerberos and have different KDCs, and the access efficiency can be improved.