Authentication: Kerberos or SSL?
Problem description
I'm in the "pre-design" phase (if there is such a thing!) for a Java EE app that will use a Swing box on the client end and implement components for both web and server tiers.
I'm instantly presented with some technology choices and have been reading up on the differences between how Kerberos and SSL work. One area that I have not been able to find any answers to has been the subject of how to choose between Kerberos or SSL. In other words, how do you tell when it is appropriate to use either protocol?
Let's assume that the Swing client isn't bound by a particular transport (UDP, TCP or otherwise) and could use either/any. How does one choose between which of these two is a better match for their application?
Thanks!
Recommended answer
Comparing Kerberos and SSL/TLS doesn't make sense.
- Kerberos is an authentication protocol.
- TLS is a protocol for securing the communication between two parties, which relies on mechanisms for authentication and encryption. How they work depends on the chosen cipher suite. Although most usages of TLS (e.g. HTTPS) use X.509 certificates, in which case you're likely to use a PKI for the authentication of the remote party, Kerberos cipher suites can also be used. Few TLS stacks support these Kerberos cipher suites as far as I'm aware (Java does).
It doesn't have to be one or the other. For example, even if you're using SPNEGO (Kerberos) HTTP authentication, it often makes sense to secure the transport using TLS (often with an X.509 certificate on the server side, verified via a PKI). If not, the SPNEGO tokens exchanged in the HTTP headers guarantee the authentication, but the rest of the HTTP messages could have been modified by an attacker.
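The combination described in the answer above can be enforced on the server side. The following is an added example, not part of the original answer: a WSGI middleware that accepts SPNEGO (`Negotiate`) credentials only over HTTPS and never issues a `Negotiate` challenge over cleartext HTTP. The names `require_tls_for_negotiate`, `protected_app` and `simulate`, the `/transfer` path and the token value are hypothetical, and it assumes TLS terminates at this server so that `wsgi.url_scheme` reflects the real transport.

```python
def require_tls_for_negotiate(app):
    """Wrap a WSGI app so SPNEGO (Negotiate) auth is only honoured over HTTPS."""
    def middleware(environ, start_response):
        secure = environ.get("wsgi.url_scheme") == "https"
        auth_scheme = environ.get("HTTP_AUTHORIZATION", "").partition(" ")[0]
        if not secure and auth_scheme.lower() == "negotiate":
            # The token would still authenticate the client, but nothing would
            # protect the rest of the HTTP message from modification in transit.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"SPNEGO authentication requires HTTPS\n"]

        def filtered_start(status, headers, exc_info=None):
            if not secure:
                # Never invite the client to send a token over cleartext.
                headers = [(k, v) for k, v in headers
                           if not (k.lower() == "www-authenticate"
                                   and v.strip().lower().startswith("negotiate"))]
            return start_response(status, headers, exc_info)

        return app(environ, filtered_start)
    return middleware


def protected_app(environ, start_response):
    """Hypothetical stand-in application; real token validation is out of scope."""
    if "HTTP_AUTHORIZATION" not in environ:
        start_response("401 Unauthorized", [("WWW-Authenticate", "Negotiate")])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def simulate(scheme, authorization=None):
    """Send one constructed request through the wrapped app; return the outcome."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/transfer",
               "wsgi.url_scheme": scheme}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    body = b"".join(require_tls_for_negotiate(protected_app)(environ, start_response))
    return seen["status"], seen["headers"], body
```

Behind a TLS-terminating reverse proxy, `wsgi.url_scheme` is `http` for every request, so the check would have to rely on whatever trusted signal that proxy provides instead.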