Kerberized Internet Negotiation of Keys : English Wikipedia
Kerberized Internet Negotiation of Keys
Kerberized Internet Negotiation of Keys (KINK) is a protocol defined in RFC 4430 used to set up an IPsec security association (SA), similar to Internet Key Exchange (IKE), utilizing the Kerberos protocol to allow trusted third parties to handle authentication of peers and management of security policies in a centralized fashion.
Its motivation is given in RFC 3129 as an alternative to IKE, in which peers must each use X.509 certificates for authentication, use Diffie-Hellman key exchange (DH) for encryption, and know and implement a security policy for every peer with which they will connect, with authentication of the X.509 certificates either pre-arranged or performed via DNS, preferably with DNSSEC. Utilizing Kerberos, KINK peers need only mutually authenticate with the appropriate Authentication Server (AS), with a Key Distribution Center (KDC) in turn controlling distribution of keying material for encryption and therefore controlling the IPsec security policy.
== Protocol description ==

KINK is a command/response protocol that can create, delete, and maintain IPsec SAs. Each command or response contains a common header along with a set of type-length-value payloads. The type of a command or a response constrains the payloads sent in the messages of the exchange.
KINK itself is a stateless protocol in that no command or response requires KINK to store hard state. This is in contrast to IKE, which uses Main Mode to first establish an Internet Security Association and Key Management Protocol (ISAKMP) SA, followed by subsequent Quick Mode exchanges.
KINK uses Kerberos mechanisms to provide mutual authentication and replay protection. For establishing SAs, KINK provides confidentiality for the payloads that follow the Kerberos AP-REQ payload. The design of KINK mitigates denial of service attacks by requiring authenticated exchanges before any public key operations are performed and before any state is installed. KINK also provides a means of using Kerberos User-to-User mechanisms when no key is shared between the server and the KDC. This is typically, but not exclusively, the case with IPsec peers using PKINIT for initial authentication.
KINK directly reuses the Quick Mode payloads defined in section 5.5 of IKE, with some minor changes and omissions. In most cases, a KINK exchange is a single command and its response. When creating SAs, a third message is needed only if the responder rejects the initiator's first proposal or wants to contribute keying material. KINK also provides rekeying and Dead Peer Detection.
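The "common header plus a chain of type-length-value payloads" framing described above is the part of a protocol like this that a receiver must validate before it installs any state. The following added example (not from the Wikipedia article or from RFC 4430) builds and parses messages in a simplified KINK-style framing whose exact byte layout, message type numbers and payload type numbers are constructed for illustration; the point it shows is the length and chain checks a parser needs so that a truncated, oversized or zero-length payload cannot be used to desynchronise or loop the receiver.

```python
import struct

# Assumed, simplified framing (NOT RFC 4430's exact field layout):
#   message header: type(1) | flags(1) | length(2) | xid(4) | next_payload(1) | pad(3)  -> 12 bytes
#   payload header: next_payload(1) | reserved(1) | length(2), then (length - 4) bytes of value
# Each payload's type is given by the preceding next_payload field; 0 ends the chain.
HDR = struct.Struct("!BBHIB3x")
PL_HDR = struct.Struct("!BBH")
NO_NEXT = 0


def build_kink_message(mtype: int, xid: int, payloads: list, flags: int = 0) -> bytes:
    """Serialize (payload_type, value) pairs into a chained message (constructed layout)."""
    body = b""
    first = payloads[0][0] if payloads else NO_NEXT
    for i, (_, value) in enumerate(payloads):
        pnext = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT
        body += PL_HDR.pack(pnext, 0, PL_HDR.size + len(value)) + value
    return HDR.pack(mtype, flags, HDR.size + len(body), xid, first) + body


def parse_kink_message(data: bytes, max_payloads: int = 32) -> dict:
    """Parse a message, rejecting anything whose lengths do not agree with the bytes received."""
    if len(data) < HDR.size:
        raise ValueError("truncated message header")
    mtype, flags, length, xid, nxt = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"declared length {length} != received {len(data)}")
    payloads, off = [], HDR.size
    while nxt != NO_NEXT:
        if len(payloads) >= max_payloads:
            raise ValueError("payload chain too long")
        if off + PL_HDR.size > length:
            raise ValueError("payload header runs past end of message")
        pnext, reserved, plen = PL_HDR.unpack_from(data, off)
        if reserved != 0:
            raise ValueError("reserved byte must be zero")
        # A payload shorter than its own header (e.g. length 0) would never advance `off`.
        if plen < PL_HDR.size or off + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append((nxt, data[off + PL_HDR.size:off + plen]))
        off += plen
        nxt = pnext
    if off != length:
        raise ValueError("trailing bytes after last payload")
    return {"type": mtype, "flags": flags, "xid": xid, "payloads": payloads}
```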

Source of this excerpt: the free encyclopedia Wikipedia
Read the full article on "Kerberized Internet Negotiation of Keys" at Wikipedia
Copyright(C) kotoba.ne.jp 1997-2016. All Rights Reserved.