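/// <summary>
/// Builds the AS reply for <paramref name="uid"/>: the TGT (uid|TS2|LifeTime2) encrypted under
/// the AS/TGS key, bundled with a freshly generated Client/TGS session key and the user code,
/// the bundle encrypted under the AS/Client key and followed by an RSA signature over the
/// session key's hash.
/// </summary>
/// <param name="uid">User identifier resolved through LoginService.GetUser.</param>
/// <param name="tgticket">Receives the TGT as issued (the ticket object itself is not encrypted here).</param>
/// <returns>"&lt;encrypted bundle&gt;,&lt;rsa signature&gt;" — the string sent back to the client.</returns>
/// <exception cref="InvalidOperationException">No user exists for <paramref name="uid"/>.</exception>
public string CreateKerbAsResp(string uid, out TGTicket tgticket)
{
    User user = LoginService.GetUser(uid);
    if (user == null)
    {
        // The original dereferenced user.UserCode unguarded and failed with a NullReferenceException.
        throw new InvalidOperationException("No user found for uid: " + uid);
    }

    TGTicket tgTicket = new TGTicket(user.UserCode);

    // TGT body. The TGS splits this on '|' (see HandleTgsReq), so the user code is assumed not
    // to contain that character. Convert.ToString renders TS2/LifeTime2 in the current culture;
    // the TGS parses them with the same culture.
    string ticketBody = string.Concat(tgTicket.Uid, "|", Convert.ToString(tgTicket.TS2));
    ticketBody = string.Concat(ticketBody, "|", Convert.ToString(tgTicket.LifeTime2));
    string encryptedTgt = desCryp.Encrypt(ticketBody, KeyType.AS_TGS_Key, KeyType.Iv);

    // Client/TGS session key. GenerateDesCryProvider overwrites key1 through the ref parameter;
    // its exact contract (whether Session_Key_1 / Iv act as seeds) lives in desCryp — confirm.
    string key1 = KeyType.Session_Key_1;
    string iv = KeyType.Iv;
    key1 = desCryp.GenerateDesCryProvider(ref key1, ref iv);

    // Sign the hash of the session key with the AS private key (the field is HTML-decoded
    // before use, so it is presumably stored encoded — verify). Only key1 is covered by the
    // signature; the ticket and the user code are not.
    string hashData = "";
    rsaCrpt.GetHash(key1, ref hashData);
    string rsasign = "";
    rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);

    // Reply = Enc_{AS_Client_Key}(encryptedTgt|key1|userCode) "," signature.
    // NOTE(review): AS_Client_Key is a shared constant from KeyType rather than a per-user key,
    // so this encryption does not bind the reply to the authenticated user — confirm intent.
    string bundle = string.Concat(encryptedTgt, "|", key1, "|", user.UserCode);
    string kerbAsResp = desCryp.Encrypt(bundle, KeyType.AS_Client_Key, KeyType.Iv);
    kerbAsResp = string.Concat(kerbAsResp, ",", rsasign);

    tgticket = tgTicket;
    return kerbAsResp;
}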
/// <summary>
/// Authenticates the credentials carried by an AS request and, on success, issues the AS reply
/// together with the TGT.
/// </summary>
/// <param name="kerbAsReq">Request carrying UserName and UserPwd.</param>
/// <param name="errorInfo">Set to a failure message only when authentication fails; otherwise left untouched.</param>
/// <param name="tgticket">The issued TGT, or null when authentication fails.</param>
/// <param name="kerbAsResponse">The AS reply string, or "" when authentication fails.</param>
/// <returns>The authenticated user, or null when the credentials do not match.</returns>
public User UserValidate(KerbASRequest kerbAsReq, ref string errorInfo, out TGTicket tgticket, out string kerbAsResponse)
{
    // How LoginService stores and compares the password is not visible here — presumably
    // hashed rather than plaintext; verify in LoginService.
    User validated = LoginService.GetUser(kerbAsReq.UserName, kerbAsReq.UserPwd);

    if (validated == null)
    {
        errorInfo = "输入的用户名和密码错误";
        tgticket = null;
        kerbAsResponse = "";
        return null;
    }

    // The reply and the TGT both come from the AS reply builder.
    kerbAsResponse = CreateKerbAsResp(validated.UserCode, out tgticket);
    return validated;
}
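/*
 * The TGT is decrypted on the TGS server, never on the client.
 *
 * The TGS handles a KerbTGSRequest and decides whether the TGT it carries is valid;
 * if so, a service ticket (STicket) is issued straight away.
 */
/// <summary>
/// Validates the TGT and authenticator in <paramref name="kerbTgsRequest"/> and, when both pass,
/// issues a service ticket for the client.
/// </summary>
/// <param name="kerbTgsRequest">Carries the session key, the uid encrypted under it and the encrypted TGT.</param>
/// <param name="tgsvalid">true only when a service ticket was issued.</param>
/// <param name="kerbTgsResponse">"encryptedSticket|clientApKey|uid" on success, "" otherwise.</param>
public void HandleTgsReq(KerbTGSRequest kerbTgsRequest, out bool tgsvalid, out string kerbTgsResponse)
{
    // Every rejection path below leaves these defaults in place.
    tgsvalid = false;
    kerbTgsResponse = "";

    string sessionKey1 = kerbTgsRequest.session_key_1;
    string encryptUid = kerbTgsRequest.encryptUid;
    string encryptedTgt = kerbTgsRequest.encyptgsTicket;

    // Recover the TGT fields written by the AS (uid|TS2|LifeTime2).
    string tgtPlain = desCrypt.Decrypt(encryptedTgt, KeyType.AS_TGS_Key, KeyType.Iv);
    TGTicket tgtTicket;
    if (!TryParseTgTicket(tgtPlain, out tgtTicket))
    {
        // Malformed ticket (wrong field count or unparsable timestamp/lifetime): reject.
        // The original indexed ticketArray[1] and [2] unguarded and would have thrown here.
        return;
    }
    string uid = tgtTicket.Uid;

    // Authenticator check: the uid the client encrypted must equal the uid inside the TGT.
    // NOTE(review): sessionKey1 is taken from the request itself, not from the TGT (the TGT
    // carries only uid|TS2|LifeTime2), so this shows that encryptUid was produced under the key
    // the requester supplied, not that the requester holds the key the AS issued — confirm intent.
    string validUid = desCrypt.Decrypt(encryptUid, sessionKey1, KeyType.Iv);
    if (string.IsNullOrEmpty(validUid) || !string.Equals(validUid, uid, StringComparison.Ordinal))
    {
        // uid mismatch ("TGS ticket modified" in the original). The original re-entered
        // HandleTgsReq with the same request, which can only fail the same way again; a plain
        // reject replaces that unbounded recursion.
        return;
    }

    if (IsTGTExpired(tgtTicket))
    {
        // Expired TGT; the client has to obtain a fresh one from the AS (same recursion fix as above).
        return;
    }

    // Service ticket: STIdentity|TS4|LifeTime4|uid|Adc1, encrypted under the TGS/AP key.
    STicket sticket = new STicket(uid);
    string ticketBody = string.Concat(sticket.STIdentity, "|", Convert.ToString(sticket.TS4));
    ticketBody = string.Concat(ticketBody, "|", Convert.ToString(sticket.LifeTime4));
    ticketBody = string.Concat(ticketBody, "|", uid);
    ticketBody = string.Concat(ticketBody, "|", Convert.ToString(sticket.Adc1));
    string encryptSticket = desCrypt.Encrypt(ticketBody, KeyType.TGS_AP_Key, KeyType.Iv);

    // Client/AP session key. GenerateDesCryProvider overwrites key1 through the ref parameter;
    // its exact contract lives in desCrypt — confirm.
    string key1 = KeyType.Client_AP_Key;
    string iv = KeyType.Iv;
    key1 = desCrypt.GenerateDesCryProvider(ref key1, ref iv);

    // Signature over the session key's hash. As in the original, the result is computed but not
    // appended to the reply (CreateKerbAsResp on the AS side does append it) — confirm intent.
    string hashData = "";
    rsaCrpt.GetHash(key1, ref hashData);
    string rsasign = "";
    rsaCrpt.SignatureFormatter(HttpUtility.HtmlDecode(privateKey), hashData, ref rsasign);

    // NOTE(review): unlike the AS reply, this bundle is not encrypted under any client-side key;
    // key1 and uid leave the TGS exactly as concatenated here — confirm intent.
    tgsvalid = true;
    kerbTgsResponse = string.Concat(encryptSticket, "|", key1, "|", uid);
}

/// <summary>
/// Parses the decrypted TGT text "uid|TS2|LifeTime2" (as written by the AS) into a ticket.
/// </summary>
/// <param name="ticketText">Decrypted ticket body; may be null or empty.</param>
/// <param name="ticket">The parsed ticket, or null when parsing fails.</param>
/// <returns>false when the field count is wrong or a field does not parse.</returns>
private static bool TryParseTgTicket(string ticketText, out TGTicket ticket)
{
    ticket = null;
    if (string.IsNullOrEmpty(ticketText))
    {
        return false;
    }

    string[] fields = ticketText.Split('|');
    if (fields.Length != 3)
    {
        return false;
    }

    // Current-culture parsing, matching the Convert.ToString calls that wrote the fields.
    DateTime ts2;
    double lifetime2;
    if (!DateTime.TryParse(fields[1], out ts2) || !double.TryParse(fields[2], out lifetime2))
    {
        return false;
    }

    ticket = new TGTicket(fields[0], ts2, lifetime2);
    return true;
}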
/// <summary>
/// Reports whether a TGT's lifetime has elapsed: true when more than LifeTime2 minutes have
/// passed since its TS2 timestamp, measured against the local clock.
/// </summary>
/// <param name="tgticket">Ticket whose TS2 (issue timestamp) and LifeTime2 (minutes) are checked.</param>
/// <returns>true when the ticket has expired; false while it is still within its lifetime.</returns>
public bool IsTGTExpired(TGTicket tgticket)
{
    // DateTime.Now is local time; TS2 is assumed to have been stamped the same way by the
    // issuer (TGTicket's constructor is not visible here) — confirm, since skew between the
    // issuing and checking clocks shifts this decision directly.
    TimeSpan age = DateTime.Now - tgticket.TS2;
    return age.TotalMinutes > tgticket.LifeTime2;
}
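// Client-side TGT login flow (uid already known): obtains the AS reply and the TGT.
/// <summary>
/// Creates a client for <paramref name="uid"/> and immediately requests the AS reply and TGT
/// through the asServer field (declared elsewhere in this class).
/// </summary>
/// <param name="uid">Identifier passed to the AS.</param>
public Client(string uid)
{
    this.Uid = uid;
    // The TGT arrives through the out parameter. The original also allocated a throwaway
    // new TGTicket(uid) into the same field first, which this call overwrote at once.
    this.kerbAsResponse = asServer.CreateKerbAsResp(uid, out tgTicket);
}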