| 摘要 |
The application aims to solve the problem of the prior art Kerberos authentication protocol when a service to fulfill a clients request is not known in advance. Disclosed is a method, apparatus and computer program for secure user authentication in a network having a dynamic set of services Di..Dn. The method comprises a client C authenticating with an edge service S; and a client C generating a query key KQ. It further comprises the edge service S issuing a request to the dynamic set of services Di ..Dn the request comprising (i) an identifier associated with the client C, the identifier being encrypted with a query key KQ, (ii) a private portion Rpriv of the request being encrypted with a query key KQ and (iii) a public portion Rpub, of the request. One or more of said dynamic set of services Di..Dn, having ascertained from said public portion Rpub, of the request that it is able to respond to the request, responds to the edge service S with (i) an identifier Dx, associated with the one or more of said dynamic set of services Di..Dn and (ii) the identifier associated with the client C, this identifier being encrypted with the query key KQ. The edge service S authenticates with the one or more of said dynamic set of services Di..D„, that is able to respond to the request, including generating a session key KS,Dx and the edge service S sends the query key KQ to said one or more of said dynamic set of services Di..Dn encrypted using a session key KS,Dx. |
