-
1. Re: Remoting 3 Security
dmlloyd Jul 5, 2007 12:56 PM (in response to dmlloyd)One other thing - from what I can see, the only way to allow a client to authenticate a server (or, to have two peers authenticate each other) with SASL is to have both an SASLClient and an SASLServer on both sides of the connection... this means that each chunk has to be processed twice. I'm not sure that SASL is appropriate for this application.
-
2. Re: Remoting 3 Security
anil.saldhana Jul 5, 2007 1:03 PM (in response to dmlloyd)1) SSL/TLS should be available on the transport as a choice and not default.
2) I am interested in encryption provided as an option when the ssl setup is not acceptable and/or user just needs to avoid man-in-the-middle attacks. An issue with encryption is symmetric key management. This is where SRP is interesting. One end does userid/pwd. The server does prime numbers. They interact and agree on a session key.
3) SRP can be done as a JCA provider for GSS. As far as I know, SASL does challenge/response. So SRP should fit in pretty easily. There is code already written by Scott (probably in the varia module) that can be adapted.
4) An interesting thing that I have noted (but not dealt into deeply) is when the client seeks a stub/proxy from the server, the server can send in SASL chunks to the client to avoid 1 round trip. This is the PUSH on the initial proxy seek. -
3. Re: Remoting 3 Security
dmlloyd Jul 5, 2007 1:13 PM (in response to dmlloyd)"anil.saldhana@jboss.com" wrote:
1) SSL/TLS should be available on the transport as a choice and not default.
Yes, this is what I intended to say."anil.saldhana@jboss.com" wrote:
2) I am interested in encryption provided as an option when the ssl setup is not acceptable and/or user just needs to avoid man-in-the-middle attacks. An issue with encryption is symmetric key management. This is where SRP is interesting. One end does userid/pwd. The server does prime numbers. They interact and agree on a session key.
3) SRP can be done as a JCA provider for GSS. As far as I know, SASL does challenge/response. So SRP should fit in pretty easily. There is code already written by Scott (probably in the varia module) that can be adapted.
OK, so an SASL marshaller would cover this. My understanding is clearer. Thanks for the feedback. -
4. Re: Remoting 3 Security
anil.saldhana Jul 5, 2007 1:21 PM (in response to dmlloyd)Cool. An additional note that I just want to place here for archival purpose is that this discussion has been around securing the transport layer only and use of SASL for that.
For JBoss Security in general, SASL can be between the client security interceptors and the server security interceptors.
http://jira.jboss.com/jira/browse/SECURITY-46
So these two areas are separate. -
5. Re: Remoting 3 Security
anil.saldhana Jul 6, 2007 10:56 AM (in response to dmlloyd)I may get to the JSR-196 implementation next month. We should certainly use JSR-196 to externalize authentication modules at either end of the transport. I will get back to you on this once I finish the implementation.