Coda File System

Re: server authenticity

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Mon, 5 Aug 2002 13:40:18 -0400

On Sat, Aug 03, 2002 at 12:34:50PM +0200, Ivan Popov wrote:
> With authenticated access it is possible (unsure how much of it is
> really done?) to check that the fileserver is who it pretends to be, as
> authserver could prove that it knows the user password.

The authserver has to prove it knows the user password. The basic
handshake is as follows.

 clog sends the user-id.
 auth2 sends back a random session key scrambled with the known user password.
 clog uses the password the user typed to unscramble the session key.
 clog and auth2 then use this session key for the rest of the
 communication.
 - if the password was wrong, or the auth2 server spoofed, the session
   key on both ends is incorrect and the rest of the communication fails.
 - this handshake is a modified Needham-Schroeder handshake which should
   be able to resist both man in the middle and replay attacks.

 auth2 then hands the user a token which is scrambled with the auth2.tk
 key, and a cleartext secret key (which should be hidden by the secure
 rpc2 connection).
 The client cannot do anything with this except pass it on to the
 server when setting up the rpc2 connections.
 The server has access to the same auth2.tk and can thus unscramble the
 contents of the token, get both the user identity, token lifetime and
 the secret key.
 This secret key is then used the same way as the original password to
 obtain the actual session key for the secure rpc2 connection.
 - If the server was spoofed, it can't get the secret key. A snooped
   secret token cannot be used by another client to set up a secure
   connection, etc.

So basically, except for the fact that we use XOR scrambling (ouch) the
whole client-server key exchange should be pretty robust and safe.

> For anonymous access a client should know something about a server except
> its ip number.

Correct, there is no way to validate the identity of the server when
connecting without a token. What would be nice is if there was a way to
'clog' as an anonymous user to get the proof that a server is not
spoofed. But then the auth2 server has to know a 'shared secret' for
unknown users to build the initial secure RPC2 connection. Because clog
is not used that often, the more expensive public/private key exchange
could work.

> It becomes hard while serving clients that I cannot maintain
> accounts/shared secrets for. Nevertheless they need to know that my server
> is not spoofed!

Well, in a way we currently rely on replies from the DNS servers to
locate a realm. So we should at some point use DNSSEC, and then we can
distribute public keys as well as location service.

Jan
Received on 2002-08-05 13:47:16
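
A simplified model of the two exchanges described in the message above (clog with auth2, then client with file server), added here as an example; it is not Coda or RPC2 code. The function names, the password-to-key derivation, the token layout and the MAC check standing in for "the rest of the communication" are assumptions, and all values are constructed.

```python
import hashlib, hmac, os, struct

def xor(data, key):
    # XOR scrambling, the primitive the message itself flags as weak
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def key_from(password):
    # Assumption: 16-byte key derived from the password (the page does not say how)
    return hashlib.sha256(password.encode()).digest()[:16]

def handshake(initiator_secret, responder_secret):
    """Responder scrambles a random session key; initiator unscrambles it.
    Returns (initiator_key, responder_key), equal only if the secrets match."""
    session = os.urandom(16)
    on_wire = xor(session, responder_secret)
    return xor(on_wire, initiator_secret), session

def channel_works(k_a, k_b, msg=b"ping"):
    # Assumption: models "the rest of the communication fails" as a MAC mismatch
    tag = hmac.new(k_a, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, hmac.new(k_b, msg, hashlib.sha256).digest())

def issue_token(auth2_tk, uid, lifetime, secret):
    # auth2 side: identity, lifetime and secret key scrambled with auth2.tk
    return xor(struct.pack(">II16s", uid, lifetime, secret), auth2_tk)

def open_token(tk, token):
    # file server side: only a holder of the same auth2.tk recovers the fields
    return struct.unpack(">II16s", xor(token, tk))

def demo():
    out, stored = {}, key_from("correct horse")  # constructed password
    for label, typed in (("good_password", "correct horse"), ("bad_password", "wrong")):
        out[label] = channel_works(*handshake(key_from(typed), stored))
    # spoofed auth2 does not know the password
    out["spoofed_auth2"] = channel_works(*handshake(stored, os.urandom(16)))
    auth2_tk, secret = os.urandom(16), os.urandom(16)
    token = issue_token(auth2_tk, 1001, 90000, secret)  # constructed uid/lifetime
    for label, tk in (("real_server", auth2_tk), ("spoofed_server", os.urandom(16))):
        _, _, recovered = open_token(tk, token)
        # the secret key now plays the role the password played with auth2
        out[label] = channel_works(*handshake(secret, recovered))
    return out

if __name__ == "__main__":
    print(demo())
```

In this model the session keys agree only for the correct password and for a server holding the same auth2.tk; in every other case the two ends derive different keys and the channel check fails.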