Hi Tom,

In a recent codalist message, you asked:

> If I understand correctly, Coda security is currently completely (and securely)
> implemented, except for the single quirk that only the RPC2_XOR encryption
> method is available. Correct? Am I right to think that it's just a matter of
> adding DES en-/decryption support to ...rpc2/rpc2-src/secure.c (and, possibly,
> other methods along with new constants in ...rpc2/include/rpc2/rpc2.h), and
> there will be support for proper security on the wire? It seems, though, that
> Coda will not use it, as the RPC2_OPENKIMONO and RPC2_XOR values are explicitly
> coded into the Coda source. Should changing these to RPC2_SECURE and RPC2_DES
> (or some other encryption scheme) be expected to work?

That will get you a long way, but not all the way. For one, the bulk transfer (SFTP) data is not encrypted, so that code needs to be added. Also, some kind of checksum on packets is needed to ensure integrity. These are the 3 "biggies".

Beyond that point, there are many corner cases that need to be identified and addressed. For example, the behavior of disconnected clients with expired tokens. The system currently incorporates a certain behavior. Whether this is "correct" behavior needs to be revisited. Similarly for cases such as multiple users at one client, etc. Also whether one should rely on Coda's own auth2 authentication server (very old, pre-Kerberos), or just completely replace it with Kerberos or something else. I'm sure we'll stumble across plenty of other small things as well.

Not all of these changes need to happen at once. The most critical are the 3 biggies above. These will require a wire protocol upgrade, so they are not upward compatible and will need to happen together to minimize disruption. That will get Coda much closer to a secure system, and then incremental improvements can be done to close the remaining vulnerabilities.

Here is a message that I sent to codalist some years ago clarifying the status of Coda security. A lot of it is still relevant:

http://www.coda.cs.cmu.edu/maillists/codalist/codalist-1999/1941.html

Some things mentioned in the message (like multiple Coda realms/cells) have happened. Others still need to be done. Both Peter Braam and Robert Watson, who were working on security at that time, have long left the Coda project. So no major effort has been put into security since roughly 1999.

In the past year, many people (most notably Greg Troxel, Ivan Popov, Mark Phalan, and yourself) have focused attention again on Coda security. Perhaps it is time for a group effort to move this aspect of Coda forward? Jan cannot do it all (amazing as he is :-)). If enough people are interested and willing to contribute their time, we can work out the details of collaboration offline. Just drop Jan and me a note indicating your interest/willingness.

For completeness, here is a paper on the AFS-2 security model, on which Coda security is based. Good background reading that gives much of the concepts and rationale for Coda security. Just change all occurrences of "AFS" to "Coda" in the paper, and almost all of what it says still applies (a scary thought for a paper that is 15 years old!):

"Integrating Security in a Large Distributed System"
Satyanarayanan, M., ACM Transactions on Computer Systems, Vol 7, No. 3, August 1989

Cheers
-- Satya

Received on 2004-04-28 11:57:20
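Editor's note, not part of the message above: the reply says that swapping in a stronger cipher is not enough, because packets also need an integrity check and the SFTP bulk data needs the same protection. The following constructed example (added here; it is not Coda or RPC2 code, and it does not model how RPC2_XOR is actually implemented in secure.c) shows the two failures a practitioner should expect from an XOR-style transform with no MAC: an on-path attacker can rewrite a field without the key, and a few bytes of known plaintext recover a short repeating key. It then shows encrypt-then-MAC over the same toy packet, which is the "checksum on packets" the message calls for. The packet layout, opcode numbers, path strings and key lengths are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed opcode numbers for the toy packet format (not RPC2's real opcodes).
OP_READ = 1
OP_REMOVE = 2
TAG_LEN = 32  # HMAC-SHA256 output length


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. Symmetric: the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_packet(opcode: int, payload: bytes) -> bytes:
    """Toy wire format (assumed): 4-byte big-endian opcode, then the payload."""
    return opcode.to_bytes(4, "big") + payload


def decode_packet(pkt: bytes):
    return int.from_bytes(pkt[:4], "big"), pkt[4:]


def flip_opcode(ciphertext: bytes, old_opcode: int, new_opcode: int) -> bytes:
    """On-path attacker: turn old_opcode into new_opcode without the key.
    XOR-ing the ciphertext with (old ^ new) XORs the plaintext with the same
    delta. This works against any XOR/stream-style cipher, not just a repeating key."""
    delta = (old_opcode ^ new_opcode).to_bytes(4, "big")
    return bytes(c ^ d for c, d in zip(ciphertext[:4], delta)) + ciphertext[4:]


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack on a repeating XOR key: key_len bytes of known
    plaintext (a fixed header, a well-known path prefix) give the whole key."""
    assert len(known_prefix) >= key_len
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def seal(pkt: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the ciphertext, so tampering is detected
    before anything is decrypted or acted on. The same wrapping would have to
    cover bulk (SFTP-style) data, not only the RPC packets."""
    ct = xor_keystream(pkt, enc_key)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("integrity check failed: packet was modified in transit")
    return xor_keystream(ct, enc_key)


def tamper_unprotected(enc_key: bytes) -> int:
    """Encryption only: returns the opcode the receiver acts on after tampering."""
    ct = xor_keystream(encode_packet(OP_READ, b"/coda/usr/tom/notes"), enc_key)
    tampered = flip_opcode(ct, OP_READ, OP_REMOVE)
    opcode, _ = decode_packet(xor_keystream(tampered, enc_key))
    return opcode  # OP_REMOVE: the receiver sees a valid-looking REMOVE


def tamper_protected(enc_key: bytes, mac_key: bytes) -> bool:
    """Encryption plus MAC: returns True if the same tampering is detected."""
    blob = seal(encode_packet(OP_READ, b"/coda/usr/tom/notes"), enc_key, mac_key)
    tampered = flip_opcode(blob, OP_READ, OP_REMOVE)  # tag no longer matches
    try:
        open_sealed(tampered, enc_key, mac_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(8), os.urandom(32)
    print("opcode seen after tampering, encryption only:", tamper_unprotected(enc_key))
    print("tampering detected with MAC:", tamper_protected(enc_key, mac_key))
    ct = xor_keystream(encode_packet(OP_READ, b"/coda/usr/tom/notes"), enc_key)
    known = encode_packet(OP_READ, b"/cod")  # header plus a guessable path prefix
    print("8-byte key recovered from known plaintext:", recover_key(ct, known, 8) == enc_key)
```

The bit-flip in flip_opcode does not depend on the XOR transform being weak; replacing it with a real cipher in a stream or counter mode leaves the same malleability, which is why the integrity check is a separate requirement from the choice of cipher. The known-plaintext key recovery, by contrast, is specific to a short repeating key and is the reason an XOR transform cannot count as confidentiality at all.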