
Re: Granularity of authentication in swIPe




Marcus J Ranum says:
> 	swIPe isn't going to be able to solve the problem of
> distributing trust between networks -- in other words, if host "alice"
> has yet another sendmail hole that lets anyone on "alice" become
> root, then you can't really trust that "mjr@alice" is in fact "mjr" --
> it could be anyone. One might attempt to address this by pushing one's
> authentication up into the application layer, and doing encrypted
> application-to-application communication (something I think there
> is a place for) which would possibly be more resistant to spoofing
> userids -- but the problem remains that someone who is smart/motivated
> enough to swipe a live TCP connection is also smart/motivated enough
> to steal a connected tty/pty session.

Marcus' point is sufficiently important that I feel that I must
re-emphasize it. Nothing is perfectly secure. Things are only
reasonably secure with respect to a given threat model. If one's
threat model includes "the enemy has root on both the local and remote
host" nothing will help you, period.

The purpose of swIPe is to give you the capacity to allow trusted
hosts to communicate over untrusted internets. Given untrusted hosts,
you lose. Now, it's possible to rig things to make sure that given a
partially trusted host a user can authenticate himself -- this is the
kerberos model, and kerberos style authentication systems will
doubtless be layered on top of swIPe. (Someone at Usenix was in fact
proposing to use kerberos itself, btw.) However, such authentication
systems can never be perfect. If the bad guy owns the kernel on the
machine, all you will know is that the victim gave his secret
information to the machine at some point -- not whether you are
actually talking to them or not.

> 	All that being said, I think there are very good uses to
> which tools like swIPe can be put. First and foremost, we need
> something we can experiment with, to see how some of the problems
> I've described above actually *work* in real life. After all, if
> we sit back and try to design the perfect be-all-end-all system,
> we might overlook something we'd have discovered if we had a
> chance to actually experiment with (and improve on) things like
> swIPe. That is, unless I'm mistaken, The Internet Way.

I couldn't have said it better myself.

Perry

