Re: application layer cross checking
Ramin Alidousti writes:
> Take ssh for instance. It guarantees the secure communication
> channel. It also passes the userid/username to the other end.
> But it does not mean that the sshd on the other end says:
> "Oh, Mr XYZ, I believe who you are and the doors are wide
> open. Please do come in".
Not at all. As with Kerberos, if you pass the credentials
to the other side and key those packets under that session
key, it doesn't matter whether you send your username...
Unless the application stupidly believes that username
when cryptographically provable credentials were available.
> As I said before, even if the OS passes the user information,
> the other end NEEDS to challenge that id.
Challenge it in what way? If it's been cryptographically
challenged at the IPsec layer, all I need to do
is do a strcmp to see if it matches the credentials it's
using at the application layer. That assumes a 1:1
mapping, but that's likely to be just fine for many
applications.
> Application level
> authentication is not the same as AH/ESP authentication
> (as it stands).
It's not necessarily the same, but it may be the same.
When it is, it relieves the application of having to
deal with identity -- which just about nothing gets
right. Also: I don't think this is any more of a layer violation
than passing up the IP address, etc, in recvfrom().
Mike
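As an added illustration of the cross-check Mike describes (example code, not from the thread or from any ssh or IPsec implementation): the application treats the transmitted username as a claim and accepts it only when it matches the local account mapped 1:1 to the identity the IPsec layer authenticated. The peer identity is assumed to be handed to the application by the IPsec layer for the SA that carried the request (how that is obtained is platform specific and not shown); the mapping table and identities are constructed.

```c
/* Added example, not from the thread. Cross-checking the application-layer
 * username against the identity the IPsec layer already authenticated.
 * ASSUMPTION: the caller obtains peer_id from the IPsec/IKE layer for the SA
 * that carried the request; that retrieval is platform specific and omitted. */
#include <stdio.h>
#include <string.h>

/* Constructed 1:1 mapping from authenticated IPsec peer identity to the
 * local account that identity is permitted to act as. */
struct id_map { const char *peer_id; const char *local_user; };
static const struct id_map ID_MAP[] = {
    { "alice@example.org", "alice" },
    { "bob@example.org",   "bob"   },
};

/* Weak pattern the thread warns against: believing the username carried in
 * the application protocol even though stronger credentials were available. */
int authorize_trusting(const char *claimed_user) {
    return claimed_user != NULL && claimed_user[0] != '\0';
}

/* Cross-checked pattern: the claimed username is only a hint. It is accepted
 * only if it equals the local user bound to the cryptographically verified
 * peer_id. Returns 1 to allow, 0 to deny (unknown peer, or mismatch). */
int authorize_crosschecked(const char *peer_id, const char *claimed_user) {
    if (peer_id == NULL || claimed_user == NULL) return 0;
    for (size_t i = 0; i < sizeof ID_MAP / sizeof ID_MAP[0]; i++) {
        if (strcmp(ID_MAP[i].peer_id, peer_id) == 0)
            return strcmp(ID_MAP[i].local_user, claimed_user) == 0;
    }
    return 0; /* no mapping: the SA's identity corresponds to no local account */
}

int main(void) {
    /* A peer whose SA authenticated as bob claims to be alice. */
    printf("trusting:     %d\n", authorize_trusting("alice"));                          /* 1 */
    printf("crosschecked: %d\n", authorize_crosschecked("bob@example.org", "alice"));   /* 0 */
    printf("crosschecked: %d\n", authorize_crosschecked("alice@example.org", "alice")); /* 1 */
    return 0;
}
```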