
Re: application layer cross checking



Ramin Alidousti writes:
 > Take ssh for instance. It guarantees the secure communication
 > channel. It also passes the userid/username to the other end.
 > But it does not mean that the sshd on the other end says:
 > "Oh, Mr XYZ, I believe who you are and the doors are wide
 > open. Please do come in".

   Not at all. As with Kerberos, if you pass the credentials
   to the other side and key those packets under that session
   key, it doesn't matter whether you send your username...
   Unless the application stupidly believes that username
   when cryptographically provable credentials were available.

 > As I said before, even if the OS passes the user information,
 > the other end NEEDS to challenge that id. 

   Challenge it in what way? If it's been cryptographically
   challenged at the IPsec layer, all I need to do
   is a strcmp to see if it matches the credentials it's
   using at the application layer. That assumes a 1:1
   mapping, but that's likely to be just fine for many
   applications.

 > Application level
 > authentication is not the same as AH/ESP authentication
 > (as it stands).

   It's not necessarily the same, but it may be the same.
   When it is, it relieves the application of having to
   deal with identity -- which just about nothing gets
   right. Also: I don't think this is any more of a layer violation
   than passing up the IP address, etc., in recvfrom().

      Mike
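The cross-check Mike describes, as an added example that is not part of this thread: the IPsec-layer identity is modelled as a hypothetical field handed up with the datagram (there is no such field in real recvfrom(); the struct, the "user=" payload format and the sample messages are all constructed here), and the naive policy that believes the payload's username is shown beside the one that requires it to match the SA's proven identity under a 1:1 mapping.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical: what a recvfrom()-like call would hand up with the datagram
 * once the IPsec layer has authenticated the peer. ipsec_id is the identity
 * bound to the SA that authenticated the packet, "" if there was no SA. */
struct auth_msg {
    const char *ipsec_id;   /* identity proven at the IPsec layer, "" if none */
    const char *payload;    /* constructed app format: "user=<name>;<command>" */
};

/* Pull the username the application-layer message *claims*. */
static int claimed_user(const char *payload, char *out, size_t outlen)
{
    if (strncmp(payload, "user=", 5) != 0) return -1;
    const char *start = payload + 5;
    const char *end = strchr(start, ';');
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* The policy the thread calls "stupid": believe whatever username is in
 * the payload. Anyone with a valid SA (or none) can claim to be anyone. */
int accept_naive(const struct auth_msg *m)
{
    char user[64];
    return claimed_user(m->payload, user, sizeof user) == 0;
}

/* The cross-check: there must be an IPsec-authenticated identity, and the
 * claimed username must be that same string (1:1 mapping, i.e. strcmp). */
int accept_crosschecked(const struct auth_msg *m)
{
    char user[64];
    if (m->ipsec_id == NULL || m->ipsec_id[0] == '\0') return 0; /* no SA */
    if (claimed_user(m->payload, user, sizeof user) != 0) return 0;
    return strcmp(user, m->ipsec_id) == 0;
}

int main(void)
{
    struct auth_msg spoof = { "mallory", "user=alice;list" }; /* constructed */
    printf("naive: %d  cross-checked: %d\n",
           accept_naive(&spoof), accept_crosschecked(&spoof));
    return 0;
}
```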

