geronimo-dev mailing list archives

From "hbaxmann" <hol...@bitwind.org>
Subject Re: Re: Security configuration
Date Wed, 02 Jun 2004 06:27:19 GMT
Dear Edward,

I apologize if I sound injurious or like a jackanapes. I could not bite my
tongue, because at least it is not mine. I have a German native one and here
I _try_ to write English. There are shortcomings.

As I stated as a precondition: in a theoretical manner, SRP is a pretty good
thing.

The first attacks against security are attacks against the policies, on the
social level - nothing to do with technical aspects. Passwords in general are,
in this non-technical view, useless. This is proven. They fake a kind of
we-finished-because-we-have-strong-passwords mentality. This _mentality_ is
the first point of attack and the insensitivity of policies. This is clearly
not addressed by SRP. It is as good as the policies are. Ask your grandma and
give her an RSA key ;-)

I am reading and writing here to make a better product as a whole, in its
surrounding context, not to injure someone or to surf the philosophical
flame war wave. Or to build JBoss again.

IMHO, controversial ideas are the first step toward new ones.

And yes, I am wrong on the technical aspects of SRP - if I do not leave the
inertial system of passwords. There, SRP is, besides the one-time password
policy, the best and strongest mechanism. But a mechanism only.

sorry again

bax

> -----Original Message-----
> From: Edward Flick [mailto:directrix1@yahoo.com]
> Sent: Tuesday, 1 June 2004 23:19
> To: dev@geronimo.apache.org
> Subject: Re: Re: Security configuration
> 
> 
> --- hbaxmann <holger@bitwind.org> wrote:
> > > > > > is not particularly secure and I would prefer to have a more robust
> > > > > > solution (say with encrypted passwords ;-) ) but it works for now.
> > > > > >
> > > > > 
> > > > > <sarcasm>
> > > > > Why not via SRP ?
> > > > > </sarcasm>
> > > > > 
> > > > > sorry, could not resist
> > > > 
> > > > Interesting, how would this fit into Geronimo to provide the general
> > > > JAAS login mechanisms to obtain subjects?
> > > > 
> > > 
> > > You are asking seriously?
> > > 
> > > http://srp.stanford.edu/
> > > 
> > > Then in all aspects. There are many LoginModules available with SRP.
> > > 
> > > But, unfortunately, it is useless.
> Strong words there.  Bite your tongue.
> 
> > > Because secure passwords simply do not exist:
> > > 
> > > http://fiatlux.zeitform.info/en/instructions/passwords.html
> > > 
> > > Theoretically and from an academic point of view, and only there: it
> > > provides security to a secure token (the password) on the wire - but
> > > nowhere else.
> Wrong, it hashes the password on the server side, but
> granted given failed physical security a dictionary
> attack could potentially get at it.  But this is true
> for any authentication mechanism I know of.
> 
> > > Nobody, nobody will try to exploit your delivery of PASSWORDS on the
> > > wire.
> 
> Just from personal experience, I can tell you that
> what you say is false.  You are assuming things
> outside of your domain of knowledge, and then trying
> to convince others of your viewpoint.  Stop it.  You
> are causing harm.
> If a potential hacker has access to your network, or
> is an employee or something, running a packet sniffer
> can be trivial.  If a tool is available to crack
> passwords using certain protocols it becomes even more
> trivial, to hack your box.
> Allowing security, such as challenge and response or
> something similar, just because passwords are
> inherently weak anyways is a very bad idea.  Either
> seal up any holes you can, or just send out invites to
> hack your new weakly authenticated server.
> Also, although SRP is not a 3-party authentication
> system, it can still be centrally managed and
> distributed, with a little bit of common sense.  And
> it does not suffer from the weaknesses (talking line
> level again here) of 3-party Kerberos.
> Furthermore, using SRP doesn't just authenticate the
> user, it:
> * ensures you are connecting to the intended party (authentication cannot
>   succeed if trying to authenticate against the wrong machine)
> * prevents man-in-the-middle attacks
> * prevents offline dictionary attacks
> * provides a shared secret as a byproduct of successful authentication
>   which can be used to symmetrically encrypt further communications.
> 
> > > You need five points to not make the non-existing security of passwords
> > > worth even less:
> > > 
> > > Don't tell anyone your password.
> > > Don't write your password down anywhere.
> > > When you decide on a password, make sure it can't be guessed.
> > > If you think there's even a chance someone else might know your
> > > password, change it.
> > > Make sure no one is standing near you when you enter your password.
> > > From the point of view of real security: passwords do not have a
> > > security aspect.
> Every little bit helps, good tips but having secure
> transmission of passwords is a very good idea too. 
> Your points are just policy.
> 
> > > 
> > > These points all depend exclusively on human interaction. The algorithm
> > > has zero chance.
> Why don't you try investigating SRP a little better. 
> Sure you can still do a dictionary attack over the
> network, but it is orders of magnitudes slower, and
> there are methods of throttling auth attempts so that
> it could be pretty much pointless to try.
> 
> > > 
> > > So the SRP implementations are a marketecture thingy, even worse because
> > > they are a feint of security.
> Given proper selection of user names and passwords,
> SRP would be very nice to use, indeed.  It's just
> another component of a properly secured system.  Oh
> yeah, and JBoss apparently thinks SRP is a good idea
> too, as they have a SRPLoginModule.
> I just don't quite understand your reasoning behind
> discouraging this.  Also, you can't exactly use your
> articles as a point of reference as they just talk
> about policy also.
> 
> Edward Flick
> 
> 
> 
> 
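The SRP properties Edward lists above (the server keeps a verifier rather than the password, a sniffed exchange gives no offline dictionary attack, a shared session key falls out of a successful login) worked through as an added example; this is not code from the thread, from Geronimo, from JBoss's SRPLoginModule or from the Stanford SRP distribution. It assumes the 1024-bit group from RFC 5054 Appendix A with g = 2, SHA-256 as the hash, and simplified key-confirmation messages M1 = H(A | B | K) and M2 = H(A | M1 | K) in place of the RFC 2945 forms; the user name, passwords and guess list are constructed sample input.

```python
"""SRP-6a handshake worked end to end (client and server in one process).

Added example, not code from Geronimo, JBoss or the Stanford SRP
distribution. Assumptions: the 1024-bit group from RFC 5054 Appendix A
(g = 2), SHA-256 as the hash, and simplified key-confirmation messages
M1 = H(A | B | K) and M2 = H(A | M1 | K) instead of the RFC 2945 forms.
"""
import hashlib
import secrets

N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    """Left-pad an integer to the length of N, as RFC 5054 requires."""
    return x.to_bytes(N_BYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier, fixed by the group


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(s | H(I ":" P)); after enrollment only the client computes this."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str):
    """Enrollment: the server stores (salt, verifier v = g^x), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


def srp_session(username: str, password: str, salt: bytes, v: int):
    """One handshake. Returns (client_proof_ok, server_proof_ok, K_client, K_server).

    password is what the client typed; (salt, v) is what the server stored.
    A, B, M1 and M2 are all that crosses the wire.
    """
    a = secrets.randbits(256)
    A = pow(g, a, N)                    # client -> server: I, A
    if A % N == 0:                      # server check: A == 0 would let anyone in
        raise ValueError("rejecting A == 0 mod N")
    b = secrets.randbits(256)
    B = (k * v + pow(g, b, N)) % N      # server -> client: s, B
    if B % N == 0:                      # client check, symmetric to the one above
        raise ValueError("rejecting B == 0 mod N")
    u = H(pad(A), pad(B))               # scrambling parameter binds both ephemerals
    if u == 0:
        raise ValueError("rejecting u == 0")
    # client: S = (B - k*g^x)^(a + u*x); needs the password, not the verifier
    x = private_x(salt, username, password)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = hashlib.sha256(pad(S_client)).digest()
    # server: S = (A * v^u)^b; needs the verifier, not the password
    S_server = pow(A * pow(v, u, N) % N, b, N)
    K_server = hashlib.sha256(pad(S_server)).digest()
    # client -> server: M1 proves the client derived K (hence knew the password)
    M1 = hashlib.sha256(pad(A) + pad(B) + K_client).digest()
    client_ok = secrets.compare_digest(
        M1, hashlib.sha256(pad(A) + pad(B) + K_server).digest())
    server_ok = False
    if client_ok:                       # server -> client: M2 proves it held v
        M2 = hashlib.sha256(pad(A) + M1 + K_server).digest()
        server_ok = secrets.compare_digest(
            M2, hashlib.sha256(pad(A) + M1 + K_client).digest())
    return client_ok, server_ok, K_client, K_server


def offline_guess(salt: bytes, v: int, username: str, candidates):
    """Dictionary attack that works only once the verifier has been stolen.

    One exponentiation per guess; a sniffed transcript alone gives no such
    oracle, so the same guessing over the network is rate-limited by the server.
    """
    for guess in candidates:
        if pow(g, private_x(salt, username, guess), N) == v:
            return guess
    return None


if __name__ == "__main__":
    salt, v = enroll("alice", "correct horse battery staple")  # constructed input
    print("right password:", srp_session("alice", "correct horse battery staple", salt, v)[:2])
    print("wrong password:", srp_session("alice", "hunter2", salt, v)[:2])
    print("stolen verifier:", offline_guess(salt, v, "alice", ["hunter2", "correct horse battery staple"]))
```

The wrong-password run fails at M1 without the server ever having seen the password, and the two sides' K values differ, which is what makes the "shared secret as a byproduct" usable as a session key only after mutual proof. offline_guess is Edward's caveat in code: with the stored (salt, v) in hand an attacker tests guesses locally, so the verifier file still needs the same protection as a password hash file; what SRP removes is the ability to mount that attack from the wire.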

