Posted by on April 14, 2006, 2:16 pm
Introduction:
I'm working on a commercial product which was ported from
win32 to GNU/Linux. While doing so we have used TCP/IP
sockets instead of Named Pipes for IPC. By doing so
we've lost the big advantage of having DACLs set on the
named pipes that prevent unauthorized access to the
services.
Now I'm trying to recreate that with the tcp sockets version.
Because of the performance hit we can't use TLS which
checks client+server certificates for preventing MITM.
After evaluating the possibilities I've come to the conclusion
that SRP-6 could be a possible solution.
What I'm trying to find out is:
* is SRP-6 really MITM proof?
* how do I prevent using SRP-Z mode, which requires royalties?
* are there any better implementations than Tom Wu's default
  one, which when fed to modern compilers like VC8 requires
  too much massaging to be compilable and warning-free? I've
  not even tried gcc-4.x yet.
* is it legal to use libsrp with the embedded 1996 copy of
  getopt.[c,h], which says it is licensed under the
  "GNU Library General Public License"? Actually I'm
  not sure (I'll assume this is LGPL) this is legal, as LGPL
  defines linking against the lib only AFAIK.
* what other options do I have to implement secure
  authentication (secret not visible on wire) without encrypting
  the channel?
PS: I may cross-post this initial message in the same/similar form
to other groups/lists to get broad feedback. Sorry if this
list/group was not the right place to ask (I tried to select
the right lists/groups).
Posted by Scott W Gifford on April 14, 2006, 4:16 pm
gmu2006@gmail.com writes:
> Introduction:
> I'm working on a commercial product which was ported from
> win32 to GNU/Linux. While doing so we have used TCP/IP
> sockets instead of Named Pipes for IPC. By doing so
> we've lost the big advantage of having DACLs set on the
> named pipes that prevent unauthorized access to the
> services.
If you use Unix domain sockets instead of TCP/IP, you can use standard
filesystem permissions to protect them.
Not sure about SRP6. :)
----Scott.
Posted by on April 14, 2006, 5:42 pm
It's not machine-local only, it's also used network-wide.