summaryrefslogtreecommitdiffstats
path: root/lib/librpc/secure_rpc/doc
diff options
context:
space:
mode:
Diffstat (limited to 'lib/librpc/secure_rpc/doc')
-rw-r--r--lib/librpc/secure_rpc/doc/Makefile40
-rw-r--r--lib/librpc/secure_rpc/doc/nfs.secure.ms934
2 files changed, 974 insertions, 0 deletions
diff --git a/lib/librpc/secure_rpc/doc/Makefile b/lib/librpc/secure_rpc/doc/Makefile
new file mode 100644
index 0000000..3cfbe9e
--- /dev/null
+++ b/lib/librpc/secure_rpc/doc/Makefile
@@ -0,0 +1,40 @@
+#
+# @(#)Makefile 2.1 88/08/10 4.0 RPCSRC
+#
+#
+TROFF= ditroff
+TOPTS= -t
+NROFF= nroff
+NOPTS=
+PIC= pic
+TBL= tbl
+EQN= eqn
+
+SRC= nfs.secure.ms
+
+all default: all.nroff
+
+install: all.nroff
+ @echo "Nothing installed."
+
+all.nroff: ${SRC}
+ ${TBL} ${SRC} | ${EQN} | ${NROFF} ${NOPTS} -ms >all.nroff
+
+all.troff: ${SRC}
+ ${TBL} ${SRC} | ${PIC} | ${EQN} | ${TROFF} ${TOPTS} -ms >all.troff
+
+#
+
+nfs.secure.nroff: nfs.secure.ms
+ ${TBL} nfs.secure.ms | ${EQN} | ${NROFF} ${NOPTS} -ms >nfs.secure.nroff
+
+nfs.secure.troff: nfs.secure.ms
+ ${TBL} nfs.secure.ms|${PIC}|${EQN}| ${TROFF} ${TOPTS} -ms >nfs.secure.troff
+
+clean:
+ rm -f *.nroff *.troff
+
+spell: ${SRC}
+ @for i in ${SRC}; do \
+ echo $$i; spell $$i | sort | comm -23 - spell.ok > $$i.spell; \
+ done
diff --git a/lib/librpc/secure_rpc/doc/nfs.secure.ms b/lib/librpc/secure_rpc/doc/nfs.secure.ms
new file mode 100644
index 0000000..2476790
--- /dev/null
+++ b/lib/librpc/secure_rpc/doc/nfs.secure.ms
@@ -0,0 +1,934 @@
+.\" Must use -- pic tbl eqn -- with this one.
+.\"
+.\" @(#)nfs.secure.ms 2.2 88/08/09 4.0 RPCSRC
+.de BT
+.if \\n%=1 .tl ''- % -''
+..
+.ND
+.\" prevent excess underlining in nroff
+.if n .fp 2 R
+.OH 'Secure Networking''Page %'
+.EH 'Page %''Secure Networking'
+.if \\n%=1 .bp
+.EQ
+delim $$
+gsize 11
+.EN
+.SH
+\&Secure Networking
+.nr OF 1
+.IX "security" "of networks" "" "" PAGE START
+.IX "network security" "" "" "" PAGE START
+.IX "NFS security" "" "" "" PAGE START
+.LP
+RPCSRC 4.0 includes an authentication system
+that greatly improves the security of network environments.
+The system is general enough to be used by other
+.UX
+and non-UNIX systems.
+The system uses DES encryption and public key cryptography
+to authenticate both users and machines in the network.
+(DES stands for Data Encryption Standard.)
+.LP
+Public key cryptography is a cipher system that involves two keys:
+one public and the other private.
+The public key is published, while the private key is not;
+the private (or secret) key is used to encrypt and decrypt data.
+Sun's system differs from some other public key cryptography systems
+in that the public and secret keys are used to generate a common key,
+which is used in turn to create a DES key.
+DES is relatively fast,
+and on Sun Workstations,
+optional hardware is available to make it even faster.
+.#
+.NH 0
+\&Administering Secure RPC
+.IX "administering secure RPC"
+.IX "security" "RPC administration"
+.LP
+This section describes what the system administrator must do
+in order to use secure networking.
+.IP 1
+RPCSRC now includes the
+.I /etc/publickey
+.IX "etc/publickey" "" "\&\fI/etc/publickey\fP"
+database, which should contain three fields for each user:
+the user's netname, a public key, and an encrypted secret key.
+The corresponding Yellow Pages map is available to YP clients as
+.I publickey.byname
+but the database should reside only on the YP master. Make sure
+.I /etc/netid
+exists on the YP master server.
+As normally installed, the only user is
+.I nobody .
+This is convenient administratively,
+because users can establish their own public keys using
+.I chkey (1)
+.IX "chkey command" "" "\&\fIchkey\fP command"
+without administrator intervention.
+For even greater security,
+the administrator can establish public keys for everyone using
+.I newkey (8).
+.IX "newkey command" "" "\&\fInewkey\fP command"
+Note that the Yellow Pages take time to propagate a new map,
+so it's a good idea for users to run
+.I chkey ,
+or for the administrator to run
+.I newkey ,
+just before going home for the night.
+.IP 2
+Verify that the
+.I keyserv (8c)
+.IX "keyserv daemon" "" "\&\fIkeyserv\fP daemon"
+daemon was started by
+.I /etc/rc.local
+and is still running.
+This daemon performs public key encryption
+and stores the private key (encrypted, of course) in
+.I /etc/keystore :
+.DS
+% \fBps aux | grep keyserv\fP
+root 1354 0.0 4.1 128 296 p0 I Oct 15 0:13 keyserv
+.DE
+When users log in with
+.I login
+.IX "login command" "" "\&\fIlogin\fP command"
+or remote log in with
+.I rlogin ,
+these programs use the typed password to decrypt the secret key stored in
+.I /etc/publickey .
+This becomes the private key, and gets passed to the
+.I keyserv
+daemon.
+If users don't type a password for
+.I login
+or
+.I rlogin ,
+either because their password field is empty
+or because their machine is in the
+.I hosts\fR.\fPequiv
+.IX "etc/hosts.equiv" "" "\&\fI/etc/hosts.equiv\fP"
+file of the remote host,
+they can still place a private key in
+.I /etc/keystore
+by invoking the
+.I keylogin (1)
+.IX "keylogin command" "" "\&\fIkeylogin\fP command"
+program.
+Administrators should take care not to delete
+.I /etc/keystore
+and
+.I /etc/.rootkey
+(the latter file contains the private key for
+.I root ).
+.IP 3
+When you reinstall, move, or upgrade a machine, save
+.I /etc/keystore
+and
+.I /etc/.rootkey
+along with everything else you normally save.
+.LP
+.LP
+Note that if you
+.I login ,
+.I rlogin ,
+or
+.I telnet
+to another machine, are asked for your password, and type it correctly,
+you've given away access to your own account.
+This is because your secret key is now stored in
+.I /etc/keystore
+on that remote machine.
+This is only a concern if you don't trust the remote machine.
+If this is the case,
+don't ever log in to a remote machine if it asks for your password.
+Instead, use NFS to remote mount the files you're looking for.
+At this point there is no
+.I keylogout
+command, even though there should be.
+.LP
+The remainder of this chapter discusses the theory of secure networking,
+and is useful as a background for both users and administrators.
+.#
+.NH 1
+\&Security Shortcomings of NFS
+.IX "security" "shortcomings of NFS"
+.LP
+Sun's Remote Procedure Call (RPC) mechanism has proved to be a very
+powerful primitive for building network services.
+The most well-known of these services is the Network File System (NFS),
+a service that provides transparent file-sharing
+between heterogeneous machine architectures and operating systems.
+The NFS is not without its shortcomings, however.
+Currently, an NFS server authenticates a file request by authenticating the
+machine making the request, but not the user.
+On NFS-based filesystems, it is a simple matter of running
+.I su
+.IX "su command" "" "\&\fIsu\fP command"
+to impersonate the rightful owner of a file.
+But the security weaknesses of the NFS are nothing new.
+The familiar command
+.I rlogin
+is subject to exactly the same attacks as the NFS
+because it uses the same kind of authentication.
+.LP
+A common solution to network security problems
+is to leave the solution to each application.
+A far better solution is to put authentication at the RPC level.
+The result is a standard authentication system
+that covers all RPC-based applications,
+such as the NFS and the Yellow Pages (a name-lookup service).
+Our system allows the authentication of users as well as machines.
+The advantage of this is that it makes a network environment
+more like the older time-sharing environment.
+Users can log in on any machine,
+just as they could log in on any terminal.
+Their login password is their passport to network security.
+No knowledge of the underlying authentication system is required.
+Our goal was a system that is as secure and easy to use
+as a time-sharing system.
+.LP
+Several remarks are in order. Given
+.I root
+access and a good knowledge of network programming,
+anyone is capable of injecting arbitrary data into the network,
+and picking up any data from the network.
+However, on a local area network, no machine is capable of packet smashing \(en
+capturing packets before they reach their destination, changing the contents,
+then sending packets back on their original course \(en
+because packets reach all machines, including the server, at the same time.
+Packet smashing is possible on a gateway, though,
+so make sure you trust all gateways on the network.
+The most dangerous attacks are those involving the injection of data,
+such as impersonating a user by generating the right packets,
+or recording conversations and replaying them later.
+These attacks affect data integrity.
+Attacks involving passive eavesdropping \(en
+merely listening to network traffic without impersonating anybody \(en
+are not as dangerous, since data integrity had not been compromised.
+Users can protect the privacy of sensitive information
+by encrypting data that goes over the network.
+It's not easy to make sense of network traffic, anyway.
+.#
+.NH 1
+\&RPC Authentication
+.IX "RPC authentication"
+.IX "authentication" "RPC"
+.LP
+RPC is at the core of the new network security system.
+To understand the big picture,
+it's necessary to understand how authentication works in RPC.
+RPC's authentication is open-ended:
+a variety of authentication systems may be plugged into it
+and may coexist on the network.
+Currently, we have two: UNIX and DES.
+UNIX authentication is the older, weaker system;
+DES authentication is the new system discussed in this chapter.
+Two terms are important for any RPC authentication system:
+.I credentials
+and
+.I verifiers .
+Using ID badges as an example, the credential is what identifies a person:
+a name, address, birth date, etc.
+The verifier is the photo attached to the badge:
+you can be sure the badge has not been stolen by checking the photo
+on the badge against the person carrying it.
+In RPC, things are similar.
+The client process sends both a credential and a verifier
+to the server with each RPC request.
+The server sends back only a verifier,
+since the client already knows the server's credentials.
+.#
+.NH 2
+\&UNIX Authentication
+.IX "UNIX authentication"
+.IX "authentication" "UNIX"
+.LP
+UNIX authentication was used by most of Sun's original network services.
+The credentials contain the client's machine-name,
+.I uid ,
+.I gid ,
+and group-access-list.
+The verifier contains \fBnothing\fP!
+There are two problems with this system.
+The glaring problem is the empty verifier,
+which makes it easy to cook up the right credential using
+.I hostname
+.IX "hostname command" "" "\&\fIhostname\fP command"
+and
+.I su .
+.IX "su command" "" "\&\fIsu\fP command"
+If you trust all root users in the network, this is not really a problem.
+But many networks \(en especially at universities \(en are not this secure.
+The NFS tries to combat deficiencies in UNIX authentication
+by checking the source Internet address of
+.I mount
+requests as a verifier of the
+.I hostname
+field, and accepting requests only from privileged Internet ports.
+Still, it is not difficult to circumvent these measures,
+and NFS really has no way to verify the user-ID.
+.LP
+The other problem with UNIX authentication appears in the name UNIX.
+It is unrealistic to assume that all machines on a network
+will be UNIX machines.
+The NFS works with MS-DOS and VMS machines,
+but UNIX authentication breaks down when applied to them.
+For instance, MS-DOS doesn't even have a notion of different user IDs.
+.LP
+Given these shortcomings,
+it is clear what is needed in a new authentication system:
+operating system independent credentials, and secure verifiers.
+This is the essence of DES authentication discussed below.
+.#
+.NH 2
+\&DES Authentication
+.IX "DES authentication"
+.IX "authentication" "DES"
+.LP
+The security of DES authentication is based on
+a sender's ability to encrypt the current time,
+which the receiver can then decrypt and check against its own clock.
+The timestamp is encrypted with DES.
+Two things are necessary for this scheme to work:
+1) the two agents must agree on what the current time is, and
+2) the sender and receiver must be using the same encryption key.
+.LP
+If a network has time synchronization (Berkeley's TEMPO for example),
+then client/server time synchronization is performed automatically.
+However, if this is not available,
+timestamps can be computed using the server's time instead of network time.
+In order to do this, the client asks the server what time it is,
+before starting the RPC session,
+then computes the time difference between its own clock and the server's.
+This difference is used to offset the client's clock when computing timestamps.
+If the client and server clocks get out of sync
+to the point where the server begins rejecting the client's requests,
+the DES authentication system just resynchronizes with the server.
+.LP
+Here's how the client and server arrive at the same encryption key.
+When a client wishes to talk to a server, it generates at random
+a key to be used for encrypting the timestamps (among other things).
+This key is known as the
+.I "conversation key, CK."
+The client encrypts the conversation key using a public key scheme,
+and sends it to the server in its first transaction.
+This key is the only thing that is ever encrypted with public key cryptography.
+The particular scheme used is described further on in this chapter.
+For now, suffice to say that for any two agents A and B,
+there is a DES key $K sub AB$ that only A and B can deduce.
+This key is known as the
+.I "common key,"
+$K sub AB$.
+.EQ
+gsize 10
+.EN
+.ne 1i
+.PS
+.in +.7i
+circlerad=.4
+boxht=.2
+boxwid=1.3
+circle "\s+9A\s-9" "(client)" at 0,1.2
+circle "\s+9B\s-9" "(server)" at 5.1,1.2
+line invis at .5,2 ; box invis "\fBCredential\fP"; line invis;
+ box invis "\fBVerifier\fP"
+arrow at .5,1.7; box "$A, K sub AB (CK), CK(win)$"; arrow;
+ box "$CK(t sub 1 ), CK(win + 1)$"; arrow
+arrow <- at .5,1.4; line right 1.3; line;
+ box "$CK(t sub 1 - 1), ID$"; arrow <-
+arrow at .5,1; box "ID"; arrow;
+ box "$CK(t sub 2 )$"; arrow
+arrow <- at .5,.7; line right 1.3; line;
+ box "$CK(t sub 2 - 1), ID$"; arrow <-
+arrow at .5,.3; box "ID"; arrow;
+ box "$CK(t sub n )$"; arrow
+arrow <- at .5,0; line right 1.3; line;
+ box "$CK(t sub n - 1), ID$"; arrow <-
+.PE
+.EQ
+gsize 11
+.EN
+.in -.7i
+.LP
+The figure above illustrates the authentication protocol in more detail,
+describing client A talking to server B.
+A term of the form $K(x)$ means $x$ encrypted with the DES key $K$.
+Examining the figure, you can see that for its first request,
+the client's credential contains three things:
+its name $A$, the conversation key $CK$ encrypted with the common key
+$K sub AB$, and a thing called $win$ (window) encrypted with $CK$.
+What the window says to the server, in effect, is this:
+.LP
+.I
+I will be sending you many credentials in the future,
+but there may be crackers sending them too,
+trying to impersonate me with bogus timestamps.
+When you receive a timestamp, check to see if your current time
+is somewhere between the timestamp and the timestamp plus the window.
+If it's not, please reject the credential.
+.LP
+For secure NFS filesystems, the window currently defaults to 30 minutes.
+The client's verifier in the first request contains the encrypted timestamp
+and an encrypted verifier of the specified window, $win + 1$.
+The reason this exists is the following.
+Suppose somebody wanted to impersonate A by writing a program
+that instead of filling in the encrypted fields of the credential and verifier,
+just stuffs in random bits.
+The server will decrypt CK into some random DES key,
+and use it to decrypt the window and the timestamp.
+These will just end up as random numbers.
+After a few thousand trials, there is a good chance
+that the random window/timestamp pair will pass the authentication system.
+The window verifier makes guessing the right credential much more difficult.
+.LP
+After authenticating the client,
+the server stores four things into a credential table:
+the client's name A, the conversation key $CK$, the window, and the timestamp.
+The reason the server stores the first three things should be clear:
+it needs them for future use.
+The reason for storing the timestamp is to protect against replays.
+The server will only accept timestamps
+that are chronologically greater than the last one seen,
+so any replayed transactions are guaranteed to be rejected.
+The server returns to the client in its verifier an index ID
+into its credential table, plus the client's timestamp minus one,
+encrypted by $CK$.
+The client knows that only the server could have sent such a verifier,
+since only the server knows what timestamp the client sent.
+The reason for subtracting one from it is to insure that it is invalid
+and cannot be reused as a client verifier.
+.LP
+The first transaction is rather complicated,
+but after this things go very smoothly.
+The client just sends its ID and an encrypted timestamp to the server,
+and the server sends back the client's timestamp minus one,
+encrypted by $CK$.
+.#
+.NH 1
+\&Public Key Encryption
+.IX "public key encryption"
+.LP
+The particular public key encryption scheme Sun uses
+is the Diffie-Hellman method.
+The way this algorithm works is to generate a
+.I "secret key"
+$SK sub A$ at random
+and compute a
+.I "public key"
+$PK sub A$ using the following formula
+($PK$ and $SK$ are 192 bit numbers and \(*a is a well-known constant):
+.EQ
+PK sub A ~ = ~ alpha sup {SK sub A}
+.EN
+Public key $PK sub A$ is stored in a public directory,
+but secret key $SK sub A$ is kept private.
+Next, $PK sub B$ is generated from $SK sub B$ in the same manner as above.
+Now common key $K sub AB$ can be derived as follows:
+.EQ
+K sub AB ~ = ~ PK sub B sup {SK sub A} ~ = ~
+( alpha sup {SK sub B} ) sup {SK sub A} ~ = ~
+alpha sup {( SK sub A SK sub B )}
+.EN
+Without knowing the client's secret key,
+the server can calculate the same common key $K sub AB$
+in a different way, as follows:
+.EQ
+K sub AB ~ = ~ PK sub A sup {SK sub B} ~ = ~
+( alpha sup {SK sub A} ) sup {SK sub B} ~ = ~
+alpha sup {( SK sub A SK sub B )}
+.EN
+Notice that nobody else but the server and client can calculate $K sub AB$,
+since doing so requires knowing either one secret key or the other.
+All of this arithmetic is actually computed modulo $M$,
+which is another well-known constant.
+It would seem at first that somebody could guess your secret key
+by taking the logarithm of your public one,
+but $M$ is so large that this is a computationally infeasible task.
+To be secure, $K sub AB$ has too many bits to be used as a DES key,
+so 56 bits are extracted from it to form the DES key.
+.LP
+Both the public and the secret keys
+are stored indexed by netname in the Yellow Pages map
+.I publickey.byname
+the secret key is DES-encrypted with your login password.
+When you log in to a machine, the
+.I login
+program grabs your encrypted secret key,
+decrypts it with your login password,
+and gives it to a secure local keyserver to save
+for use in future RPC transactions.
+Note that ordinary users do not have to be aware of
+their public and secret keys.
+In addition to changing your login password, the
+.I yppasswd
+.IX "yppasswd command" "" "\&\fIyppasswd\fP command"
+program randomly generates a new public/secret key pair as well.
+.LP
+The keyserver
+.I keyserv (8c)
+.IX "keyserv daemon" "" "\&\fIkeyserv\fP daemon"
+is an RPC service local to each machine
+that performs all of the public key operations,
+of which there are only three. They are:
+.DS
+setsecretkey(secretkey)
+encryptsessionkey(servername, des_key)
+decryptsessionkey(clientname, des_key)
+.DE
+.I setsecretkey()
+tells the keyserver to store away your secret key $SK sub A$ for future use;
+it is normally called by
+.I login .
+The client program calls
+.I encryptsessionkey()
+to generate the encrypted conversation key
+that is passed in the first RPC transaction to a server.
+The keyserver looks up
+.I servername 's
+public key and combines it with the client's secret key (set up by a previous
+.I setsecretkey()
+call) to generate the key that encrypts
+.I des_key .
+The server asks the keyserver to decrypt the conversation key by calling
+.I decryptsessionkey().
+Note that implicit in these procedures is the name of caller,
+who must be authenticated in some manner.
+The keyserver cannot use DES authentication to do this,
+since it would create deadlock.
+The keyserver solves this problem by storing the secret keys by
+.I uid ,
+and only granting requests to local root processes.
+The client process then executes a
+.I setuid
+process, owned by root, which makes the request on the part of the client,
+telling the keyserver the real
+.I uid
+of the client. Ideally, the three operations described above
+would be system calls, and the kernel would talk to the keyserver directly,
+instead of executing the
+.I setuid
+program.
+.#
+.NH 1
+\&Naming of Network Entities
+.IX "naming of network entities"
+.IX "network naming"
+.LP
+The old UNIX authentication system has a few problems when it comes to naming.
+Recall that with UNIX authentication,
+the name of a network entity is basically the
+.I uid .
+These
+.I uid s
+are assigned per Yellow Pages naming domain,
+which typically spans several machines.
+We have already stated one problem with this system,
+that it is too UNIX system oriented,
+but there are two other problems as well.
+One is the problem of
+.I uid
+clashes when domains are linked together.
+The other problem is that the super-user (with
+.I uid
+of 0) should not be assigned on a per-domain basis,
+but rather on a per-machine basis.
+By default, the NFS deals with this latter problem in a severe manner:
+it does not allow root access across the network by
+.I uid
+0 at all.
+.LP
+DES authentication corrects these problems
+by basing naming upon new names that we call
+.I netnames.
+Simply put, a netname is just a string of printable characters,
+and fundamentally, it is really these netnames that we authenticate.
+The public and secret keys are stored on a per-netname,
+rather than per-username, basis.
+The Yellow Pages map
+.I netid.byname
+maps the netname into a local
+.I uid
+and group-access-list,
+though non-Sun environments may map the netname into something else.
+.LP
+We solve the Internet naming problem by choosing globally unique netnames.
+This is far easier then choosing globally unique user IDs.
+In the Sun environment, user names are unique within each Yellow Page domain.
+Netnames are assigned by concatenating the operating system and user ID
+with the Yellow Pages and ARPA domain names.
+For example, a UNIX system user with a user ID of 508 in the domain
+.I eng.sun.COM
+would be assigned the following netname:
+.I unix.508@eng.sun.COM .
+A good convention for naming domains is to append
+the ARPA domain name (COM, EDU, GOV, MIL) to the local domain name.
+Thus, the Yellow Pages domain
+.I eng
+within the ARPA domain
+.I sun.COM
+becomes
+.I eng.sun.COM .
+.LP
+We solve the problem of multiple super-users per domain
+by assigning netnames to machines as well as to users.
+A machine's netname is formed much like a user's.
+For example, a UNIX machine named
+.I hal
+in the same domain as before has the netname
+.I unix.hal@eng.sun.COM .
+Proper authentication of machines is very important for diskless machines
+that need full access to their home directories over the net.
+.LP
+Non-Sun environments will have other ways of generating netnames,
+but this does not preclude them from accessing
+the secure network services of the Sun environment.
+To authenticate users from any remote domain,
+all that has to be done is make entries for them in two Yellow Pages databases.
+One is an entry for their public and secret keys,
+the other is for their local
+.I uid
+and group-access-list mapping.
+Upon doing this, users in the remote domain
+will be able access all of the local network services,
+such as the NFS and remote logins.
+.#
+.NH 1
+\&Applications of DES Authentication
+.IX "applications of DES authentication"
+.IX "authentication" "DES"
+.LP
+The first application of DES authentication
+is a generalized Yellow Pages update service.
+This service allows users to update private fields in Yellow Page databases.
+So far the Yellow Pages maps
+.I hosts,
+.I ethers,
+.I bootparams
+and
+.I publickey
+employ the DES-based update service.
+Before the advent of an update service for mail aliases,
+Sun had to hire a full-time person just to update mail aliases.
+.LP
+The second application of DES authentication is the most important:
+a more secure Network File System.
+There are three security problems with the
+old NFS using UNIX authentication.
+The first is that verification of credentials occurs only at mount time
+when the client gets from the server a piece of information
+that is its key to all further requests: the
+.I "file handle" .
+Security can be broken if one can figure out a file handle
+without contacting the server, perhaps by tapping into the net or by guessing.
+After an NFS file system has been mounted,
+there is no checking of credentials during file requests,
+which brings up the second problem.
+If a file system has been mounted from a server that serves multiple clients
+(as is typically the case), there is no protection
+against someone who has root permission on their machine using
+.I su
+(or some other means of changing
+.I uid )
+gaining unauthorized access to other people's files.
+The third problem with the NFS is the severe method it uses to circumvent
+the problem of not being able to authenticate remote client super-users:
+denying them super-user access altogether.
+.LP
+The new authentication system corrects all of these problems.
+Guessing file handles is no longer a problem since in order to gain
+unauthorized access, the miscreant will also have to guess the right
+encrypted timestamp to place in the credential,
+which is a virtually impossible task.
+The problem of authenticating root users is solved,
+since the new system can authenticate machines.
+At this point, however,
+secure NFS is not used for root filesystems.
+Root users of nonsecure filesystems are identified by IP address.
+.LP
+Actually, the level of security associated with each filesystem
+may be altered by the administrator. The file
+.I /etc/exports
+.IX "etc/exports" "" "\&\fI/etc/exports\fP"
+contains a list of filesystems and which machines may mount them.
+By default, filesystems are exported with UNIX authentication,
+but the administrator can have them exported with DES authentication
+by specifying
+.I -secure
+on any line in the
+.I /etc/exports
+file. Associated with DES authentication is a parameter:
+the maximum window size that the server is willing to accept.
+.#
+.NH 1
+\&Security Issues Remaining
+.IX "security" "issues remaining"
+.IX "remaining security issues"
+.LP
+There are several ways to break DES authentication, but using
+.I su
+is not one of them. In order to be authenticated,
+your secret key must be stored by your workstation.
+This usually occurs when you login, with the
+.I login
+program decrypting your secret key with your login password,
+and storing it away for you.
+If somebody tries to use
+.I su
+to impersonate you, it won't work,
+because they won't be able to decrypt your secret key. Editing
+.I /etc/passwd
+isn't going to help them either, because the thing they need to edit,
+your encrypted secret key, is stored in the Yellow Pages.
+If you log into somebody else's workstation and type in your password,
+then your secret key would be stored in their workstation and they could use
+.I su
+to impersonate you. But this is not a problem since you should not
+be giving away your password to a machine you don't trust anyway.
+Someone on that machine could just as easily change
+.I login
+to save all the passwords it sees into a file.
+.LP
+Not having
+.I su
+to employ any more, how can nefarious users impersonate others now?
+Probably the easiest way is to guess somebody's password,
+since most people don't choose very secure passwords.
+We offer no protection against this;
+it's up to each user to choose a secure password.
+.LP
+The next best attack would be to attempt replays.
+For example, let's say I have been squirreling away
+all of your NFS transactions with a particular server.
+As long as the server remains up,
+I won't succeed by replaying them since the server always demands timestamps
+that are greater than the previous ones seen.
+But suppose I go and pull the plug on your server, causing it to crash.
+As it reboots, its credential table will be clean,
+so it has lost all track of previously seen timestamps,
+and now I am free to replay your transactions.
+There are few things to be said about this.
+First of all, servers should be kept in a secure place
+so that no one can go and pull the plug on them.
+But even if they are physically secure,
+servers occasionally crash without any help.
+Replaying transactions is not a very big security problem,
+but even so, there is protection against it.
+If a client specifies a window size that is smaller than the time it takes
+a server to reboot (5 to 10 minutes), the server will reject
+any replayed transactions because they will have expired.
+.LP
+There are other ways to break DES authentication,
+but they are much more difficult.
+These methods involve breaking the DES key itself,
+or computing the logarithm of the public key,
+both of which would would take months of compute time on a supercomputer.
+But it is important to keep our goals in mind.
+Sun did not aim for super-secure network computing.
+What we wanted was something as secure as a good time-sharing system,
+and in that we have been successful.
+.LP
+There is another security issue that DES authentication does not address,
+and that is tapping of the net.
+Even with DES authentication in place,
+there is no protection against somebody watching what goes across the net.
+This is not a big problem for most things,
+such as the NFS, since very few files are not publically readable, and besides,
+trying to make sense of all the bits flying over the net is not a trivial task.
+For logins, this is a bit of a problem because you wouldn't
+want somebody to pick up your password over the net.
+As we mentioned before,
+a side effect of the authentication system is a key exchange,
+so that the network tapping problem can be tackled on a per-application basis.
+.#
+.NH 1
+\&Performance
+.IX "performance of DES authentication"
+.IX "authentication" "performance"
+.LP
+Public key systems are known to be slow,
+but there is not much actual public key encryption going on in Sun's system.
+Public key encryption only occurs in the first transaction with a service,
+and even then, there is caching that speeds things up considerably.
+The first time a client program contacts a server,
+both it and the server will have to calculate the common key.
+The time it takes to compute the common key is basically the time it takes
+to compute an exponential modulo $M$.
+On a Sun-3 using a 192-bit modulus, this takes roughly 1 second,
+which means it takes 2 seconds just to get things started,
+since both client and server have to perform this operation.
+This is a long time,
+but you have to wait only the first time you contact a machine.
+Since the keyserver caches the results of previous computations,
+it does not have to recompute the exponential every time.
+.LP
+The most important service in terms of performance is the secure NFS,
+which is acceptably fast.
+The extra overhead that DES authentication requires versus UNIX authentication
+is the encryption.
+A timestamp is a 64-bit quantity,
+which also happens to be the DES block size.
+Four encryption operations take place in an average RPC transaction:
+the client encrypts the request timestamp, the server decrypts it,
+the server encrypts the reply timestamp, and the client decrypts it.
+On a Sun-3, the time it takes to encrypt one block is about
+half a millisecond if performed by hardware,
+and 1.2 milliseconds if performed by software.
+So, the extra time added to the round trip time is about
+2 milliseconds for hardware encryption and 5 for software.
+The round trip time for the average NFS request is about 20 milliseconds,
+resulting in a performance hit of 10 percent if one has encryption hardware,
+and 25 percent if not.
+Remember that this is the impact on network performance.
+The fact is that not all file operations go over the wire,
+so the impact on total system performance will actually be lower than this.
+It is also important to remember that security is optional,
+so environments that require higher performance can turn it off.
+.#
+.NH 1
+\&Problems with Booting and \&\fBsetuid\fP Programs
+.IX "problems with booting and \&\fIsetuid\fP programs"
+.IX "booting and \&\fIsetuid\fP problems"
+.LP
+Consider the problem of a machine rebooting,
+say after a power failure at some strange hour when nobody is around.
+All of the secret keys that were stored get wiped out,
+and now no process will be able to access secure network services,
+such as mounting an NFS filesystem.
+The important processes at this time are usually root processes,
+so things would work OK if root's secret key were stored away,
+but nobody is around to type the password that decrypts it.
+The solution to this problem is to store root's decrypted secret key in a file,
+which the keyserver can read.
+This works well for diskful machines that can store the secret key
+on a physically secure local disk,
+but not so well for diskless machines,
+whose secret key must be stored across the network.
+If you tap the net when a diskless machine is booting,
+you will find the decrypted key.
+This is not very easy to accomplish, though.
+.LP
+Another booting problem is the single-user boot.
+There is a mode of booting known as single-user mode, where a
+.I root
+login shell appears on the console.
+The problem here is that a password is not required for this.
+With C2 security installed,
+a password is required in order to boot single-user.
+Without C2 security installed,
+machines can still be booted single-user without a password,
+as long as the entry for
+.I console
+in the
+.I /etc/ttytab
+.IX "etc/ttytab" "" "\&\fI/etc/ttytab\fP"
+file is labeled as physically
+.I secure
+(this is the default).
+.LP
+Yet another problem is that diskless machine booting is not totally secure.
+It is possible for somebody to impersonate the boot-server,
+and boot a devious kernel that, for example,
+makes a record of your secret key on a remote machine.
+The problem is that our system is set up to provide protection
+only after the kernel and the keyserver are running.
+Before that, there is no way to authenticate
+the replies given by the boot server.
+We don't consider this a serious problem,
+because it is highly unlikely that somebody would be able to write
+this funny kernel without source code.
+Also, the crime is not without evidence.
+If you polled the net for boot-servers,
+you would discover the devious boot-server's location.
+.LP
+Not all
+.I setuid
+programs will behave as they should.
+For example, if a
+.I setuid
+program is owned by
+.I dave ,
+who has not logged into the machine since it booted,
+then the program will not be able to access any secure network services as
+.I dave .
+The good news is that most
+.I setuid
+programs are owned by root,
+and since root's secret key is always stored at boot time,
+these programs will behave as they always have.
+.#
+.NH 1
+\&Conclusion
+.IX "network security" "summary"
+.LP
+Our goal was to build a system as secure as a time-shared system.
+This goal has been met.
+The way you are authenticated in a time-sharing system
+is by knowing your password.
+With DES authentication, the same is true.
+In time-sharing the person you trust is your system administrator,
+who has an ethical obligation
+not to change your password in order to impersonate you.
+In Sun's system, you trust your network administrator,
+who does not alter your entry in the public key database.
+In one sense, our system is even more secure than time-sharing,
+because it is useless to place a tap on the network
+in hopes of catching a password or encryption key,
+since these are encrypted.
+Most time-sharing environments do not encrypt data emanating from the terminal;
+users must trust that nobody is tapping their terminal lines.
+.LP
+DES authentication is perhaps not the ultimate authentication system.
+In the future it is likely there will be sufficient advances
+in algorithms and hardware to render the public key system
+as we have defined it useless.
+But at least DES authentication offers a smooth migration path for the future.
+Syntactically speaking,
+nothing in the protocol requires the encryption of the conversation
+key to be Diffie-Hellman, or even public key encryption in general.
+To make the authentication stronger in the future,
+all that needs to be done is to strengthen the way
+the conversation key is encrypted.
+Semantically, this will be a different protocol,
+but the beauty of RPC is that it can be plugged in
+and live peacefully with any authentication system.
+.LP
+For the present at least, DES authentication satisfies our requirements
+for a secure networking environment.
+From it we built a system secure enough for use in unfriendly networks,
+such as a student-run university workstation environment.
+The price for this security is not high.
+Nobody has to carry around a magnetic card or remember
+any hundred digit numbers.
+You use your login password to authenticate yourself, just as before.
+There is a small impact on performance,
+but if this worries you and you have a friendly net,
+you can turn authentication off.
+.#
+.NH 1
+\&References
+.IX "references on network security"
+.LP
+Diffie and Hellman, ``New Directions in Cryptography,''
+\fIIEEE Transactions on Information Theory IT-22,\fP
+November 1976.
+.LP
+Gusella & Zatti, ``TEMPO: A Network Time Controller
+for a Distributed Berkeley UNIX System,''
+\fIUSENIX 1984 Summer Conference Proceedings,\fP
+June 1984.
+.LP
+National Bureau of Standards, ``Data Encryption Standard,''
+\fIFederal Information Processing Standards Publication 46,\fP
+January 15, 1977.
+.LP
+Needham & Schroeder, ``Using Encryption for Authentication
+in Large Networks of Computers,''
+\fIXerox Corporation CSL-78-4,\fP
+September 1978.
+.EQ
+delim off
+.EN
+.IX "security" "of networks" "" "" PAGE END
+.IX "network security" "" "" "" PAGE END
+.IX "NFS security" "" "" "" PAGE END
OpenPOWER on IntegriCloud