SPKM BOF - PowerPoint PPT Presentation

Title: SPKM BOF

Description: NFSv4 (and other upper layer protocols) need a certificate-based authentication system. TLS (or SSL) is ubiquitous, why doesn't NFS use TLS? ... – PowerPoint PPT presentation

Slides: 6
Provided by: mikee4
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
SPKM BOF IETF 67
SSiLKey
  • Mike Eisler
  • email2mre-ietf AT yahoo.com

2
Background and Motivation
  • NFSv4 (and other upper layer protocols) need a certificate-based authentication system
  • TLS (or SSL) is ubiquitous, why doesn't NFS use TLS?
  • NFS uses ONC RPC, and ONC RPC does not fit cleanly with TLS
  • TLS/SSL enabled http servers are abundant, can we leverage that?
  • Not proposing using https as the transport for NFS

3
SSiLKey: Session Keys via SSL (aka TLS)
  • A GSS initiator creates a SSiLKey context token to `<svc_name>_at_<host_name>`
  • Issues an https call to `https://<host_name>/SSiLKey/InitialContext/service_name?target=<svc_name>_at_<host_name>`
  • The https server response is encrypted via TLS, and contains
    • Authenticator, in GSS InitialContext form (i.e. the ASN.1 OID for SSiLKey), consisting of
      • OID of a symmetric encryption algorithm
      • OID of a one way hash algorithm
      • Cipher text (wrapped via encryption and HMAC of one way hash algorithms) using service key, consisting of
        • session key between initiator and target
        • initiator's certificate (if any)
        • sequence number (for replay protection)
    • the session key (same as that in Authenticator)
  • NFS, via RPCSEC_GSS, sends Authenticator to NFS server

4
SSiLKey Target Processing of Context Token
  • NFS server, via RPCSEC_GSS, acquires its credentials (a secret symmetric key accessible to the NFS server and the https server)
  • calls GSS_Accept_Sec_Context() which unwraps cipher text in token
    • Checks sequence number for replay
    • If the initiator did not send its certificate, then initiator is anonymous
      • Initiator will use LIPKEY to authenticate itself
      • LIPKEY will layer itself over SSiLKey as it does over SPKM-3
    • If a certificate was sent, the target maps it to an operating environment cred (e.g. UNIX uid, gid, gid list)
      • My opinion: implementers should add a gss_ctx_to_uid() call to their GSS libraries if they haven't already
      • If there is a best practice for mapping certs to uids, use it, otherwise, define one and move on
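An added example, not from the slides or from any SSiLKey implementation, modelling the Authenticator from slide 3 and the target-side unwrap from slide 4 in Python. It assumes placeholder OID values, length-prefixed fields in place of ASN.1 DER, and an HMAC-SHA256 counter-mode keystream standing in for the cipher the first OID would name; the TLS leg that returns the session key to the initiator is not modelled.

```python
import hashlib, hmac, os, struct
# Placeholder algorithm identifiers; the slides name no concrete OIDs.
ENC_OID = b"<placeholder-cipher-oid>"
HASH_OID = b"2.16.840.1.101.3.4.2.1"  # SHA-256 OID
def _subkeys(service_key):
    # Derive separate encryption and MAC keys from the service key shared by https and NFS servers.
    enc = hmac.new(service_key, b"SSiLKey-enc", hashlib.sha256).digest()
    mac = hmac.new(service_key, b"SSiLKey-mac", hashlib.sha256).digest()
    return enc, mac
def _keystream_xor(key, nonce, data):
    # Stand-in for the cipher ENC_OID would name: HMAC-SHA256 keystream in counter mode.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)
def _encode(*fields):
    # Length-prefixed fields; a stand-in for the ASN.1 encoding the real token would use.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)
def _decode(buf):
    fields, i = [], 0
    while i < len(buf):
        n = struct.unpack(">I", buf[i:i + 4])[0]
        fields.append(buf[i + 4:i + 4 + n])
        i += 4 + n
    return fields
def build_authenticator(service_key, session_key, cert, seqno):
    """https server: wrap (session key, cert, seqno) under the service key, then HMAC."""
    enc_k, mac_k = _subkeys(service_key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_k, nonce, _encode(session_key, cert, struct.pack(">Q", seqno)))
    body = _encode(ENC_OID, HASH_OID, nonce, ct)
    return body + hmac.new(mac_k, body, hashlib.sha256).digest()
def accept_sec_context(service_key, token, seen):
    """NFS server (GSS target): check HMAC, unwrap, reject replayed sequence numbers."""
    enc_k, mac_k = _subkeys(service_key)
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_k, body, hashlib.sha256).digest()):
        raise ValueError("bad HMAC")
    enc_oid, hash_oid, nonce, ct = _decode(body)
    if enc_oid != ENC_OID or hash_oid != HASH_OID:
        raise ValueError("unsupported algorithm")
    session_key, cert, seq = _decode(_keystream_xor(enc_k, nonce, ct))
    seqno = struct.unpack(">Q", seq)[0]
    if seqno in seen:
        raise ValueError("replay")
    seen.add(seqno)
    return session_key, (cert or None)  # empty cert field means an anonymous initiator
```

The `seen` set is the target's replay window; a production target would bound it and tie it to the credential lifetime.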

5
Parts Needed
  • Client side: TLS code, http client, SSiLKey GSS initiator
  • Server side
    • https server
    • SSiLKey CGI scripts or binaries to process SSiLKey request for InitialContext
    • Tools for creating random service keys, and service key tabs to store them
    • SSiLKey GSS target