Re: Can SecurId be used to protect client-server TCP/IP connections?

From: Marcus J. Ranum <mjr_at_tis.com>
Date: 8 Oct 1993 01:27:35 GMT
Message-ID: <292fm7$ne3_at_sol.TIS.COM>


>We want to develop ORACLE-based client-server applications, but in that case
>the client-side SQL*Net communicates directly with the server-side SQL*Net and
>bypasses the 'normal' Unix login cum SecurId. Has anyone tried to protect such
>a 'backdoor' connection with something like SecurId?

        This is an interesting generic problem. Jon Kamens just presented (as in, day before yesterday) a similar war story describing the same kind of issues. (USENIX proceedings 4th security symposium) Basically, Jon's suggestions implied you need to have a "wrapper" that does the security checking either at the server side, or both client and server. There is definitely a performance cost, though he presents no measurements.

        Do any RDBMSs have support for application-specific authentication? Jon's paper describes the exact same class of problems as you describe, for SYBASE. It'd be awfully nice if RDBMS vendors would support some kind of external authenticator callback function, rather than assuming you want to store everything in their internal table. :(

mjr.

(Jon's jik_at_security.ov.com)

Received on Fri Oct 08 1993 - 02:27:35 CET
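The server-side "wrapper" pattern discussed above, as an added example in Python that is not code from the post or from Jon Kamens' paper: a gate in front of the real listener that demands a one-time code before any bytes reach the backend, with the decision made by a pluggable callback (the external authenticator the post wishes RDBMS vendors offered). The one-time code is an assumed HMAC-over-time stand-in, not the SecurID algorithm; seeds, user names, hosts and ports are placeholders.

```python
import hashlib, hmac, socket, struct, threading, time

def one_time_code(seed: bytes, now: float, step: int = 60) -> str:
    """Stand-in for a SecurID code: HMAC over the 60 s window (assumed construction)."""
    window = struct.pack(">Q", int(now // step))
    mac = hmac.new(seed, window, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

def make_authenticator(seeds: dict):
    """The 'external authenticator callback': (user, code) -> bool, table owned by the wrapper."""
    def check(user: str, code: str, now=None) -> bool:
        seed = seeds.get(user)
        if seed is None:            # unknown user fails the same way as a bad code
            return False
        expected = one_time_code(seed, time.time() if now is None else now)
        return hmac.compare_digest(expected, code)
    return check

def read_line(conn: socket.socket, limit: int = 256) -> str:
    """Read one line byte by byte so nothing meant for the backend is read ahead and lost."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit and (ch := conn.recv(1)):
        buf += ch
    return buf.decode(errors="replace").strip()

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then half-close the destination."""
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:                 # peer already gone
        pass

def handle_client(conn: socket.socket, backend: tuple, authenticate) -> bool:
    """Server-side wrapper: the real listener is contacted only after a valid 'user code' line."""
    user, _, code = read_line(conn).partition(" ")
    if not authenticate(user, code):
        conn.sendall(b"AUTH FAILED\n")
        conn.close()
        return False
    conn.sendall(b"AUTH OK\n")
    with socket.create_connection(backend) as db:   # e.g. ("127.0.0.1", 1521), placeholder
        back = threading.Thread(target=pump, args=(db, conn), daemon=True)
        back.start()
        pump(conn, db)              # client -> backend until the client half-closes
        back.join()                 # backend -> client until the backend closes
    conn.close()
    return True
```

Run `handle_client` once per accepted connection from a listening socket placed where the SQL*Net listener used to be, and point clients at the wrapper instead.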
