Re: Can SecurId be used to protect client-server TCP/IP connections?

From: Mark H. Johnson <mhjohnso_at_oracle.com>
Date: Sat, 9 Oct 1993 02:23:18 GMT
Message-ID: <1993Oct9.022318.811_at_oracle.us.oracle.com>

In article <292fm7$ne3_at_sol.TIS.COM>, mjr_at_tis.com (Marcus J. Ranum) writes:
> >We want to develop ORACLE-based client-server applications, but in that case
> >the client-side SQL*Net communicates directly with the server-side SQL*Net and
> >bypasses the 'normal' Unix login cum SecurId. Has anyone tried to protect such
> >a 'backdoor' connection with something like SecurId?
>
> This is an interesting generic problem. Jon Kamens just presented
> (as in, day before yesterday) a similar war story describing the same
> kind of issues. (USENIX proceedings 4th security symposium) Basically,
> Jon's suggestions implied you need to have a "wrapper" that does the
> security checking either at the server side, or both client and server.
> There is definitely a performance cost, though he presents no measurements.
>
> Do any RDBMS' have support for application-specific authentication?
> Jon's paper describes the exact same class of problems as you describe,
> for SYBASE. It'd be awfully nice if RDBMS vendors would support some kind
> of external authenticator callback function, rather than assuming you
> want to store everything in their internal table. :(
>
> mjr.
>
> (Jon's jik_at_security.ov.com)

As noted Oracle does not offer application-specific authorization. You can use the built-in authorization, of course. Works for us. :-)

Turns out that the Oracle7 Server gives most of what is needed (external calls to security services are possible, bypassing the normal internal table). For now, this is port-specific functionality. (Translation: we have the hooks, but don't let them out of the building unless you buy an OEM version of Oracle and port it yourself. This is a very high dollar, high effort solution.)

We are exploring exploiting this functionality for a DCE SQL*Net driver. (We want to use the DCE Security service for authentication at connect time.)

Our work has demonstrated that it might be possible to have a server side call-out to an external security service at connect time. How to productize this functionality safely and supportably seems non-trivial.

Why the posting? If there is a significant demand for this kind of functionality, we should hear about it. Did you open a TAR with this enhancement request?

If native DCE authentication is good enough we may have a solution for you a bit sooner.

(mhjohnso_at_oracle.com) Received on Sat Oct 09 1993 - 03:23:18 CET

This message: [ Message body ]
Next message: David Harrington: "Re: Can we call off this advertising before it gets out of hand?"
Previous message: Richard G Ramirez: "Re: Academic pricing comparisons for popular SQL packages"
Maybe in reply to: Karel Sprenger: "Can SecurId be used to protect client-server TCP/IP connections?"
In reply to Karel Sprenger: "Can SecurId be used to protect client-server TCP/IP connections?"
Next in thread: David Harrington: "Re: Can we call off this advertising before it gets out of hand?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message