[SUMMARY] Can SecurId be used to protect client-server TCP/IP connections?

From: Karel Sprenger <ks_at_ic.uva.nl>
Date: Tue, 18 Jan 1994 13:10:11
Message-ID: <ks.58.000D2B81_at_ic.uva.nl>


Introduction



October last year I asked the news groups comp.client-server, comp.databases.oracle and comp.security.misc if anybody had used SecurID cards and software to protect client/server connections (and in particularfor ORACLE and SQL*Net). A number of people reacted to this and it is now more than time for this summary.

The problem



The username/password combination as required by 'normal' OS login procedures is known to be weak, but can be strengthened by means of dynamic password systems. In that case, a user authenticates herself by either calculating the appropriate respons to a challenge string sent by the OS or encrypting his local time. In both cases a special kind of hardware device (token) is used to do the necessary arithmetic. Each user has her own token, the identity of which is known to the OS.

This works fine for OS login procedures, but what to do when these are simply bypassed as is the case with Oracle's client/server connections. In that case the client-side SQL*Net communicates directly with the server-side SQL*Net and bypasses the 'normal' OS login. Can such 'backdoor' connections nevertheless be strengthened with the dynamic password mechanism?

The answers


  1. wietse_at_wzv.win.tue.nl (Wietse Venema) wrote (translated by me from Dutch):
    > The SecurID software I used (SunOS) did not offer a programmatic
    > interface, so that won't be easy.
    >
    > I see more in Kerberos-like techniques for C/S, but still need practical
    > experience with Kerberos.
  2. edelheit_at_smiley.mitre.org (Jeff Edelheit) wrote:
    > MITRE uses the SecureID to protect it's telnet and FTP services. I
    > believe we had to modify the telnet and FTP front-ends. Security
    > Dynamics may have some ideas on how to use their product in an
    > environment like you are describing.
  3. Dave Goldberg <dsg_at_blackbird.mitre.org> wrote:
    > If you've got source, the client library code from Security Dynamics
    > should be sufficient to add a SecurID challenge to ORACLE. We haven't
    > used it for commercial apps like ORACLE here because we lack source,
    > but we've successfully used it in homegrown apps, and FTP. I don't
    > know if Security Dynamics ships the client library code to Non-US
    > sites due to export restrictions. If it wasn't included in your
    > distribution, complain to your sales rep, but don't be surprised if
    > that's what happened :-(
  4. arnold_at_Synopsys.COM (Arnold de Leon) wrote:
    > I haven't integrated SecurID with Oracle but I have done
    > with with the authentication daemon for securid. The
    > api is reasonable easy to use. It is fairly easy to write
    > a client that uses SecurId for authentication.
    >
    > The software for your aceserver should have included
    > the libraries for you to use. All you really
    > need to be able to do is some i/o between the user
    > and your software to do the dialog.
  5. mjr_at_tis.com (Marcus J. Ranum) wrote:
    > This is an interesting generic problem. Jon Kamens just presented
    > (as in, day before yesterday) a similar war story describing the same
    > kind of issues. (USENIX proceedings 4th security symposium) Basically,
    > Jon's suggestions implied you need to have a "wrapper" that does the
    > security checking either at the server side, or both client and server.
    > There is definitely a performance cost, though he presents no measurements.
    >
    > Do any RDBMS' have support for application-specific authentication?
    > Jon's paper describes the exact same class of problems as you describe,
    > for SYBASE. It'd be awfully nice if RDBMS vendors would support some kind
    > of external authenticator callback function, rather than assuming you
    > want to store everything in their internal table. :(
  6. mhjohnso_at_oracle.com (Mark H. Johnson) wrote:
    > As noted Oracle does not offer application-specific authorization. You
    > can use the built-in authorization, of course. Works for us. :-)
    >
    > Turns out that the Oracle7 Server gives most of what is needed (external
    > calls to security services are possible, bypassing the normal internal
    > table). For now, this is port-specific functionality. (Translation: we
    > have the hooks, but don't let them out of the building unless you buy an
    > OEM version of Oracle and port it yourself. This is a very high dollar,
    > high effort solution.)
    >
    > We are exploring exploiting this functionality for a DCE SQL*Net driver.
    > (We want to use the DCE Security service for authentication at connect
    > time.)
    >
    > Our work has demonstrated that it might be possible to have a server side
    > call-out to an external security service at connect time. How to productize
    > this functionality safely and supportably seems non-trivial.
    >
    > Why the posting? If there is a significant demand for this kind of
    > functionality, we should hear about it. Did you open a TAR with this
    > enhancement request?
    >
    > If native DCE authentication is good enough we may have a solution for you
    > a bit sooner.
    >

The conclusions (so far)


  1. Security Dynamics ACE server should be looked into.
  2. Oracle and other vendors should be requested to provide sufficient hooks to add this kind of functionality.
  3. There may be the old (?) problem of US export controls on encryption and athentication code.

A Talk with Security Dynamics



In November two of my colleages and I talked with George Soerheide and Lionel Beckett of Security Dynamics and Wim Weegink of Unisource Business Networks Nederland (who resell SecurID over here). It turned out that Security Dynamics is interested in the problem of protecting C/S with their product, but definitely need contacts with the database vendors (Oracle in our case). The toolkit Dave Goldberg wrote about (part of SD's ACE server) could be used to add the authentication mechanism to ORACLE SQL*Net and its equivalents for Sybase, Ingres, etc.

Conclusions



At this moment C/S cannot be protected with a device like SecurID. In other words: if user authentication is required, you're tied to the OS login strengthened with SecurID or something similar. The answers from Marcus Ranum, Mark Johnson and Security Dynamics could be reason to hope for a "safer" C/S in another two or three years.
| Karel Sprenger, ORACLE coordinator (techn.) | Email: ks_at_ic.uva.nl    |
| Informatiseringscentrum                     | phone: +31-20-525 2302 |
| Universiteit van Amsterdam                  |        +31-20-525 2741 |
| Turfdraagsterpad 9, NL-1012 XT  AMSTERDAM   | fax  : +31-20-525 2084 |
| *** PGP Public Key available on request *** | home : +31-20-675 0989 |
Received on Tue Jan 18 1994 - 13:10:11 CET

Original text of this message