Security Vulnerabilities in RPC (csci5931)
by Shaheen Pattan

RPC Security (1)

Distributed applications may require a number of security measures, including:
– Authentication
– Authorization (access control)
– Data integrity
– Data privacy

DCE Security provides high level of security
RPC is integrated with DCE Security

[Figure labels: RPC Client, RPC Runtime, Authentication Runtime; Server, Authentication Runtime, RPC Runtime; Obj1, Obj2, Obj3]
– Clients request services via authenticated RPC
– RPCs can use checksums for data integrity and encryption for data privacy
– Servers make access decisions using Access Control Lists attached to objects

[Figure: DSI LSM Module. Labels: Source Node, Target Node; User Level, Kernel Level; Proc 1 2, Proc 3 4, Proc 1 2 3; SM; SID; SID Check; Error; Drop; File A; IP Packet; SSID + SNID. One program calls connect(sock1, ...); the other calls accept(sock1, ...), set_delegate_sid(sock1) and reset_sid().]

Sun RPC:
– secure RPC services for authentication (man secure_rpc) with four options
– Kerberos v5: authentication, per-session key generation
– ssleay: free library functions implementing SSLv3, for authentication and encryption
– Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC2078)

More Slides yet to be added
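The request path the first slide describes (authenticated RPC, a checksum for data integrity, then an access decision from the ACL attached to the object), as an added example that is not from the slides and is not the DCE or Sun RPC API. Assumptions: HMAC-SHA256 stands in for the checksum, the principals, session keys and function names are constructed for illustration, and encryption for data privacy is left out.

```python
import hashlib
import hmac
import json

# Constructed sample data: ACL attached to each object (principal -> allowed operations).
ACLS = {
    "Obj1": {"alice": {"read", "write"}, "bob": {"read"}},
    "Obj2": {"alice": {"read"}},
    "Obj3": {},
}
# Constructed session keys; a real deployment gets these from its authentication service.
SESSION_KEYS = {"alice": b"k-alice-demo", "bob": b"k-bob-demo"}


def _mac(key, principal, obj, op):
    # Canonical encoding so client and server compute the checksum over the same bytes.
    body = json.dumps([principal, obj, op], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_request(principal, key, obj, op):
    """Client side: build a request and attach a keyed checksum."""
    return {"principal": principal, "obj": obj, "op": op,
            "mac": _mac(key, principal, obj, op)}


def handle(req):
    """Server side: authenticate and verify integrity first, then consult the ACL."""
    key = SESSION_KEYS.get(req.get("principal"))
    if key is None:
        return "reject: unknown principal"
    expected = _mac(key, req["principal"], req["obj"], req["op"])
    # Constant-time comparison; a mismatch means wrong key or modified fields.
    if not hmac.compare_digest(expected, str(req.get("mac", ""))):
        return "reject: bad checksum"
    allowed = ACLS.get(req["obj"], {}).get(req["principal"], set())
    return "ok" if req["op"] in allowed else "reject: access denied"


if __name__ == "__main__":
    read_req = make_request("bob", SESSION_KEYS["bob"], "Obj1", "read")
    print(handle(read_req))                    # valid request, permitted by ACL
    print(handle(dict(read_req, op="write")))  # field changed in transit
    print(handle(make_request("bob", SESSION_KEYS["bob"], "Obj1", "write")))
```

The last two calls fail for different reasons: the modified request is caught by the checksum, while the well-formed write request is authentic but refused by the ACL on Obj1.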