[AFS3-std] file servers, uuids, and GSS identities
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 14 Feb 2013 17:59:41 -0500
On Thu, 2013-02-14 at 22:30 +0000, Simon Wilkinson wrote:
> On 14 Feb 2013, at 22:15, Benjamin Kaduk wrote:
> > jhutz notes that in order to go from the nonce returned by VL_RegisterAddrsAndKey to an actual key, the caller of the RPC needs to perform PRF+ with the master key (K0) of the token of the connection and the two nonces. The other uses of PRF+ are in key derivation for packet processing and for token combination; the key itself need not be exposed to security object consumers otherwise. Using a separate utility to register a new fileserver and key would preserve this property, which is probably useful.
>
>
> I'm not sure how it being a separate utility, versus the fileserver,
> helps you here. Whatever happens, the rxgk library needs to provide
> either a means of getting K0 for a particular connection, or of
> performing a PRF+ operation using a particular set of inputs
> against a connection's key. Changing the caller from a bit of the
> fileserver, to a standalone utility doesn't change the need to export
> that information.

Indeed. The reason to use a separate utility would be if one wanted to
authenticate the request using credentials belonging to an
administrator. Depending on site policy, there's no reason the
fileserver can't do this.

IMHO, rxgk should _not_ provide a means of getting K0 for a connection.
It would be reasonable for rxgk to provide a PRF or PRF+ utility to the
application layer; however, it should transform the inputs such that
they cannot collide with inputs used for generating keys used by rxgk
itself.

-- Jeff
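
An added illustration of the design discussed in this message, not code from the thread or from any rxgk implementation: a connection object that never hands out K0 and offers the application a PRF+ whose inputs are domain-separated from internal key derivation. HMAC-SHA256 in counter mode stands in for the real PRF+, and the tag bytes, seed layout and names (`Connection`, `app_prf`, `transport_key`, `transport_seed`) are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical one-byte domain tags: every PRF+ seed starts with exactly one.
DOMAIN_INTERNAL = b"\x00"  # keys the security layer derives for itself
DOMAIN_APP = b"\x01"       # output requested by the application layer


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """Assumed stand-in PRF+: HMAC-SHA256 in counter mode (not rxgk's own)."""
    out = b""
    counter = 1
    while len(out) < length:
        block = struct.pack(">I", counter) + seed
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def transport_seed(epoch: int, cid: int, key_number: int) -> bytes:
    """Constructed seed layout for an internal packet key (illustrative)."""
    return struct.pack(">IIQ", epoch, cid, key_number)


class Connection:
    """Holds K0 and exposes only derived output, never K0 itself."""

    def __init__(self, k0: bytes):
        self._k0 = k0

    def transport_key(self, epoch: int, cid: int, key_number: int) -> bytes:
        # Internal derivation: tagged so no application seed can equal it.
        seed = DOMAIN_INTERNAL + transport_seed(epoch, cid, key_number)
        return prf_plus(self._k0, seed, 32)

    def app_prf(self, *inputs: bytes, length: int = 32) -> bytes:
        # Application derivation: tag, then length-prefix each input so
        # (b"ab", b"c") and (b"a", b"bc") produce different seeds.
        body = b"".join(struct.pack(">I", len(p)) + p for p in inputs)
        return prf_plus(self._k0, DOMAIN_APP + body, length)


if __name__ == "__main__":
    conn = Connection(b"\x11" * 32)  # constructed K0 for the demo
    clash = transport_seed(1, 2, 3)  # app input mimicking an internal seed
    print(conn.app_prf(clash) != conn.transport_key(1, 2, 3))
```

With this shape, a caller holding two nonces would pass them as the inputs to `app_prf` and receive key material without ever seeing K0.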