[OpenAFS-devel] Re: openafs - proposed cache security improvement

[Sean O'Malley]

On Mon, 26 Mar 2007, Jeffrey Altman wrote:

> Do you have AFS Servers running on the portables?  In this solution it
> is the server that is given a key, not the clients.

This is going to work backwards from most implementations?
We create a unique key on the clients, and they use that to do a kerberos
key style key exchange? but backwards because the client is considered
trusted and the server isn't? Are we protecting against spoofed clients or
spoofed servers? or just worried about eavesdropoping?

> If the clients have a key, then they can just use Kerberos.

If you use kerberos, it still isnt going to work with a detached network
is it? I thought the hostkey was still verified by the kerberos server
even though it is "trusted".

And the users passwords still had to be trusted by the authentication
server. How is this going to work on a client machine detached from the
network?

> If you are using Windows, you can encrypt your cache today.  Just mark
> the page file directory as encrypted.  The SYSTEM account key will be
> used to encrypt the file.

Im not really worried about an encrypted filesystem persay that has been
done for years and years with hundred of different algorithms.

I am concerned about multi-user machines, and stolen laptops with
sensitive data. You want users being able to use it detached from the
network but yet securely acrossed all platforms.

I don't know how to get around this one to be honest at some point the
security model breaks without 2nd party (at least) verification. Even a
key stored somewhere could be hacked by an admin user. I don't know maybe
my ideal of secure, is too secure to be implemented... I was just trying
to find a better way.. (and yes i do realize even security model breaks
down at some point.)


--------------------------------------
  Sean O'Malley, Information Technologist
  Michigan State University
-------------------------------------