[OpenAFS] packet sniffing and file content

Ted Anderson ota@transarc.com
Mon, 16 Jul 2001 23:09:43 -0400 (EDT) 

On 16 Jul 2001 01:22:26 -0400 Sam Hartman <hartmans@mekinok.com> wrote:
> Perhaps.  However from a security standpoint I'd rather be much more
> conservative and describe fcrypt as a weak cryptosystem not subjected
> to significant public analysis.

I'd agree if this was an issue of deploying a *new* crypto system.
However, in this case it is a matter of extending existing crypto to a
new, under-protected regime.

> Before your paper was released, I don't think that many people outside
> of the AFS community had taken a close look at fcrypt.

I agree.  Probably they still haven't.

> If we treat fcrypt as weak, the worst we will do is cause people to
> take extra security steps or potentially to deploy some solution other
> than AFS. ...  If someone deploys SFS or some other special purpose
> secure filesystem instead of AFS, citing fcrypt, then they have
> probably made the right decision for their environment.

I agree with this too.  However, in the present context the issue is not
whether to deploy AFS, but whether to extend fcrypt's protection to
transfer of ordinary user files.  Modulo the performance impact it is
hard to argue that this isn't a good thing.  Users (at least existing
AFS users) should not be discouraged from doing this due to FUD
regarding fcrypt.

On the question of deploying AFS due to security concerns with fcrypt, I
absolutely agree that we should pull no punches by overstating the
safety of fcrypt.  It is *not* good enough for some environments.

> I don't consider fcrypt adequate to protect kaserver incrementals but
> this is generally not an issue because I'd rarely recommend using
> kaserver in a new install.

But the use of fcrypt is not limited to the kaserver.  It is also used
by the ptserver, update (used to transfer key files between the SCM and
other fileservers), for communication between the fileserver and the
ptserver (for name to id mappings and to lookup group memberships), and
between admin utilites (pts, kas, & bos) and the corresponding servers.
If AFS servers are distributed across an unsecured network, there is
lots of opportunity for mischief perpetrated by an attacker with access
to a (hypothetical) high-speed fcrypt cracker.

Ted Anderson