[3538] in java-interest
Re: How java apps get krb tickets?
daemon@ATHENA.MIT.EDU (Marc Horowitz)
Wed Nov 15 21:02:00 1995
To: gwz@geek.ocsg.com
Cc: mrm@puffin.Eng.Sun.COM (Marianne Mueller),
java-kerberos@lists.stanford.edu, www-kerberos@lists.stanford.edu,
java-interest@java.Eng.Sun.COM
In-Reply-To: Your message of "Wed, 15 Nov 1995 13:30:27 PST."
<9511152130.AA20629@geek.ocsg.com.ocsg.com>
Date: Wed, 15 Nov 1995 16:58:55 EST
From: Marc Horowitz <marc@MIT.EDU>

You all seem to be overlooking an obvious solution to this problem.
Implement a set of native methods which are *installed by the user*
which do safe accesses to the credential cache. This class would
probably implement a reasonable subset of the Kerberos API, or even
better, the GSS API.

Then, implement a class on top of that which implements safe
operations based on Kerberos, implemented in Java, and also locally
installed, not downloaded. Make *only these methods* available to
applets. Acceptable methods here (to me, at least) would be

- instruct the browser to get a TGT if none was present (this would
  have to be via a "well-known" interface to prevent trojan initial
  ticket applets).

- get a service key for a service on an appropriate server host
  (probably the same host as the web server). Restrictions on what
  services are available are probably appropriate. This does
  potentially open up a covert channel in the service names, but if you
  want a covert channel, you can always encode whatever you want in
  HTTP. Examples of covert use would be whitespace, ordering, time
  delays, etc. You don't need to put the data in the clear. IMHO, the
  1.0 JDK precautions are overkill.

- Authenticate to a server.

- Perform certain authentic or confidential operations, such as
  encrypting valid HTTP requests, etc.

More specific operations could be added, locally, as more kerberized
applications become available. For instance, you could have a method
available to applets which would do a secure FTP transaction under
certain circumstances (to a configured set of servers, for instance).

By restricting these methods enough, it will be safe to make them
available to applets. As long as all access to sensitive data (the
TGT and other Kerberos tickets) were done in trustable, auditable,
locally-installed C code, this would not present a security risk.

Marc
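
The layering proposed in this message, sketched as an added example that is not code from the thread or from any project it mentions: a locally installed facade that hands untrusted code only an opaque context token for an allowlisted service on the page's own host. The class name, the allowlist contents and the example host are hypothetical, and the JGSS API (org.ietf.jgss), a later standard Java binding of the GSS API, stands in for the locally installed native layer.

```java
import java.util.Locale;
import java.util.Set;
import org.ietf.jgss.*;

// Added illustration (hypothetical class, not code from the thread): the only
// Kerberos entry point handed to untrusted code. It never returns tickets or keys.
public final class AppletKerberosGate {
    // Assumption: the service allowlist comes from local, user-controlled config.
    private static final Set<String> ALLOWED_SERVICES = Set.of("HTTP");
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    private final String originHost; // set by the browser, never by the applet

    public AppletKerberosGate(String originHost) {
        this.originHost = originHost.toLowerCase(Locale.ROOT);
    }

    // Policy check: a fixed service vocabulary and a fixed host, so the applet
    // cannot pick the target host or put free-form data in the service name.
    String targetFor(String service) {
        if (!ALLOWED_SERVICES.contains(service)) {
            throw new SecurityException("service not permitted: " + service);
        }
        return service + "@" + originHost;
    }

    // Returns an opaque initial context token for service@originHost. Credential
    // cache access stays inside the locally installed GSS provider.
    public byte[] initialToken(String service) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName peer = mgr.createName(targetFor(service), GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(peer, new Oid(KRB5_MECH_OID),
                null, GSSContext.DEFAULT_LIFETIME); // null = user's default credential
        try {
            ctx.requestCredDeleg(false); // never forward the TGT to the server
            return ctx.initSecContext(new byte[0], 0, 0);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) {
        AppletKerberosGate gate = new AppletKerberosGate("WWW.Example.ORG"); // constructed host
        System.out.println(gate.targetFor("HTTP")); // on the allowlist
        try {
            gate.targetFor("ftp-c2VjcmV0"); // constructed: data smuggled into a service name
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The main method exercises only the policy check, so it runs without a KDC; initialToken needs a working Kerberos configuration and an existing TGT.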