[omniORB] Security/Authentication

Hautesserres, Thomas thomas.hautesserres@managedstorage.fr
Fri Feb 28 08:16:00 2003


Hi Nathaniel,

You are totally right, thanks for pointing this weakness out.

We are actually developing the first release of our application, with
extremely short deadlines. We don't need a very high level of security, as:
- Our current application (which we are going to replace) doesn't even use
authentication at all.
- The application is going to run on private networks only (not internet).
- Our customers are not very concerned about security, and mostly wanted
some ways to customize what an operator will be able to see in a GUI (i.e.
remove configuration option or commands for simple operators).

Other reasons are that we didn't want to use sophisticated mechanisms like
interceptors, as we need to have clients and servers on a couple of
platforms and written in both C++ and Java. We already had some problems
with the support of wstrings, and did not want to play with our luck too
much.

So we have decided to use this simple mechanism. For the first version, we
won't even have the time to use a strong and unforgeable token generation
algorithm, but at least the infrastructure will be already in so we don't
have to break everything if we have to integrate a stronger security
mechanism.

But once again, you are right, there is a major weakness here. If necessary,
we should be able to counter it by generating our object keys ourselves,
shouldn't we?

Thomas

-------------- Original Message follows:

Date: Thu, 27 Feb 2003 12:45:29 -0800
From: Nathaniel Smith <njs@pobox.com>
To: "'omniorb-list@omniorb-support.com'" <omniorb-list@omniorb-support.com>
Subject: Re: [omniORB] Security/Authentication

This is essentially using CORBA as a capability system, a la EROS[1] and
E[2].  There's a big problem with this, though, which is that it
assumes that object references are unforgeable -- that if you have a
reference to an object, then you obtained it legitimately and are
authorized to make invocations on that object.  This is true for EROS,
where there's kernel support for object references, and for E, where
they use huge (128 bit?) object identities and take special care that
they'll be unguessable.  I don't think the object ids generated by
Omni are so unguessable, though, and I'm certain that some other
issues aren't ideal (for instance, a malicious client can make
unlimited guesses at an object id without penalty).  Maybe I'm wrong,
but I would be very dubious about my security if I was depending on
CORBA being a capability system.

[1] http://eros-os.org
[2] http://erights.org

-- Nathaniel
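An added illustration of the two points raised above (Nathaniel's guessable ids and unlimited guesses, Thomas's idea of generating the keys yourself); this is example code, not from the thread or from omniORB, and the 128-bit key size, the per-client guess budget and the table layout are assumptions:

```cpp
#include <cstdint>
#include <fstream>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

using ObjectKey = std::vector<uint8_t>;
static constexpr size_t kKeyBytes = 16;   // 128 bits, the size E uses (assumption)
static constexpr int kMaxFailures = 5;    // assumed per-client budget of wrong guesses

// Draw the key from the OS CSPRNG; a counter- or PID-derived key is guessable.
ObjectKey makeObjectKey() {
    ObjectKey key(kKeyBytes);
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom.read(reinterpret_cast<char*>(key.data()), kKeyBytes))
        throw std::runtime_error("CSPRNG unavailable");
    return key;
}

// Compare without early exit so timing does not reveal how many bytes matched.
bool constantTimeEqual(const ObjectKey& a, const ObjectKey& b) {
    if (a.size() != b.size()) return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < a.size(); ++i) diff |= a[i] ^ b[i];
    return diff == 0;
}

class CapabilityTable {
public:
    // Register a servant; the returned key is the only way to reach it.
    ObjectKey grant(const std::string& servant) {
        ObjectKey k = makeObjectKey();
        entries_.push_back({k, servant});
        return k;
    }
    // Resolve a key presented by `client`; "" means "no such object".
    // Every failed lookup counts against the client; after kMaxFailures
    // even a correct key is refused, so guessing is no longer free.
    std::string resolve(const std::string& client, const ObjectKey& key) {
        if (failures_[client] >= kMaxFailures) return "";
        const std::string* found = nullptr;
        for (const auto& e : entries_)            // scan all entries, no early exit
            if (constantTimeEqual(e.first, key)) found = &e.second;
        if (!found) { ++failures_[client]; return ""; }
        return *found;
    }
private:
    std::vector<std::pair<ObjectKey, std::string>> entries_;
    std::map<std::string, int> failures_;
};
```

In a real deployment the failure counter would be keyed on something the server can attribute (connection, address, or authenticated caller) and would reset over time; here it is a plain in-memory map.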