Network Security Manual <4>

Article Title: Network Security Manual 4. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
3) Remote Procedure Call (RPC) Authentication
RPC is the core of network security. To understand this, you must understand how the authentication mechanism works in RPC. the RPC authentication mechanism is open-ended, that is, all kinds of authentication systems can be inserted and coexist with it. currently, sun OS has two identification systems: UNIX and DES. The former is old and has weak functions. the latter is the new system to be introduced in this section. there are two important words for the RPC authentication mechanism: credentials and verify ). this is like an ID card. A certificate identifies a person's name, address, and date of birth, and a checker is a photo of the ID card. This photo can be used to check the holder. this is also true in the RPC mechanism: the client process sends the certificate and Checker information during RPC requests. when the server receives the message, it only returns the checker information, because the customer knows the service certificate.
　　
　　
　　
(4) UNIX authentication mechanism
In the early days of SUN, various network services were built on the UNIX authentication mechanism. The certificate part contains the site name, user number, group number, and same group access sequence, while the checker is blank. this system has two problems: first, the most prominent problem is that the checker is empty, which makes it very easy to forge a certificate. if all the system administrators on the network are trustworthy, there will be no problems. however, in many networks (especially in universities), this is not safe. NFS uses the INTERNET address of the workstation that sends the mount request as the checklist of the hostname domain to make up for the deficiency of the UNIX authentication system and make it only accept requests from the privileged INTERNET port. however, it is still not enough to ensure system security because NFS still cannot identify the user ID.
Another problem is that UNIX authentication systems are only applicable to UNIX systems, but it is unrealistic to use UNIX systems on all the websites in a network. because NFS can run on machines in MS-DOS and VMS systems, UNIX authentication systems cannot run in these operating systems, for example, MS-DOS systems do not even have the concept of user numbers.
From this we can see that there should be such a identification system: it has a certificate independent of the operating system and uses a checker. This is like the DES authentication system.
(5) DES Authentication System
The security of the DES authentication system is based on the sender's encoding capability for the current time, which enables the receiver to decode and verify against its own clock. the clock tag also uses DES encoding. there are two things necessary for such a mechanism to work:
The sender and receiver must agree on the current time.
. The sender and receiver must use the same encoding keyword.
If the network has a time synchronization mechanism, the time synchronization between client servers will be performed by themselves. if there is no such mechanism, the time mark will be calculated based on the server time. in order to calculate the time, the client must ask the server for the time before starting the RPC call, and then calculate the time difference between itself and the server. When calculating the time mark, this difference will correct the customer's clock. once the client and the server clock are not synchronized, the server begins to reject the client requests, and the DES authentication system will synchronize their time.
How do customers and servers obtain the same encoding keyword? When a customer wants to talk to the server, it generates a random keyword to encode the time tag. This keyword is called the session keyword CK, and the customer encodes the CK in the public keyword mode, and sent to the server during the first session. this CK is the only keyword that uses the public keyword encoding. in this case, only the customer and the server know their DES keywords. This keyword is called a common keyword.
During the first request, the customer's certificate includes three items: name, session keyword encoded with a common keyword, and the time window encoded with the session keyword. the time window tells the server: many certificates will be sent to you soon; someone may use a fake time mark to impersonate a new session and send the certificate to you. when you receive the time mark, check whether your current time is between the time mark and the time mark plus the time window. If not, reject it.
To create a secure NFS file, the default window value is 30 minutes. when sending the first request, the customer's checker contains the encoded time mark and the special time window (WIN + 1) encoding checker. the reason for this is: if someone wants to write a program and fill in some arbitrary binary values in the certificate and Checker encoding fields, the server decodes the CK into the DES keyword, it is used to decode the time window and time mark, and finally generate a random value. after thousands of efforts, these random time window/time mark pairs can pass the identification system, because at this time the window Checker will make it more difficult to guess the correct certificate, to improve security.
After the customer is identified, the server will store four values in the Certificate Table: customer name A, session keyword CK, time window, time mark. the first three items are retained on the server for future use. the purpose of the retained time mark is to prevent re-execution. The server only receives the time Mark later than the previous time mark. the server will include a sequence number ID and a negative time mark (this mark is CK-encoded) returned to the customer ). the client knows that only the server can return such a checker, because only the server knows the time mark.
The first session process is very complicated and will be much easier in the future. Each time the customer sends its ID and the encoded time mark to the server, the server returns the encoded time mark.