[jboss-dev-forums] [PicketBox Development] - Challenge/Response enabled Authentication Framework

Anil Saldhana do-not-reply at jboss.com
Mon Jul 23 10:21:30 EDT 2012


Anil Saldhana [https://community.jboss.org/people/anil.saldhana] created the discussion

"Challenge/Response enabled Authentication Framework"

To view the discussion, visit: https://community.jboss.org/message/749605#749605

--------------------------------------------------------------
Wondering if SASL is the perfect candidate for a challenge/response enabled authentication framework with multiple authentication mechanism support.

Wikipedia entry on SASL: http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer

Apart from a challenge/response framework, it has support for the following protocols.
A SASL mechanism implements a series of challenges and responses. Defined SASL mechanisms [1] include:
* "EXTERNAL", where authentication is implicit in the context (e.g., for protocols already using IPsec or TLS)
* "ANONYMOUS", for unauthenticated guest access
* "PLAIN", a simple cleartext password mechanism. PLAIN obsoleted the LOGIN mechanism.
* "OTP", a one-time password mechanism. OTP obsoleted the SKEY mechanism.
* "SKEY", an S/KEY mechanism.
* "CRAM-MD5", a simple challenge-response scheme based on HMAC-MD5.
* "DIGEST-MD5", HTTP Digest compatible challenge-response scheme based upon MD5. DIGEST-MD5 offers a data security layer.
* "SCRAM", modern challenge-response scheme based mechanism with channel binding support
* "NTLM", an NT LAN Manager authentication mechanism
* "GSSAPI", for Kerberos V5 authentication via the GSSAPI. GSSAPI offers a data-security layer.
* GateKeeper (& GateKeeperPassport), a challenge-response mechanism developed by Microsoft for MSN Chat
The GS2 family of mechanisms supports arbitrary GSS-API mechanisms in SASL. [2] It is now standardized as RFC 5801 (http://tools.ietf.org/html/rfc5801).


I consulted Darran about this and here are his thoughts.



(09:09:34 AM) anilsaldhana: darran: regarding a challenge/response based authentication framework, do u think sasl is sufficient?
(09:10:34 AM) anilsaldhana: darran: given that it has many possible protocols including silent
(09:11:50 AM) darran: asaldhan, from a non-HTTP perspective my feeling is yes, some of the Java provided APIs are not as easy / safe as they should be but the actual process at the transport level is good, we could optimise to do more concurrently but that's about it really 
darran dehort 
(09:13:07 AM) anilsaldhana: darran: right. I was asking mainly from non-http perspective.
(09:13:19 AM) anilsaldhana: darran: thanks for the guidance.
(09:13:53 AM) darran: a couple of API examples are CallbackHandler issues related to not clearly advertising what is supported or what is needed regarding callbacks, from a mechanism perspective there is also a lack of 'lifecycle' say to confirm success or failure of an auth process but all of these could be addressed without affecting the underlying use of SASL
(09:14:42 AM) anilsaldhana: darran: of course.

PicketBox Core can natively support SASL. We will include darran's jboss-sasl project.
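The kind of exchange the post has in mind, written out against the JDK's own javax.security.sasl API. This is an added example, not PicketBox or jboss-sasl code: a CRAM-MD5 server and client run in-process, each with the CallbackHandler the mechanism needs, and the challenge/response pair is passed between them by hand exactly as a transport would carry it. The user store, the host name mail.example.test and the "imap" protocol name are constructed for the example; it assumes the default SunSASL provider that ships with a Java 8 or later JDK.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import java.util.HashMap;
import java.util.Map;

public class CramMd5Exchange {

    // Constructed sample credential store (hypothetical); a real server would look passwords up elsewhere.
    private static final Map<String, char[]> USERS = new HashMap<>();
    static { USERS.put("alice", "correct horse".toCharArray()); }

    // Client side: the mechanism asks for name and password through callbacks.
    // For CRAM-MD5 the SunSASL client does this when the SaslClient is created, not per challenge.
    static CallbackHandler clientHandler(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Nothing advertises in advance which callbacks a mechanism will send.
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Server side: the mechanism hands over the claimed name and expects the stored password back
    // so it can recompute HMAC-MD5 itself; once the MAC matches it asks whether the authenticated
    // identity may act as the requested authorization identity.
    static CallbackHandler serverHandler() {
        return callbacks -> {
            String claimed = null;
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    claimed = ((NameCallback) cb).getDefaultName(); // relies on NameCallback arriving before PasswordCallback
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(USERS.get(claimed)); // null for an unknown user; the mechanism rejects it
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    // Drives one CRAM-MD5 exchange in memory. Returns the authorized identity, or null when the
    // mechanism rejects the client (wrong password, unknown user, or authorization refused).
    static String authenticate(String user, char[] password) throws SaslException {
        SaslServer server = Sasl.createSaslServer("CRAM-MD5", "imap", "mail.example.test", null, serverHandler());
        SaslClient client = Sasl.createSaslClient(new String[] {"CRAM-MD5"}, null, "imap",
                "mail.example.test", null, clientHandler(user, password));
        if (server == null || client == null) {
            throw new SaslException("no CRAM-MD5 provider installed");
        }
        try {
            // CRAM-MD5 is server-first: an empty response makes the server emit its "<nonce.timestamp@host>" challenge.
            byte[] challenge = server.evaluateResponse(new byte[0]);
            // The client answers "user hex(HMAC-MD5(password, challenge))"; the password itself never leaves the client.
            byte[] response = client.evaluateChallenge(challenge);
            // The server recomputes the MAC from its own copy of the password. A mismatch surfaces as a
            // SaslException rather than as a state on the object, which is the "lifecycle" gap Darran describes.
            server.evaluateResponse(response);
            return server.isComplete() ? server.getAuthorizationID() : null;
        } catch (SaslException rejected) {
            return null;
        } finally {
            client.dispose();
            server.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("alice, right password -> " + authenticate("alice", "correct horse".toCharArray()));
        System.out.println("alice, wrong password -> " + authenticate("alice", "wrong".toCharArray()));
        System.out.println("unknown user          -> " + authenticate("mallory", "x".toCharArray()));
    }
}
```

Both handlers have to guess which Callback subclasses will arrive and in what order (the server handler above silently depends on NameCallback preceding PasswordCallback), and the only signal that a mechanism failed is the exception thrown from evaluateResponse. Those are exactly the two API rough edges raised in the chat, and both sit above the wire exchange, so a framework can smooth them over without changing the challenge/response bytes SASL puts on the transport.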
--------------------------------------------------------------
