[jboss-jira] [JBoss JIRA] (JGRP-1883) Extend SASL protocol to handle Quality of Protection
Richard Achmatowicz (JIRA)
issues at jboss.org
Thu Sep 18 12:27:02 EDT 2014
[ https://issues.jboss.org/browse/JGRP-1883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13004014#comment-13004014 ]
Richard Achmatowicz commented on JGRP-1883:
-------------------------------------------
In other words, incorporate ENCRYPT functionality into SASL, so that encryption is negotiated after authentication. It would accept the SASL Quality of Protection (QoP) configuration parameters. Users may opt to use this alone instead of using both AUTH and ENCRYPT.
The new protocol would need to:
- authenticate as before, but this time, check that there is agreement on any specified QoP
- once authentication is completed, enforce the QoP, which will involve either integrity checking (hash) or encryption
- the SASL QoP specification would align with the standard:
    javax.security.sasl.qop: {auth, auth-int, auth-conf}
    javax.security.sasl.strength: {low, medium, high}
    javax.security.sasl.maxbuffer: integer // client receive buffer size
    javax.security.sasl.server.authentication: {true, false} // mutual authentication
- we could provide additional configuration of which ciphers and key sizes are used and provide good defaults for these, so that they do not need to be specified
This functionality would allow authentication / encryption in the AS to be standardized on SASL, where it is already in place for Remoting and soon for ModCluster.
> Extend SASL protocol to handle Quality of Protection
> -----------------------------------------------------
>
> Key: JGRP-1883
> URL: https://issues.jboss.org/browse/JGRP-1883
> Project: JGroups
> Issue Type: Feature Request
> Affects Versions: 3.5
> Reporter: Richard Achmatowicz
> Assignee: Bela Ban
>
> SASL implementations generally provide authentication and encryption services to communication protocols.
> At present, the JGroups SASL protocol layer handles only authentication of a client joining a group; it does not support encryption of messages (unicast and multicast) passing through the SASL layer. This is presently handled by the separate ENCRYPT layer.
> It would be nice to provide an integrated and complete solution for authentication and encryption for JGroups based on SASL. This could be achieved by adding functionality from ENCRYPT to the SASL layer.
--
This message was sent by Atlassian JIRA
(v6.3.1#6329)
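
The negotiate-then-enforce sequence the comment describes, as an added example that is not part of the original message or of the JGroups code base: it uses the JDK's standard javax.security.sasl API with DIGEST-MD5, chosen here only because it ships with the JDK and supports all three QoP values. The user name, password, protocol name "jgroups" and host "localhost" are constructed for the demo.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class SaslQopDemo {
    public static void main(String[] args) throws Exception {
        // The four standard properties listed in the comment, set via the Sasl constants.
        Map<String, String> props = new HashMap<>();
        props.put(Sasl.QOP, "auth-conf");     // javax.security.sasl.qop
        props.put(Sasl.STRENGTH, "high");     // javax.security.sasl.strength
        props.put(Sasl.MAX_BUFFER, "65536");  // javax.security.sasl.maxbuffer
        props.put(Sasl.SERVER_AUTH, "true");  // javax.security.sasl.server.authentication
        // Constructed credentials; one handler serves both sides of this in-process demo.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName("node1");
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("constructed-secret".toCharArray());
                } else if (cb instanceof RealmCallback) {
                    RealmCallback rc = (RealmCallback) cb;
                    rc.setText(rc.getDefaultText());
                } else if (cb instanceof AuthorizeCallback) {
                    AuthorizeCallback ac = (AuthorizeCallback) cb;
                    ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                }
            }
        };
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "jgroups", "localhost", props, handler);
        SaslClient client = Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, null, "jgroups", "localhost", props, handler);
        // Authentication exchange: server challenge, client response, server rspauth.
        byte[] token = server.evaluateResponse(new byte[0]);
        while (!client.isComplete()) {
            token = client.evaluateChallenge(token);
            if (!server.isComplete()) token = server.evaluateResponse(token);
        }
        // Agreement check: refuse to continue unless both sides settled on the required QoP.
        String cq = (String) client.getNegotiatedProperty(Sasl.QOP);
        String sq = (String) server.getNegotiatedProperty(Sasl.QOP);
        if (!"auth-conf".equals(cq) || !"auth-conf".equals(sq)) throw new SaslException("QoP mismatch: " + cq + "/" + sq);
        // Enforcement: after authentication every payload goes through wrap()/unwrap().
        byte[] plain = "cluster message".getBytes(StandardCharsets.UTF_8);
        byte[] wire = client.wrap(plain, 0, plain.length);
        byte[] back = server.unwrap(wire, 0, wire.length);
        System.out.println(cq + ": " + new String(back, StandardCharsets.UTF_8));
    }
}
```

With `auth-int` in place of `auth-conf`, the same wrap()/unwrap() calls add only an integrity check and leave the payload readable on the wire.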