[ZODB-Dev] ZEO and Security

Michel Pelletier michel@digicool.com
Mon, 7 May 2001 15:43:18 -0700 (PDT)


On Mon, 7 May 2001, Jeremy Hylton wrote:

> The protocol for connecting isn't really the issue.  We could probably
> get TLS/SSL with client-side certificates hooked up without too much
> trouble (except for the clients that need the certificates <0.5 wink>
> .)  But what happens then?  The authentication problem isn't that
> hard, but the authorization is.  The security system would need to
> provide mechanism for specifying who has access to what, e.g. client X
> can load object 12.

Tackling the authentication problem seems pretty easy, as you point
out.

This may show off my lack of security experience, but I think that
something simple like this could be cooked up with amkCrypto:

  Client maintains a list of servers and their public keys that it can
  connect to.

  Server maintains list of clients and their public keys that can
  connect to it.

    1. Client connects to server

    2. Server looks for public key of connecting client, if not found,
       access is denied.

    3. Server issues encrypted challenge to client consisting of random
       number.  Challenge is encrypted with the client's public key.

    4. Client decrypts challenge with private key.  Encrypts response
       with server public key and returns to server.

    5. Server decrypts response with private key, compares to
       challenge.  If not equal, access is denied.

Access is 'granted' by both the storage and client administrators agreeing
to store each other's public keys.

I'm sure other people have put much more thought into a similar protocol
than I, but it seems like it could be fairly easy to implement
SecureStorageServer and SecureClientStorage modules that implement this
protocol in ClientStorage.notifyConnected and
StorageServer.handle_connect.  Further enhancement could encrypt the
traffic itself.

-Michel
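The five-step exchange sketched in the message above, run end to end with both sides' messages. This is an added illustration, not code from the ZODB/ZEO project or from the author: the `ToyStorageServer`/`ToyClientStorage` classes, the names "zope1" and "storage", and the `rsa_*` helpers are all made up here. The helpers are textbook RSA on 128-bit toy keys with no padding, standing in for the amkCrypto primitives so the block runs on a bare Python install; they are not safe for real use. Besides the happy path it exercises the two denial points in the sketch (step 2, unknown client key; step 5, response does not match), plus an impostor who knows a registered client's name but holds a different private key.

```python
# Added illustration only (not ZEO code): textbook RSA on small keys, no padding,
# so NOT safe for real use; it shows the message flow and both denial paths.
import secrets

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test (enough for a toy key)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=128):
    """Return ((n, e), (n, d)); a 128-bit modulus is a toy size chosen for speed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def rsa_encrypt(pub, m):
    return pow(m, pub[1], pub[0])
def rsa_decrypt(priv, c):
    return pow(c, priv[1], priv[0])

class ToyStorageServer:
    """Server side of the sketch: holds the public keys of clients allowed to connect."""
    def __init__(self, keypair, allowed_clients):
        self.pub, self._priv = keypair
        self.allowed = dict(allowed_clients)  # client name -> client public key
        self._pending = {}                    # client name -> outstanding challenge

    def handle_connect(self, client_name):
        """Steps 2-3: None means denied (unknown key); else a challenge encrypted to the client."""
        client_pub = self.allowed.get(client_name)
        if client_pub is None:
            return None
        challenge = secrets.randbelow(client_pub[0] - 2) + 2  # fresh nonce per connection, < n
        self._pending[client_name] = challenge
        return rsa_encrypt(client_pub, challenge)

    def handle_response(self, client_name, encrypted_response):
        """Step 5: decrypt with the server's private key and compare with the challenge."""
        challenge = self._pending.pop(client_name, None)
        return challenge is not None and rsa_decrypt(self._priv, encrypted_response) == challenge

class ToyClientStorage:
    """Client side of the sketch: holds the public keys of servers it will talk to."""
    def __init__(self, name, keypair, known_servers):
        self.name = name
        self.pub, self._priv = keypair
        self.servers = dict(known_servers)  # server name -> server public key

    def answer(self, server_name, encrypted_challenge):
        """Step 4: decrypt with own private key, re-encrypt the result for the server."""
        server_pub = self.servers.get(server_name)
        if server_pub is None:
            return None  # client refuses: server not on its list
        return rsa_encrypt(server_pub, rsa_decrypt(self._priv, encrypted_challenge))

def run_handshake(client, server, server_name="storage"):
    """Drive steps 1-5 between one client and one server and report the outcome."""
    enc_challenge = server.handle_connect(client.name)
    if enc_challenge is None:
        return "denied: unknown client"
    response = client.answer(server_name, enc_challenge)
    if response is None:
        return "aborted: client does not trust server"
    return "granted" if server.handle_response(client.name, response) else "denied: bad response"

def demo():
    """Registered client, unknown client, impostor with a registered name but its own key, untrusted server."""
    server_keys, client_keys = rsa_keygen(), rsa_keygen()
    server = ToyStorageServer(server_keys, {"zope1": client_keys[0]})
    known = {"storage": server_keys[0]}
    return {
        "registered": run_handshake(ToyClientStorage("zope1", client_keys, known), server),
        "unknown": run_handshake(ToyClientStorage("stranger", rsa_keygen(), known), server),
        "impostor": run_handshake(ToyClientStorage("zope1", rsa_keygen(), known), server),
        "untrusted_server": run_handshake(ToyClientStorage("zope1", client_keys, {}), server),
    }
```

Calling `demo()` returns the four outcomes; the impostor fails at step 5 because it cannot recover the challenge from a ciphertext made for the real client's key. Two things a practitioner would keep in mind when turning the sketch into real code: the challenge must be a fresh random value for every connection (a reused challenge lets a captured response be replayed), and as written the exchange only proves the client's identity to the server; the client learns nothing about who it is talking to, so mutual authentication needs the same challenge run in the other direction as well.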