Security Vulnerabilities in RPC (csci5931) by Shaheen Pattan
RPC Security (1)
Distributed applications may require a number of security measures, including:
- Authentication
- Authorization (access control)
- Data integrity
- Data privacy
DCE Security provides a high level of security
RPC is integrated with DCE Security
[Figure: client and server, each with an RPC runtime and an authentication runtime; the server holds objects Obj1, Obj2, Obj3]
- Clients request services via authenticated RPC
- RPCs can use checksums for data integrity and encryption for data privacy
- Servers make access decisions using Access Control Lists attached to objects
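The flow on this slide (authenticated request, checksum for integrity, ACL attached to the target object) as a small model. This is an added example, not code from the slides or from DCE: the request layout, the function names and the sample keys and ACLs are constructed for illustration, and HMAC-SHA256 stands in for the keyed checksum.

```python
import hashlib
import hmac
import json

# Constructed sample data: session keys the authentication runtime would have
# established per principal, and the ACL attached to each server object.
SESSION_KEYS = {"alice": b"k-alice-demo", "bob": b"k-bob-demo"}
OBJECT_ACLS = {
    "Obj1": {"alice": {"read", "write"}, "bob": {"read"}},
    "Obj2": {"alice": {"read"}},
    "Obj3": {},
}


def _encode(principal, obj, op, args):
    # Canonical byte encoding so client and server checksum the same bytes.
    return json.dumps([principal, obj, op, args], separators=(",", ":")).encode()


def make_request(principal, key, obj, op, args):
    """Client side: attach a keyed checksum covering every request field."""
    tag = hmac.new(key, _encode(principal, obj, op, args), hashlib.sha256).hexdigest()
    return {"principal": principal, "obj": obj, "op": op, "args": args, "tag": tag}


def dispatch(req):
    """Server side: authenticate, check integrity, then consult the object's ACL."""
    key = SESSION_KEYS.get(req.get("principal"))
    if key is None:
        return "DENY: unknown principal"
    body = _encode(req["principal"], req.get("obj"), req.get("op"), req.get("args"))
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison; a mismatch means tampering or the wrong key.
    if not hmac.compare_digest(expected, str(req.get("tag", "")).encode()):
        return "DENY: bad checksum"
    # Authorization runs only after the caller's identity has been verified.
    allowed = OBJECT_ACLS.get(req["obj"], {}).get(req["principal"], set())
    if req["op"] not in allowed:
        return "DENY: not authorized"
    return "OK: %s on %s" % (req["op"], req["obj"])


if __name__ == "__main__":
    ok = make_request("bob", SESSION_KEYS["bob"], "Obj1", "read", [])
    print(dispatch(ok))
    tampered = dict(ok, op="write")  # modified in transit, tag no longer matches
    print(dispatch(tampered))
```

The tag covers integrity only. Data privacy needs encryption on top, and replay protection needs a nonce or sequence number inside the checksummed fields.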
- Sun RPC: secure RPC services for authentication (man secure_rpc) with four options
- Kerberos v5: authentication, per-session key generation
- SSLeay: free library functions implementing SSLv3, for authentication and encryption
- Proposed standard: Generic Security Services Application Program Interface version 2 (GSS-API v.2) (RFC 2078)
More slides yet to be added!