Apps Messaging: security

Mark Taylor m.b.taylor at bristol.ac.uk
Tue Apr 10 04:59:02 PDT 2007


On Fri, 6 Apr 2007, John Taylor wrote:

> Security
> ------------
> The question of applications spoofing one another has come up a few times.
> While I don't really believe it's a serious risk (those astronomers -
> they're such jokers!), I set out below a simple modification to the above
> protocol that would make it more secure.  This is  based on proposals by
> Mark Taylor in discussions we had a year ago - if they don't make any sense
> then blame my faulty memory rather than Mark.
>
> The register operation could be changed as follows:
> (id, application-secret) = register*(hub-secret)
>
> The hub-secret is a secret that can only be easily known by applications
> running under the user's uid and is intended to defeat other users on the
> same machine who might try (e.g.) port scanning.  For instance, it could be
> a random string written into the .ivoamsg file.  The application-secret is a
> per-application secret that apps must keep track of and use along with their
> id to identify themselves.  Thus, operations 2-8 would all include this as
> an extra parameter (though it wouldn't be transmitted to any receiving
> application by the hub.)  This prevents Topcat pretending to be Aladin and
> vice versa (you guys!).

John,

I think this is what I proposed before, but if we're starting from
scratch it can be a bit simpler: the register message is

    secret-id = register*(hub-secret)

and the returned secret-id is used, as per your existing method 
signatures, as sender identification for every communication between 
the application and the hub, e.g.

    unregister(secret-id)

this application secret-id is never seen by any other application 
though.  The hub will maintain a separate and parallel list of ids
which serve as public identifiers for each application to use for
instance as return values for the getApplicationIds() method.

Mark

-- 
Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-928-8776 http://www.star.bris.ac.uk/~mbt/



More information about the apps mailing list