[kudu-CR](branch-1.3.x) [security] Add per-connection nonce for Kerberos replay resistance

Thu, 02 Mar 2017 13:12:06 -0800 

Todd Lipcon has uploaded a new change for review.

  http://gerrit.cloudera.org:8080/6229

Change subject: [security] Add per-connection nonce for Kerberos replay 
resistance
......................................................................

[security] Add per-connection nonce for Kerberos replay resistance

Kerberos is susceptible to replay attacks, which it attempts to mitigate
by using a server-side replay cache. The cache is not 100% effective,
and is extremely slow. This commit introduces an effective and efficient
method of mitigating replay attacks by using a server-generated nonce
which the client must send back to the server, wrapped in SASL integrity
protection. This will allow Kudu to disable the replay cache without
negatively affecting security.

No tests are provided, but the codepath is well covered by existing
Kerberos negotiation tests. I intend to write simulated mitm tests to
check this and the channel binding protections soon.

Change-Id: If0fb433896963be5e81d349ebf3a044a458e6627
Reviewed-on: http://gerrit.cloudera.org:8080/6137
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <aser...@cloudera.com>
Reviewed-by: Todd Lipcon <t...@apache.org>
(cherry picked from commit ef6e5b58b1ac1425202aaa16dd32bb447f60d814)
---
M docs/design-docs/rpc.md
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/client_negotiation.h
M src/kudu/rpc/negotiation-test.cc
M src/kudu/rpc/rpc_header.proto
M src/kudu/rpc/sasl_common.cc
M src/kudu/rpc/sasl_common.h
M src/kudu/rpc/server_negotiation.cc
M src/kudu/rpc/server_negotiation.h
M src/kudu/security/crypto-test.cc
M src/kudu/security/crypto.cc
M src/kudu/security/crypto.h
13 files changed, 254 insertions(+), 106 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/29/6229/1
-- 
To view, visit http://gerrit.cloudera.org:8080/6229
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: If0fb433896963be5e81d349ebf3a044a458e6627
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: branch-1.3.x
Gerrit-Owner: Todd Lipcon <t...@apache.org>
Gerrit-Reviewer: Dan Burkert <danburk...@apache.org>

Reply via email to