Hallvard B Furuseth wrote:

> Thierry Moreau writes:
>
>> I know that some protocol-side (challenge-response type) require
>> in-memory access to plain text passwords, which cannot be recovered
>> from hashed or salted hashed representations.
>
> I'm not quite sure what you mean here... To bind with a password, the
> client needs to learn the password.  How it stores it, and any key
> management on the client side, is not an LDAP matter.

I mean a server-side requirement to handle plain text passwords, this requirement being induced by the design of a challenge-response protocol, i.e. the SASL DIGEST-MD5 mechanism.

> OpenLDAP doesn't offer anything advanced in that regard that I know of,
> though if there is some key management software, it would be interesting
> to add support for it.

I guess hardware-assisted key management would be a requirement, from a security auditor's perspective.

> What other LDAP implementations do I don't know.

IBM Tivoli has a software-only solution, requiring a master key in a "key stash file". Sun ONE Directory Server has some LDAP attribute encryption scheme based on symmetric key derivation from the TLS private key, with cumbersome configuration; they discourage its use when userPasswords are hashed.

> (Some challenge-response methods or implementations of them apparently
> do need the server to store the password, others fortunately do not.)
>
> One exception, sort of, is if you send a TLS client certificate and use
> the LDAP Bind method SASL/EXTERNAL to bind with the current client
> certificate.  Then you can use OpenSSL's key management for that
> certificate.

Indeed. However, the attractiveness of SASL DIGEST-MD5 is easier deployment on the client/end-user side, i.e. no need to carry a private key when the end-user moves from one computer to another.

Regards,


--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
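The server-side constraint discussed in this thread, shown as an added example (not code from the thread or from any product named in it): the RFC 2831 DIGEST-MD5 response can be verified from the plaintext password or from the password-equivalent H(A1), but not from a salted {SSHA} userPassword hash, which is enough only for simple bind. The user, realm, nonces, salt and the {PWEQUIV} storage label are constructed for the example.

```python
import base64
import hashlib
import hmac

# RFC 2831 DIGEST-MD5 arithmetic for qop=auth with no authzid (added example).

def password_equivalent(username: str, realm: str, password: str) -> bytes:
    """Inner H(A1) term of RFC 2831: raw MD5(username:realm:password).
    Whoever holds this can answer any challenge for the user, so it is as
    sensitive as the plaintext password and needs the same key management."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def digest_response(pw_equiv: bytes, nonce: str, cnonce: str, nc: str,
                    qop: str, digest_uri: str) -> str:
    """Client-side 'response' value. The server needs pw_equiv to recompute it."""
    ha1 = hashlib.md5(pw_equiv + f":{nonce}:{cnonce}".encode()).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()

def ssha_store(password: str, salt: bytes) -> str:
    """userPassword in the common {SSHA} form: base64(SHA1(password||salt) || salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_simple_bind(stored: str, password: str) -> bool:
    """Simple bind delivers the plaintext to the server, so a salted hash suffices."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def verify_digest_md5(stored: str, response: str, nonce: str, cnonce: str,
                      nc: str, qop: str, digest_uri: str):
    """Server-side check. Returns True/False when the stored verifier is a
    password-equivalent ({PWEQUIV} is a constructed label for hex H(A1));
    returns None for {SSHA}, because a salted hash cannot be turned back
    into H(A1): the server must keep the password or its equivalent."""
    if stored.startswith("{SSHA}"):
        return None
    if stored.startswith("{PWEQUIV}"):
        pw_equiv = bytes.fromhex(stored[len("{PWEQUIV}"):])
        expected = digest_response(pw_equiv, nonce, cnonce, nc, qop, digest_uri)
        return hmac.compare_digest(expected, response)
    raise ValueError("unsupported userPassword scheme")
```

The stored H(A1) is not a hash in the defensive sense: anyone who reads it can authenticate as the user, which is why the key-stash and hardware key-management questions above arise at all.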


---
You are currently subscribed to ldap@umich.edu as: [EMAIL PROTECTED]
To unsubscribe send email to [EMAIL PROTECTED] with the word UNSUBSCRIBE as the 
SUBJECT of the message.