Authentication and encryption in Squeak
Rob Withers
rwithers12 at comcast.net
Mon Feb 9 05:45:26 UTC 2004
On Thursday, February 5, 2004, at 08:19 AM, Jack Keel wrote:
> What is the status of Squeak-E? Seemed to have some security in its
> implementation. I'd be interested in knowing how many hours of
> thought and development went into it.
>
Squeak-E is an imaginary number at the moment, but SqueakElib is
inching forward when I dedicate the cycles. SqueakElib is the
infrastructure for providing distributed secure capabilities. Squeak-E
may be a broader project to provide scoped security within an image and
between images. This involves stacks, compilers, and environments in
some creative ways, I think, but I haven't looked to closely at it.
SqueakElib is about 85% done, minus some problems integrating it into
the squeak image. The communications layer, while not complete, is
definitely usable.
There are 2 main layers in SqueakElib: VatTp and CapTP. The top layer
is the CapTP layer which implements a capabilities model and the remote
objects and pipelined msgs sent to these objects. It also has the
Garbage Collector. This is the researchy layer. The lower layer is
the VatTP layer and this is what builds secure connections, between
Vats. It implements both the client and server for this. That is why
I think we could implement sshd. It's 3DES with mutating IV sequences
(I think that is what they are called) and msg agglomeration. 3DES are
keyed from a DSA based Diffie-Hellman key exchange, with authorization
(identity) and authentication (digital signature). Interestingly, it
does this without a 3rd-party Certificate Authority. When you connect
to a Vat, you have to have it's VatID, which is an unguessable number.
In other words, you have to have a capability to a machine to connect
to it.
If you don't want to implement ssh, which would be pretty interesting I
think, then you could lop off the CapTP layer and just use the VatTP
layer. We'll have to talk about host identity and object identity and
the keys you need. It does build a 3DES connection after using a DSA
certificate based key exchange, along with other techniques that need
close review. There are some missing aspects to this layer (part of
the 85%) such as no suspend/reconnect and the ping-pong process doesn't
suspend quiet connections.
That will give you the connections and you would have to implement your
own remote object system.
If you want to try to use the CapTP layer, then it does do remote
objects, but it is difficult to see how it can be integrated into the
squeak environment. Async msg sending, promises and primitives don't
seem to play well together. You might be able to modify the CapTP
layer to use synchronous sending and avoid promises, but still use the
object tables, maps, and garbage collector.
let me know if I can answer any questions you may have,
Rob
More information about the Squeak-dev
mailing list
|