Security & Authentication: SSL vs SASL - encryption

My understanding is that SSL combines an encryption algorithm (like AES, DES, etc.) with a key exchange method (like Diffie-Hellman) to provide secure encryption and identification services between two endpoints on an un-secure network (like the Internet).
My understanding is that SASL is an MD5/Kerberos protocol that pretty much does the same thing.
So my question: what are the pros/cons to choosing both and what scenarios make either more preferable? Basically, I'm looking for some guidelines to follow when choosing SSL or to go with SASL instead.

It's quite difficult to compare SSL/TLS and SASL, because SSL/TLS is a communication protocol, whereas SASL is a framework, integrated with other protocols. (In fact, you can use both at the same time in some circumstances.)
In addition, you're mentioning Kerberos, which is indeed an authentication protocol (which can be used with SSL/TLS or SASL or independently both). Your question seems to suggest that whether or not to use Kerberos one of the main sub-problems you should choose first.
SASL is essentially an indirection layer to allow for pluggable authentication systems and data security in existing application protocols (e.g LDAP, SMTP, Subversion, ...), although these protocols need to be aware of this extension (e.g. SMTP auth). Whether and how it provides secure authentication and data encryption depend heavily on what underlying mechanism is used within this framework. Here is an example from the svnserve documentation: "The built-in CRAM-MD5 mechanism doesn't support encryption, but DIGEST-MD5 does".
If you want to use Kerberos with SASL, you will need another level of indirection: GSS-API (which is most commonly used with Kerberos, but can also allow for other mechanisms). (Note that GSSAPI in the context of SASL seems to imply Kerberos anyway, unlike its GS2 successor.)
The general goal of SSL/TLS is to secure the communication (integrity and confidentiality) between a client and a server. The client should always check the identity of the SSL/TLS server, and it provides mechanisms for server to check the identity of the client too. What it can do also depends on how it is configured. SSL/TLS is most commonly used with X.509 certificates: that's how a browser can check the identity of an HTTPS server. Servers can also be configured to request the client to use a certificate to identify themselves (client-certificate authentication).
However, if you want to use Kerberos, you can use TLS Kerberos cipher suites. This is much less common, but they are implemented in the JSSE.
Its implementations usually provide APIs similar to what you get with plain TCP connections: in Java, once configured, you can more or less use an SSLSocket as you would use a plain Socket. This doesn't require specific awareness by the protocol on top of the socket, although some protocols have explicit commands to switch to SSL/TLS from a plain connection (Implicit v.s. Explicit SSL/TLS). It can also provide authentication. In Java, the JSSE is the default SSL/TLS implementation, which gives you access to SSLSocket (or SSLEngine if you're brave enough).
You might want to read "When to use Java GSS-API vs. JSSE", which is similar to "SASL vs. SSL/TLS" (although it doesn't seem to have been updated for a while, since the JSSE does support Kerberos cipher suites now, at least since Oracle Java 6).
I'll admit I know less about SASL than about SSL/TLS, but doing data encryption via SASL sounds like it's going to be more work. It doesn't seem to have certain SSL/TLS features such as the Perfect Forward Secrecy offered by EDH cipher suites. There is an example that uses SASL with GSSAPI (Kerberos here) in the JGSS tutorial: you need to wrap/unwrap the data explicitly, which you wouldn't have to do when using SSLSockets.
I think your main concern should be to decide which authentication mechanism you want to use in the first place: Kerberos, X.509 certificates, or something else. This will have more impact on your overall architecture, and both can be used with SASL and SSL/TLS (more so if you use SASL with an EXTERNAL mechanism, when on top of an SSL/TLS connection).
Kerberos is very centralised. The client will need to be able to contact the KDC to authenticate, in addition to being able to contact your application server. The clients will also need to be configured to use that KDC. From a user's point of view, they can use passwords.
X.509 is more decentralised. However, you may need to deploy a Certification Authority (or use a commercial one) for your user certificates. Users will need to be given certificates and private keys, which some might find too complex.
JAAS comes into it because it's the general Java framework for dealing with authentication and authorisation. It's very closely linked to the notion of security managers. It gives you the notion of Subject and Principal. This isn't directly linked to the protocols or the communication, but rather to the way you model authentication and authorisation within your application. (It gives you a standard set of classes to do so.)
(I'd generally suggest to go through the Java reference documents that mention the words you're after: JGSS, SASL, ..., although they're not necessarily easy to read.)

SSL vs SASL
It's true that SASL is not a protocol but an abstraction layer. It's also true that SSL and SASL are kind of providing similar features. Both of them provide authentication, data signing and encryption.
SSL is done at the transport layer and it is normally transparent to the underneath protocol. For example, you can use SSL on LDAP or HTTP. However, in some cases, modification to existing protocols is necessary in order to switch to secured mode. For example, POP3 and IMAP is extended to have a command STARTTLS to initiate the use of SSL. From that angle, this is kind of similar to what SASL doing.
On the other side, many protocols are also extended to provide SASL capability. Here is the list of protocols. Again, POP3 and IMAP are two of them and they are using different commands to initiate the authentication.
So, when should we use SSL and when should we use SASL?
An obvious difference between SSL and SASL is that SASL allows you to select different mechanisms to authenticate the client while SSL is kind of binded to do authentication based on certificate. In SASL, you can choose to use GSSAPI, Kerberos, NTLM, etc.
Because of this difference, there are some situations, it's just more intuitive to use SASL but not SSL. For example, your client application is using Kerberos to authenticate the end user. Your server needs to authenticates the client. Since your client application already have a Kerberos credentials (in Kerberos terminology, a ticket), it makes sense to use the Kerberos credentials to authenticate with the server. Of course, you can always setup SSL to do the same thing. However, that means on top of the existing Kerberos infrastructure, you need to setup Certificate Authority infrasture and somehow correlate the client certificate with the Kerberos credentials. It's doable but a lot of work.
Also, sometimes, you need to use some features that available only in the SASL mechanism but not the SSL. For example, Kerberos allows you to forward the ticket from the client to the server so that the server can use the ticket to query some resources on behalf of the client. One common example is that you have a application server and a database. The client application authenticates with the application server and the application server needs to query the database on behalf of the client using client's credentials. SSL cannot provide this feature to you but Kerberos supports this. So, in that case, you have to choose to use SASL.
In some cases, you do want to use SSL but not SASL. For example, extending the protocol is not an option or you want to encrypt every single packet exchanged using underneath protocol.
How does GSSAPI relate to Kerberos and SASL
According to this wiki page, both GSSAPI and Kerberos are supported mechansim in SASL. GSSAPI is a generic programming interface. The idea is to let application writer use one single common API to do authentication, encryption, etc regardless of what protocol is used underneath. GSSAPI implements Kerberos. So, you can use GSSAPI to do Kerberos authentication.
How does JAAS relate to SASL
To be honest, I am not a Java expert. From what I read, it sounds like JAAS is just a pluggable authentication framework. I beleive the idea is similar to GSSAPI. It's to provide a single programming interface regardless of what authentication method is using. While GSSAPI is focusing on authentication and secured message exchange, JAAS is focusing on authentication and authorization. I don't find any evidence that JAAS is also one of the SASL mechanism. I believe there should be some helper classes from Java library helping you to implement custom SASL mechanisms. While implementing the custom SASL mechanism, it may makes sense to just use JAAS.

SASL is not a protocol but an abstraction layer to some auth mechanism. If you use Digest-MD5 or GSS-API as your SASL mechanism you can request SASL to completely encrypt your data traffic. This is for example what I do to talk to your Active Directory servers. You won't need SSL. What is your use case? Please elaborate!

Related

what Trafic between users and server must i encrypt in my app before deploying to play store?

I have a simple app connected to a server via some sockets and the traffic is not yet encrypted users must log in or create accounts before using the app and afterwards traffic is shared between users and server. i want to know if i must encrypt all traffic or just the authentication and account creation?
Use https for all traffic (or an equivalent TLS-based protocol for non-HTTP traffic). Yes, encrypt and certificate-authenticate everything. For modern systems, there are vanishingly few cases where TLS is not the correct answer for network traffic. It is ubiquitously available across platforms, languages, and protocols.
On any modern network system you need an argument for why you wouldn't encrypt and authenticate the connection. It's not a matter of "must" you. It's a matter of "why wouldn't you?"

Providing multiple realms/origins to coTurn from webRTC client

As coTurn server provides the option to create multiple realms throught its database, and when turning the server on, a default realm can be provided in the configuration.
When configuring the webRTC client to access TURN, it only allows the URIs, username and credentials properties, but does not have any way to provide a realm or origin (as coturn supports origin).
The default realm is always considered.
If I try to utilize the realms concepts, providing different user credentials under different realms in the webRTC client config, the server accepts only turn requests with users under the default realm.
Questions
Is there a way to overcome this matter to provide realms/origin to the server?
If not, why have realms been added to the coturn if they cannot be used?
tl;dr: the realm is pretty useless in WebRTC.
In theory TURN as a protocol includes a realm. However, see the detailed example in the RFC this typically isn't sent in the initial allocate request, only subsequent ones. In theory the client could store the realm and use it for subsequent requests.
In WebRTC, the peerconnections are pretty much independent. There is no way to configure the realm in the ICE server configuration
See also this response from working on that in chrome/webrtc.org

Is it secure enough to use Digest HTTP Authentication combined with SSL encryption?

I am designing a mobile application which is supposed to interact with a remote server through the HTTPS protocol. This means that the system will manage to encrypt messages and keep the communication confidential by using a SSL certificate.
Well, I would like also to provide an authentication method in order to protect the system from external attacks and make it accesible only by users with valid credentials.
I'm now wondering if Digest HTTP Authentication (http://php.net/manual/en/features.http-auth.php) could be a good idea or not.
I guess so, especially because I think there should be no particular risk since that way I should manage to combine encryption and authentication.
However, I've read somewhere that if I use SSL, HTTP basic authentication is secure enough. Is that true? What do you guys think about that?
Do you guys by chance have any suggestion?
Thanks a lot!

Easiest way to protect WCF services

I've been looking around and haven't been getting very far in my research of WCF security. I have a low-risk service I want to create so I just want some basic security required for client's on different servers outside of the domain to be able to use it.
What's the easiest way in WCF? Is it just through the use of certificates?
Check this, it covers many security scenarios, use whichever suits your need.
And for authentication purpose you can easily opt Username security, where you just need to pass user name and password.
Easiest way to simply encrypt the transmission is if you're just using net.tcp binding, then you can turn on Transport security or Message security without needing to set up a certificate.
With WsHttpBinding message-level security (contents of the message are encrypted) is enabled by default and doesn't require an SSL cert. And if the clients are on the same Windows network then it'll use Windows Authentication and credentials by default, too, so you should be able to enable Transport security without needing an SSL cert there, either.
If you want to expose your service over HTTPS to the public internet then you'll need to obtain an SSL certificate and bind it to the port on the server that the service runs on, using httpcfg.exe (comes with Windows Server).

Difference between SSH and SSL, especially in terms of "SFTP" vs. "FTP over SSL"

Apart from enhanced authentication options offered by SSH, is there any difference between basic working of SSH and SSL protocols ?
I am asking since we can use SFTP or FTP over SSL, both would require authentication.
What is the difference between SSH and SSL and why would we care?
SSL stands for "Secure Sockets Layer". We care because it enables browsers to transmit data to and from a web server in a secure cryptographic way to make life hard for third party spies monitoring all internet traffic.
SSH stands for "Secure Shell". We care because it enables a networked computer 1 to provide access to a shell on networked computer 2. The user can have a level of confidence that spies listening to the insecure channel cannot decrypt data sent between the networked computers.
SSL and SSH both have to do with providing a system to encrypt and decrypt data over an insecure channel.
When a browser visits a URL which begins with "https://", the browser speaks HTTP over an SSL connection.
SSL enabled Web Servers (for example Apache HTTP Server) can be configured to use SSL to become a "secure web server". A website served up by a secure web server will cause users to access the URL through the "https://" protocol instead of "http://". With the https protocol the users can have a level of confidence that third party spies monitoring the internet channel will only receive encrypted content.
SSL is a Protocol that could be implemented in the 6th layer (Presentation layer) of the OSI Model.
SSH has its own transport protocol independent from SSL, so that means SSH DOES NOT use SSL under the hood.
Cryptographically, both Secure Shell and Secure sockets Layer are equally secure.
An SSL Termination Proxy can handle incoming SSL connections, decrypting the SSL and passing on the unencrypted request to other servers.
SSL lets you use a PKI (public-key infrastructure) via signed certificates. With SSH you have to exchange the key fingerprints manually through another protocol like ftp or carrier pigeon.
The main difference is that SSL lets you use a PKI (via signed certificates). In SSH you have to exchange the key fingerprints out-of-band. But you might want to do without a PKI anyway, in which case it's a tie.
For a nice explanation, see http://www.snailbook.com/faq/ssl.auto.html
SSH and SSL are similar protocols that both use most of the same cryptographic primitives under the hood, so they are both as secure as each other. One advantage of SSH is that using key-pair authentication is actually quite easy to do, and built right into the protocol.
With SSL it's a bit of a mess involving CA certificates and other things. After you have the PKI in place you also need to configure your services to use the PKI for authentication instead of its internal password database; this is a nightmare on some services and a piece of cake on others. It also means you need to go to the hassle of signing all of your user's keys so they can log in with them.
Most competent users can grok SSH keys in no time but it takes a bit longer to get their heads around SSL keys (the extra CA certs and key certs confused me when I first discovered it).
Pick what's supportable. SSH+SFTP is great for Unix people, but FTP over SSL is probably easier to do if your users are Windows-based and are pretty clueless about anything other than Internet Exploiter (and you don't mind risking that your users will choose insecure passwords).
Cryptographically they are both equally secure (given that same ciphers are used). Other than that they are entirely different protocols...
First of all, TLS server authentication is optional since its protocol supports fully anonymous server authentication. In SSH this is mandatory.
TLS uses X.509 certificates for client and server authentication, which would require some sort of PKI. SSH does not scale in this point but offers a wider range of authentication methods: password, public key, etc.
Another difference is that SSH allows multiple connections and supports remote program execution, terminal management, TCP tunneling and so on.

Resources