
Re: Security Strength Factor



At 02:20 AM 12/18/2002, Dieter Kluenter wrote:
>Hello,
>what is the precise definition of SSF, I know it "indicates a relative
>strength of protection", but protection of what and protection by
>whom?

OpenLDAP has multiple SSFs.  For each session, there is
one for SASL, one for TLS, etc., and an overall session
SSF (the greatest SSF of any particular layer).

From slapd.conf(5):
  an integer approximate to effective key length used for encryption. 
     0 (zero) implies no protection,
     1 implies integrity protection only,
     56 allows DES or other weak ciphers,
     112 allows triple DES and other strong ciphers,
     128 allows RC4, Blowfish and other modern strong ciphers.

>To be more precise, I understood that a SASL SSF: 56 indicates DES
>encryption as used by kerberos when applying sasl mechanism GSSAPI, but
>a sasl mechanism EXTERNAL results in SASL SSF: 0 as following examples
>indicate
>
>-.-.-.-.-.-.-.-.--.-.-.-.-
>SASL/GSSAPI authentication started
>SASL username: dieter@AVCI.DE
>SASL SSF: 56
>SASL installing layers
>.-.-.-.-.-.--.-.-.-.-.-.-.-..--
>-..-.-.-.-.-.-.--.--.-.-.-.-.-.--.-.-.
>SASL/EXTERNAL authentication started
>SASL username: Email=dieter@l4b.de,CN=Dieter Kluenter\2Cou=partner\2Cou=users\2Co=avci\2Cc=de,OU=ldapclient,O=avci,L=Hamburg,ST=Germany,C=DE
>SASL SSF: 0
>-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-
>
>How is SSF:0 interpreted in the above example?

SASL/EXTERNAL, itself, provides no security layers.  There
may be protections provided by lower layers (like TLS) and,
if so, these are reflected in the SSF associated with the particular
layer providing the protection as well as the overall SSF.

Kurt
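
The per-layer and overall SSF relationship described in this reply, as an added example that is not part of the original message and not OpenLDAP code. It is a simplified model: the function names are hypothetical, the `name=minimum` policy strings are modelled on the factors of slapd's `security` directive, and the TLS SSF of 128 and the sample client output are constructed.

```python
import re

# Constructed client output, shaped like the transcripts quoted in the message.
EXTERNAL_OUTPUT = "SASL/EXTERNAL authentication started\nSASL username: cn=example\nSASL SSF: 0\n"
GSSAPI_OUTPUT = "SASL/GSSAPI authentication started\nSASL username: user@EXAMPLE\nSASL SSF: 56\n"

def parse_sasl_ssf(client_output):
    """Return the number on the 'SASL SSF: N' line, or None if there is no such line."""
    m = re.search(r"^SASL SSF:\s*(\d+)\s*$", client_output, re.MULTILINE)
    return int(m.group(1)) if m else None

def session_ssf(layers):
    """Overall session SSF: the greatest SSF of any layer (0 if no layer protects)."""
    return max(layers.values(), default=0)

def parse_policy(spec):
    """Parse a string such as 'ssf=112 sasl=56' into {'ssf': 112, 'sasl': 56}."""
    policy = {}
    for item in spec.split():
        name, sep, value = item.partition("=")
        if not sep or not value.isdigit():
            raise ValueError(f"bad factor: {item!r}")
        policy[name] = int(value)
    return policy

def unmet(layers, policy):
    """Return the sorted names of the factors whose minimum SSF the session does not reach."""
    actual = dict(layers, ssf=session_ssf(layers))
    return sorted(n for n, minimum in policy.items() if actual.get(n, 0) < minimum)

if __name__ == "__main__":
    # SASL/EXTERNAL over TLS: the SASL layer is 0, the TLS layer carries the protection.
    external = {"tls": 128, "sasl": parse_sasl_ssf(EXTERNAL_OUTPUT)}
    # SASL/GSSAPI without TLS: the SASL layer is the only protection.
    gssapi = {"tls": 0, "sasl": parse_sasl_ssf(GSSAPI_OUTPUT)}
    for name, layers in (("EXTERNAL+TLS", external), ("GSSAPI", gssapi)):
        print(name, "overall SSF:", session_ssf(layers))
        for spec in ("ssf=112", "ssf=112 sasl=56"):
            print("  policy", repr(spec), "unmet:", unmet(layers, parse_policy(spec)))
```

In this model the EXTERNAL session satisfies an overall `ssf=112` minimum through its TLS layer, while a minimum placed on the SASL layer alone is not met because that layer reports 0.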