<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial,helvetica,sans-serif;font-size:12pt"><div>Dear Diva:<br><br>As "Charles.Krinke@osgrid.org", all I can say to all that is : "Harumph".<br><br>And the fact that you bring up a number of good points. It is especially thrilling to actually think we may have enough reliability to actually begin thinking about implementing some of the needed security.<br><br>It is always a balance between software development forward motion and security for the users, even this "Charles.Krinke@osgrid.org" guy, who sounds a bit like a loose cannon visiting "Sports Illuminated".<br><br>So, I commend you for thinking through some of this and offer my whole hearted support to encourage folks to test it *before* I get up one morning and find "Wright Plaza" is a smoking hole in the ground.<br><br>Charles Krinke<br></div><div style="font-family: arial,helvetica,sans-serif;
font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Diva Canto <diva@metaverseink.com><br><b><span style="font-weight: bold;">To:</span></b> opensim-dev@lists.berlios.de<br><b><span style="font-weight: bold;">Sent:</span></b> Monday, February 23, 2009 11:47:19 AM<br><b><span style="font-weight: bold;">Subject:</span></b> [Opensim-dev] User Authentication<br></font><br>
Hi,<br><br>I'm about to start tightening the ropes for the Hypergrid in order to <br>make it safer, and also make safer some loose ends of OpenSim without <br>HG, and I would appreciate feedback on this.<br><br>The first issue that needs to be addressed is the issue of user <br>authentication. The regions need to be able to verify that the agent <br>that claims to be representing <a ymailto="mailto:Charles.Krinke@osgrid.org" href="mailto:Charles.Krinke@osgrid.org">Charles.Krinke@osgrid.org</a> is, indeed, <br>representing <a ymailto="mailto:Charles.Krinke@osgrid.org" href="mailto:Charles.Krinke@osgrid.org">Charles.Krinke@osgrid.org</a>. (As you know, right now this <br>is... err... a bit overlooked... *coughs*... and not just in the HG... <br>*more coughs*).<br><br>Having looked at OpenID, I came to the conclusion that it's not enough <br>to know that <a target="_blank" href="http://osgrid.org">osgrid.org</a> has a user named "Charles Krinke", and we
<br>certainly don't want Charles to be constantly typing his password <br>everytime he moves; the region needs to know that this user is already <br>logged in to the system AND the region also needs to know that the agent <br>that is representing this user is a legitimate agent.<br><br>OK, so the part about being logged in is easy; the user server already <br>knows that, to some approximation.<br><br>However, the part about the agent being legitimate is a bit more tricky. <br>Here's the bad thing that can happen: Charles logs in to OSgrid, and TPs <br>to this intriguing region called "Sports Illuminated Swimming Suite <br>Edition". That region happens to be up to no good. It grabs Charles <br>current notion of identity (all the current identifiers we use), it <br>crashes Charles' viewer so that the user server never knows about it, <br>and proceeds to impersonate Charles using all those stolen identifiers; <br>for example, it can go back to Charles's
regions and erase them <br>completely pretending to be Charles.<br><br>So, what can we do to detect the legitimacy of agents?<br><br>Having scratched my head over this, I came to the conclusion that the <br>most promising element that can be used to identify agents is the <br>Viewer's EndPoint. This is what happens down in the LLUDPServer (I'm <br>sure something similar happens in other viewers' packet handlers):<br><br> if (packet != null)<br> {<br> if (packet.Type == PacketType.UseCircuitCode)<br> AddNewClient((UseCircuitCodePacket)packet, epSender, <br>epProxy); <br> else<br>
ProcessInPacket(packet, epSender);<br> }<br><br>The EndPoint epSender comes directly from the socket and I'm assuming it <br>can't be faked, at least the IP part. Is this correct? This is a <br>critical assumption.<br><br>So, back to the "Sports Illuminated" scenario: that sim would then try <br>to launch an agent at Charles' region. It can fake everything except <br>being Charles' viewer machine. When Charles' region does that code <br>above, it asks the User server for authentication of an agent with all <br>those identifiers and the given EndPoint, and the User server tells back <br>that Charles wasn't using that EndPoint to start with, so the <br>authentication fails, and an alarm is rang.<br><br>Thoughts?<br><br>Crista<br><br>Disclaimer: I'm not an expert in security, I'm just using my brain in
<br>context.<br><br><br>_______________________________________________<br>Opensim-dev mailing list<br><a ymailto="mailto:Opensim-dev@lists.berlios.de" href="mailto:Opensim-dev@lists.berlios.de">Opensim-dev@lists.berlios.de</a><br><a href="https://lists.berlios.de/mailman/listinfo/opensim-dev" target="_blank">https://lists.berlios.de/mailman/listinfo/opensim-dev</a><br></div></div></div></body></html>