Bull's presentation of administration & security audit of NFSv4
jonathan lyard
jonathan.lyard at bull.net
Thu Aug 24 09:46:07 EDT 2006
I have also written a paper on the security audit of NFSv4. You can find
it at:
http://nfsv4.bullopensource.org/doc/security/latex/security.pdf
I would be grateful for feedback and comments on it.
Some key points are :
- performance of krb5p (privacy) is 5-6 times worse than that of krb5
(authentication). This can be a problem for administrators wishing to
encrypt NFSv4 traffic. Can performance be better? Or is this normal when
encrypting data (for instance, compared to IPsec or SSH tunneling)?
- is it conceivable to add a delay (e.g. 1/2 s) before sending an error
when authentication is not valid? This would make it harder for hackers to
run an exhaustive search on the session key (otherwise, the NFSv4 server can
be used as a "stop test oracle" to test the possible keys one after the other).
- is there a reason to use a zero IV for DES encryption (privacy mode)?
I would think that GSS sequence numbers play the role of an
Initialization Vector, but am I right?
- 56 bits for the secret DES key may be too small. AES or 3DES should be
used instead in future versions.
- the MD5 hash is used in the computation of the Message Authentication
Codes (MACs) for authentication and integrity protection. SHA-1 should be
used instead in future versions.
- the security level of NFSv4 is similar to that of Samba 3 (I don't know
the security level of Samba 4)
- I have not found any vulnerabilities in the audited code
- I have played with SPIKE to develop an NFSv4 fuzzer (like the RPC
fuzzer) but did not complete the task of testing every NFSv4 operation. I
hope someone will continue this work.
Regards,
Bryce Harrington wrote:
>Hi Jonathan,
>
>Thanks for posting the presentations, quite interesting.
>
>Bryce
>
>On Wed, Aug 23, 2006 at 06:05:32PM +0200, jonathan lyard wrote:
>
>
>>Hi,
>>My internship at Bull finishes at the end of the week. I am thus giving a
>>presentation of my work on administration (webmin, nagios, SBLIM for
>>CIM/WBEM) and the security audit at Bull on Aug. 24.
>>If you are interested, you can get the slides of this presentation, which
>>sum up my work on the NFSv4 project, at:
>>http://nfsv4.bullopensource.org/doc/security/presentation_Bull_security.pdf
>>http://nfsv4.bullopensource.org/doc/admin_tools/presentation_Bull_admin.pdf
>>
>>I was pleased to contribute to this project!
>>
>>--
>>===========================================================================
>> Jonathan LYARD FREC-B1/408 NFSv4 Intern
>> Bull SA. Email: jonathan.lyard at bull.net
>> 1, rue de Provence
>> B.P. 208 Phone: +33 4 76 29 76 66
>> 38342 ECHIROLLES CEDEX FRANCE
>>============================================================================
>>
>>_______________________________________________
>>NFSv4 mailing list
>>NFSv4 at linux-nfs.org
>>http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>>
>>
>
>
>
--
===========================================================================
Jonathan LYARD FREC-B1/408 NFSv4 Intern
Bull SA. Email: jonathan.lyard at bull.net
1, rue de Provence
B.P. 208 Phone: +33 4 76 29 76 66
38342 ECHIROLLES CEDEX FRANCE
============================================================================
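The third point above (a fixed all-zero IV for DES-CBC) can be made concrete. The Go program below is an added illustration; it is not part of the original message, of Bull's audit, or of any NFSv4 or Kerberos implementation, and it does not model what the GSS-API krb5 mechanism itself does. It encrypts two constructed requests that share a 24-byte prefix under a constructed 8-byte key, once with a zero IV and nothing random in the plaintext, and once with one block of fresh random bytes (a confounder) prepended, then counts how many leading ciphertext blocks come out identical. The request strings and the key are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

const blockSize = des.BlockSize // 8 bytes

// pad8 zero-pads b to a multiple of the DES block size. Zero padding is used
// here only to keep the illustration short; it is not a real padding scheme.
func pad8(b []byte) []byte {
	n := (blockSize - len(b)%blockSize) % blockSize
	out := append([]byte{}, b...)
	return append(out, make([]byte, n)...)
}

// desCBC encrypts pt (already a multiple of 8 bytes) with single DES in CBC
// mode under key and iv. Single DES is used because that is the cipher the
// audit discusses; the fixed-IV property shown below is not specific to DES.
func desCBC(key, iv, pt []byte) []byte {
	block, err := des.NewCipher(key) // key must be exactly 8 bytes
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// EncryptZeroIV models the weak setting: every message is encrypted with the
// same all-zero IV and nothing random is mixed into the first block.
func EncryptZeroIV(key, pt []byte) []byte {
	return desCBC(key, make([]byte, blockSize), pad8(pt))
}

// EncryptWithConfounder keeps the zero IV but prepends one block of fresh
// random bytes (a "confounder") to the plaintext. Because CBC chains each
// ciphertext block into the next, the random first block randomises the whole
// ciphertext, so the confounder does the job a per-message IV would do.
func EncryptWithConfounder(key, pt []byte) []byte {
	conf := make([]byte, blockSize)
	if _, err := rand.Read(conf); err != nil {
		panic(err)
	}
	return desCBC(key, make([]byte, blockSize), append(conf, pad8(pt)...))
}

// SharedPrefixBlocks counts the leading 8-byte blocks that are identical in two
// ciphertexts. Under CBC with the same key and the same IV, the run of identical
// leading ciphertext blocks is exactly the run of identical leading plaintext
// blocks, so a passive observer learns the length of the common prefix with
// no key at all.
func SharedPrefixBlocks(a, b []byte) int {
	n := 0
	for ; (n+1)*blockSize <= len(a) && (n+1)*blockSize <= len(b); n++ {
		if !bytes.Equal(a[n*blockSize:(n+1)*blockSize], b[n*blockSize:(n+1)*blockSize]) {
			break
		}
	}
	return n
}

func main() {
	key := []byte("01234567") // constructed demo key, not a real credential
	// Two constructed requests that share their first three blocks (24 bytes).
	m1 := []byte("GETATTR /export/secret-file-A")
	m2 := []byte("GETATTR /export/secret-file-B")

	fmt.Printf("zero IV, no confounder: %d identical leading blocks\n",
		SharedPrefixBlocks(EncryptZeroIV(key, m1), EncryptZeroIV(key, m2)))
	fmt.Printf("zero IV + confounder:   %d identical leading blocks\n",
		SharedPrefixBlocks(EncryptWithConfounder(key, m1), EncryptWithConfounder(key, m2)))
}
```

With the fixed IV, the three identical leading blocks of plaintext produce three identical leading blocks of ciphertext on every run, and encrypting the same request twice gives the same ciphertext both times. With a confounder prepended, the count is zero (with overwhelming probability) and repeated encryptions of one request differ. Whether the real mechanism mixes in a sequence number, a confounder, or nothing is exactly the question the message asks; this example only shows why the answer matters.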