randy@ms.uky.edu (Randy Appleton) (04/04/91)
I hope this is the appropiate place to ask questions about the Amoeba operating system. Is some other newsgroup better? In Amoeba, when a process creates what in UNIX would be a socket, it provides what is called 'g'. The socket that is created is f(g), where f() is a one-way function. This provides a sense of security, since it is then possible to advertise well-known port numbers f(g) and still know that only you can create that port, since only you know 'g'. But isn't it true that anyone who has your source can just read it to find 'g'. In perticular, if the file server is advertised as findable at port f(g), cannot anyone who has the source just scan it for 'g', and then put up a fake server? In UNIX this is not a problem, since the lowest 1024 ports are reserved for the superuser, and all the useful advertised ports are in that range. Finally, in Amoeba if someone has allready created a port at 'x', what happens if I try to create a new one? -Thanks -Randy
rvr@cs.cornell.edu (Robbert Van Renesse) (04/05/91)
In UDP and TCP there are 2^16 ports, of which, in UNIX, the lowest 1024 are reserved and protected. In Amoeba no ports are protected, but there are 2^48 ports total. Such a port is chosen at random (it's a well-known property of large random numbers that they are unique...). Say that the one-way encryption function f() takes only 1 millisecond to execute, then it would take you, on average, over 4000 years to find g given f(g). ``Wie dan leeft, wie dan zorgt.'' (Dutch saying: Who lives then, who cares then.) Note that the protection scheme is very similar to the UNIX password login protection, except that Amoeba ports are chosen by the system at random, giving a much better distribution of the port space. In the new release of Amoeba the size of a port will be increased to 64 bits for further protection. The problem with this protection scheme is the implementation of it. The easiest way is using trusted kernels: if the user cannot access the network other than through using supplied kernels, then the kernel can apply the one-way encryption function. Another implementation would be to use a custom-made network, with the one-way encryption executed in the physically protected cable duct in the wall. Not a very practical solution. The third way is to encrypt messages on the network. For example, this could be done by choosing the public and private ports of a service to be encryption and decryption keys in a public key encryption scheme (so you don't use the one-way function). You lose the performance benefits the scheme this way. To solve this last problem, the new Amoeba internet protocol (FLIP) divides networks in trusted and untrusted networks. For example, processors within the machine room are connected by a trusted network segment, while the connections to the workstations and long-haul connections are untrusted. The gateways, in the machine room as well, encrypt messages the first time they get forwarded from a trusted to an untrusted network. Machines on untrusted network segments encrypt all messages. This way traffic between processors in the machine room does not need to be encrypted. Since in Amoeba systems most work is done in the processor pool and specialized servers, all of which reside in the machine room, communication remains fast despite its security. (You only need to fill the machine room with poisonous gas.) Robbert van Renesse