Re: Authenticated UDP



"Chris Becke" <chris.becke@xxxxxxxxx> wrote in message news:ukeOyi4LJHA.456@xxxxxxxxxxxxxxxxxxxxxxx
> SSL is stateless and can operate on any transport layer you choose. I'm pretty certain that SSL can be used to authenticate but not encrypt if you find an SSL stack that allows access at that level. But lower down you want encryption anyway...

Sorry, bud - SSL is very stateful, because every packet sent has an HMAC (keyed hashed message authentication checksum) which is assembled in part from the contents of previous messages in the session. As a result, for a message to be passed through the SSL layer, it has to be received complete, in order and unreplicated.

>> 2. Fairly reliable (receiver sends, waits for ACK from target, retries if no ack is received within a period)

> TCP is your best choice for this. Seriously. There is nothing you can invent that is going to be as lightweight as TCP. Unless you know so much protocol design theory that you wouldn't be asking this question. So we loop around: TCP IS the best option here. Just figure out how to make it work for you.

Here, I'm with you. The moment you take UDP and start adding TCP-like features, you've got a poorer-performing version of TCP.

>> I realize TCP would be ideal for this, but I have to deal with a large number of very transient connections (~1000/min, lasting a few hundred milliseconds at most) and I found TCP can easily bog down the server and get starved of sockets, especially since this is not the primary task of the server, and it also needs to service a separate set of HTTP requests.

Authentication and stateless don't really go all that well together. An authentication scheme involving one packet (as you are describing) would be easy to capture and replay. (The exception would be a one-time-pad, or similar construct, that maintains state between sender and recipient - but then, that's not exactly stateless, is it?)

However, there are some efforts you might look at to see if they match your requirements - particularly, try DTLS (Datagram Transport Layer Security), RFC 4347: http://www.ietf.org/rfc/rfc4347.txt

Alun.
~~~~
--
Texas Imperial Software | Web: http://www.wftpd.com/
23921 57th Ave SE | Blog: http://msmvps.com/alunj/
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
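The three designs discussed above, as an added example that is not part of Alun's post or anything from the original thread. It contrasts (1) a stateless one-packet HMAC, which verifies a replayed copy just as happily as the original; (2) a TLS-style MAC that mixes in an implicit per-connection sequence number, so a lost, reordered or duplicated record fails its MAC (the "stateful" behaviour described above; TLS 1.0-1.2 compute the record MAC over a 64-bit sequence number that is never sent on the wire); and (3) a DTLS-style design that carries the sequence number explicitly and rejects duplicates with the sliding anti-replay window DTLS inherits from IPsec, so it tolerates loss and reordering without accepting a replay. The shared key, the message bytes and the 64-entry window size are constructed test values; the packet layout (payload || 32-byte HMAC-SHA256 tag, with an 8-byte big-endian sequence number prefix in the DTLS-style case) is an assumption for the example, not any real record format.

```python
"""Replay and ordering checks for per-packet HMAC authentication.

Added example, not code from the original thread. Key and messages are
constructed test data; the packet layouts are assumptions for illustration.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"  # assumption: pre-shared out of band
SEQ = struct.Struct(">Q")        # 64-bit big-endian sequence number
TAG_LEN = 32                     # HMAC-SHA256 output size


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def split_tag(packet):
    return packet[:-TAG_LEN], packet[-TAG_LEN:]


# 1. Stateless: the tag depends only on the payload, so a captured packet
#    can be replayed indefinitely and will verify every time.
def stateless_send(key, payload):
    return payload + mac(key, payload)


def stateless_recv(key, packet):
    payload, tag = split_tag(packet)
    return payload if hmac.compare_digest(tag, mac(key, payload)) else None


# 2. TLS-style: both sides count records; MAC = HMAC(seq || payload) with
#    seq never transmitted. Anything but the next expected record fails.
class TlsStyleSender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, payload):
        packet = payload + mac(self.key, SEQ.pack(self.seq) + payload)
        self.seq += 1
        return packet


class TlsStyleReceiver:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def recv(self, packet):
        payload, tag = split_tag(packet)
        if not hmac.compare_digest(tag, mac(self.key, SEQ.pack(self.seq) + payload)):
            return None  # real TLS would send bad_record_mac and tear down
        self.seq += 1
        return payload


# 3. DTLS-style: seq travels in the packet and is covered by the MAC; the
#    receiver keeps a sliding bitmap of recently seen numbers.
class DtlsStyleSender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, payload):
        header = SEQ.pack(self.seq)
        self.seq += 1
        return header + payload + mac(self.key, header + payload)


class DtlsStyleReceiver:
    WINDOW = 64  # constructed window size; bit k of bitmap = (right - k) seen

    def __init__(self, key):
        self.key, self.right, self.bitmap = key, -1, 0

    def recv(self, packet):
        header, rest = packet[:SEQ.size], packet[SEQ.size:]
        payload, tag = split_tag(rest)
        if not hmac.compare_digest(tag, mac(self.key, header + payload)):
            return None  # forged or corrupted; check MAC before touching state
        (seq,) = SEQ.unpack(header)
        if seq > self.right:  # newer than anything seen: slide the window
            shift = seq - self.right
            self.bitmap = ((self.bitmap << shift) & ((1 << self.WINDOW) - 1)) | 1
            self.right = seq
            return payload
        offset = self.right - seq
        if offset >= self.WINDOW or (self.bitmap >> offset) & 1:
            return None  # too old to track, or already accepted: replay
        self.bitmap |= 1 << offset  # late but in-window: accept once
        return payload


def run_scenarios(key=KEY):
    """Replay and reorder one constructed session under each design."""
    msg = b"OPEN_SESSION user=alice"
    p = stateless_send(key, msg)
    stateless = (stateless_recv(key, p) == msg, stateless_recv(key, p) == msg)

    s, r = TlsStyleSender(key), TlsStyleReceiver(key)
    p0, p1, p2 = s.send(msg), s.send(b"second"), s.send(b"third")
    tls = (r.recv(p0) == msg, r.recv(p0) is None,       # replay rejected
           r.recv(p2) is None, r.recv(p1) == b"second")  # reorder rejected

    s, r = DtlsStyleSender(key), DtlsStyleReceiver(key)
    p0, p1, p2 = s.send(msg), s.send(b"second"), s.send(b"third")
    dtls = (r.recv(p0) == msg, r.recv(p2) == b"third",   # reorder tolerated
            r.recv(p1) == b"second", r.recv(p0) is None,  # replay rejected
            r.recv(p1) is None)
    return {"stateless": stateless, "tls": tls, "dtls": dtls}
```

`run_scenarios()` returns True for both stateless receives (the replay is accepted), and True for every check under the other two designs: the TLS-style receiver rejects the duplicate and the out-of-order record, the DTLS-style receiver accepts the late record once and rejects both replays. The window also bounds state per peer, which is the usual answer to the "stateless authentication" tension raised above: you cannot detect replay with zero state, but 64 bits plus a counter per peer is cheap.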
