Re: authentication (SRP*, DH, TLS)



gmu2006@xxxxxxxxx writes:
I'm working on a commercial product which was ported from
win32 to GNU/Linux. While doing so we have used TCP/IP
sockets instead of Named Pipes for IPC. By doing so
we've lost the big advantage of having DACLs set on the
named pipes that prevent unauthorized access to the
services.
Now I'm trying to recreate that with the tcp sockets version.
Because of the performance hit we can't use TLS which
checks client+server certificates for preventing MITM.

After evaluating the possibilities I've come to the conclusion
that SRP-6 could be a possible solution.

I don't think SRP6 will be that much faster than TLS.

If you were using named pipes before, it sounds like the client and
server are on the same machine. Is there some reason you don't use
AF_UNIX sockets instead of AF_INET (i.e. TCP)? AF_UNIX sockets offer
some authentication mechanisms that might do what you need, though
probably not the same as Windows DACLs. See the socket docs for
"ancillary messages".
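An added illustration, not from either poster, of the mechanism the reply points at: a service on an AF_UNIX stream socket sets SO_PASSCRED, reads the kernel-supplied SCM_CREDENTIALS ancillary message, and makes its access decision on the peer uid, which is the closest analogue to a DACL check on a named pipe. It is Linux-only, and socketpair() stands in for the listen()/connect() pair a real service would use.

```python
# Added example (not from the thread): kernel-verified peer credentials on an
# AF_UNIX stream socket via the SCM_CREDENTIALS ancillary message (Linux only).
import os
import socket
import struct

# Layout of struct ucred on Linux: pid_t pid; uid_t uid; gid_t gid; (three ints)
UCRED_FMT = "3i"
UCRED_SIZE = struct.calcsize(UCRED_FMT)


def recv_peer_creds(sock):
    """Receive one message and return (pid, uid, gid) of the sender as filled
    in by the kernel, or None if no credentials were attached."""
    _data, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_SPACE(UCRED_SIZE))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return struct.unpack(UCRED_FMT, cdata[:UCRED_SIZE])
    return None


def authorize(creds, allowed_uids):
    """Access check the service applies before answering a request."""
    if creds is None:          # no credentials: treat as unauthenticated
        return False
    _pid, uid, _gid = creds
    return uid in allowed_uids


def demo(allowed_uids=None):
    """socketpair() stands in for a listening AF_UNIX socket and its client;
    by default only the caller's own uid is allowed (a constructed policy)."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # Ask the kernel to attach the sender's credentials to every message.
        # The client cannot forge these; an unprivileged process can only
        # claim the pid/uid/gid it actually holds.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.sendall(b"x")   # ordinary request byte, no cmsg from the client
        creds = recv_peer_creds(server)
    finally:
        server.close()
        client.close()
    allowed = {os.getuid()} if allowed_uids is None else allowed_uids
    return creds, authorize(creds, allowed)


if __name__ == "__main__":
    peer, ok = demo()
    print("peer creds (pid, uid, gid):", peer, "authorized:", ok)
```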