PerlMonks  

Encryption and Active Directory

by Angel (Friar)
on Feb 17, 2003 at 16:11 UTC

Angel has asked for the wisdom of the Perl Monks concerning the following question:

Dear Fellow Monks

I haven't been around the monastery lately because I made the transition from College to Work. But we are a Windows-only shop. Now learning the new skills for my job made me realize that there are a few things that MS Windows does well, and maybe I can use them for my projects in Perl.

Overview

Windows 2000 has a service called Active Directory, and it allows one computer (or a set of them), called Domain Controllers, to maintain a master list of all passwords, user information and other related information, like what their home accounts should be.

I am working on developing an Active Directory-like system for CGI where different servers can talk to my server and get user information through port 80/HTTP using LWP and a few other modules.

There will be for this example two computers the Client and the Server. In Windows terminology the client is the workstation and the server is the Domain Controller.

My intention is twofold: first, to figure out how to make this work using an all-Perl solution, and secondly, by having it talk to another web server, it could use ASP to work with the actual Windows Active Directory structure, allowing a mixing of Windows workstations and Perl/CGI web applications.

My Idea

  • Have the client computer send an HTTP POST request to the server telling it to start a session. The IP is checked and, if confirmed, an HTML/XML page is returned with the public half of an asymmetric key cypher.
  • Send the user's password and username via XML using the cypher, as well as a random password for sending the desired user information (active directory) back as a block cypher.
  • Verify the user's name and password and then, using the Blowfish cypher, send the user's information back to the client.

Considerations

  • A Blowfish cypher maps to the full binary output set, so it needs to be coded to prevent transmission problems with the HTTP protocol. I have developed code that implements this method of "Glyphing" or character remapping. I covered the mathematical concepts in a UG class (Dr. Sutherland's Notes), and mapping a 128 bit set to two smaller sets of two characters eliminates this problem. In addition it allows the entire string to be sent as one long non-HTML-encoded string through the Internet.
  • Secondly, the random number generator rand() cannot be used for this as it is not truly random. Luckily CPAN has a few random number generators that do such a thing.

The Questions

1. So has anyone done this before?

2. I need to find information on which version of Blowfish and which asymmetric cypher to use. I have read the Crypt::Blowfish man pages and I am so lost. Do any of you know of someone who has either sample code posted or a tutorial for either? I tried Google and did not get much.

3. I read the tutorial on IBM's site for using Perl and XML; any other good tutorials you could recommend that are aimed at the beginner XML user and not a programming god?

Thanks for any advice you can give

Replies are listed 'Best First'.
    Re: Encryption and Active Directory
    by Zaxo (Archbishop) on Feb 17, 2003 at 16:37 UTC

      Why not just use the https protocol for encrypting your client connections? Be wary of IP-based identification: it will fail to provide much security, and at the expense of failing good connections.

      Take a look at the Win32 namespace for Windows admin and networking assistance.

      Perl & XML, by Ray and McIntosh, is the book to get.

      After Compline,
      Zaxo

    Re: Encryption and Active Directory
    by abell (Chaplain) on Feb 17, 2003 at 16:36 UTC

      Have you considered using SSL? It is the protocol used in https requests and as far as I know it uses an asymmetric cypher phase to set up a symmetric key communication. It's the standard used in online banking and credit-card orderings and it is supposed to be pretty safe. It also supports server and client authentication with digital certificates, so it lets the client control the server's identity and offers one more method for the server to know who is performing the request apart from IP.

      You can find some modules on CPAN.

      Antonio

      The stupider the astronaut, the easier it is to win the trip to Vega - A. Tucket
    Re: Encryption and Active Directory
    by digger (Friar) on Feb 17, 2003 at 17:16 UTC
      I may be missing something obvious in your specs, but why start from scratch?

      Win2K uses Kerberos and LDAP for encryption and communication. If you used the same open standards used by Win2K, wouldn't that make life easier? You could still get your information on the front end using http and SSL for encryption, and use Kerberos and LDAP on the back end to authenticate to the Win2K domain. You might even be able to avoid writing ASP.

      I don't have any code samples, because although I have read a little bit about it, I have not had the need or the opportunity to actually attempt it.

      LDAP on CPAN
      Kerberos on CPAN

      Please let us know how it works out,
      digger
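digger's suggestion of authenticating against the Win2K domain with the open standards it already speaks, as an added example that is not from the thread: a Net::LDAP simple bind over LDAPS using the user's own credentials (so the domain controller performs the password check), followed by an attribute lookup whose filter is escaped against LDAP injection. The domain controller address, CA file, UPN suffix and base DN are assumed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values: replace with your own domain controller and CA bundle.
my $DC      = 'ldaps://dc.example.com';
my $CA_FILE = '/etc/ssl/certs/example-ca.pem';
my $BASE_DN = 'DC=example,DC=com';
my $UPN     = 'example.com';

# Returns a hashref of account attributes on success, undef on failure.
sub authenticate_user {
    my ($username, $password) = @_;
    # An empty password turns a simple bind into an unauthenticated bind,
    # which the server may accept, so refuse it before contacting the DC.
    return undef unless defined $password && length $password;

    # verify => 'require' makes the client check the DC's certificate
    # against $CA_FILE instead of trusting whatever answers on port 636.
    my $ldap = Net::LDAP->new($DC, verify => 'require', cafile => $CA_FILE)
        or do { warn "connect failed: $@\n"; return undef };

    my $mesg = $ldap->bind("$username\@$UPN", password => $password);
    if ($mesg->code) {
        warn "bind failed for $username: " . $mesg->error . "\n";
        $ldap->unbind;
        return undef;
    }

    # Escape the name before interpolating it into the search filter.
    my $filter = '(sAMAccountName=' . escape_filter_value($username) . ')';
    $mesg = $ldap->search(base => $BASE_DN, scope => 'sub', filter => $filter,
                          attrs => ['displayName', 'mail', 'homeDirectory']);
    my ($entry) = $mesg->entries;
    $ldap->unbind;
    return undef unless $entry;

    return { map { $_ => scalar $entry->get_value($_) }
                 qw(displayName mail homeDirectory) };
}

# Usage: perl script.pl USERNAME   (password read from STDIN, not argv)
if (@ARGV == 1) {
    my $pw = <STDIN>;
    chomp $pw if defined $pw;
    my $info = authenticate_user($ARGV[0], $pw);
    print $info ? "ok: $info->{displayName}\n" : "authentication failed\n";
}
```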
    Re: Encryption and Active Directory
    by no_slogan (Deacon) on Feb 17, 2003 at 16:35 UTC
      • Secure protocols are extremely hard to design. Why are you trying to reinvent SSL?
      • How is your "glyphing" better than the existing base64 and quoted-printable encodings?
      Update: FWIW, base64 does essentially what your Dr. Sutherland suggests (remapping 6 8-bit characters to 8 6-bit characters), but it also solves the problem of trailing nulls.
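On Angel's "glyphing" and no_slogan's point that base64 already does the 8-bit to 6-bit remapping and keeps trailing nulls, here is an added example (not from the thread) that implements that remapping by hand in Perl and cross-checks it against the core MIME::Base64 module on a constructed 8-byte block of the kind a Blowfish cypher would produce.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 ();   # core module; used only to cross-check the hand-rolled version

# 64 printable characters, one per 6-bit group; '=' marks a short final group.
my @ALPHABET = ('A'..'Z', 'a'..'z', '0'..'9', '+', '/');
my %INDEX    = map { $ALPHABET[$_] => $_ } 0 .. $#ALPHABET;

# Every three 8-bit bytes become four 6-bit groups, so any byte value,
# nulls included, travels as plain ASCII and the length is never lost.
sub b64_encode {
    my ($bytes) = @_;
    my $out = '';
    for (my $i = 0; $i < length $bytes; $i += 3) {
        my $chunk = substr($bytes, $i, 3);
        my $n     = length $chunk;                    # 1, 2 or 3 data bytes
        my $bits  = 0;
        $bits = ($bits << 8) | ord(substr($chunk, $_, 1)) for 0 .. $n - 1;
        $bits <<= 8 * (3 - $n);                       # left-align in 24 bits
        $out .= $ALPHABET[ ($bits >> (18 - 6 * $_)) & 0x3F ] for 0 .. $n;
        $out .= '=' x (3 - $n);                       # padding tells the decoder $n
    }
    return $out;
}

sub b64_decode {
    my ($text) = @_;
    my $out = '';
    for (my $i = 0; $i < length $text; $i += 4) {
        my $chunk = substr($text, $i, 4);
        my $pad   = ($chunk =~ tr/=//);               # count of '=' in this group
        my $bits  = 0;
        $bits = ($bits << 6) | ($_ eq '=' ? 0 : $INDEX{$_}) for split //, $chunk;
        $out .= pack('C*', map { ($bits >> (16 - 8 * $_)) & 0xFF } 0 .. 2 - $pad);
    }
    return $out;
}

# Constructed sample: an 8-byte block ending in nulls, as a Blowfish
# ciphertext block can. A transport that strips nulls would truncate it.
my $block = "\x8f\x00\x10\xffab\x00\x00";
my $wire  = b64_encode($block);
die "round trip lost bytes\n"     unless b64_decode($wire) eq $block;
die "differs from MIME::Base64\n" unless $wire eq MIME::Base64::encode_base64($block, '');
print "sent as: $wire (", length($block), " bytes in, ", length($wire), " chars out)\n";
```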
