[Twisted-Python] Re: Questions about the Perspective Broker login mechanism

David Bolen db3l.net at gmail.com
Sat Aug 18 19:18:36 EDT 2007


Julien Peeters <jj.peeters at gmail.com> writes:

> I'm looking for the person who implemented the current version of the
> login mechanism in the Perspective Broker.
> More precisely, I wonder what the reasons are for having chosen a
> challenge/response strategy to do login.

I'm only a user of Twisted and not a core developer, but I suspect for
all the same reasons you'd choose such a system in general (which
aren't PB, nor Twisted, specific).  Avoiding the transmission of raw
authentication information in favor of generated information such as
challenge/response data helps prevent a slew of possible attacks
(injection, playback, man-in-the-middle, etc.) when such information
is available on the wire.

Note however that if you're implying that PB authentication must be
challenge/response, that's not entirely accurate.  While it's true the
default Portal and ClientFactory implementations make use of a
challenge/response approach, you could just as easily change that to
be whatever you would like including simple clear text transmission of
authentication information in one step.  And that exchange is distinct
from the credential checker itself, so it can be replaced without changing
anything else.

Why you'd bother (when challenge/response is implemented for free) is
another question, but it's certainly possible.  I suppose if you're
using an SSL link for the PB connection with appropriate certificates
you could consider the challenge/response an extra round trip, but
it's got to be pretty insignificant compared to the overall session.

-- David
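As an added illustration of the two points made above (the shared secret never crosses the wire, and the exchange is separate from the credential checker), here is a small stand-alone challenge/response login in Python. It is example code, not Twisted's or PB's own implementation; the HMAC-SHA256 construction, the `USERS` store and the `ChallengeResponseLogin` class are assumptions chosen for the demo. It also shows the single-use challenge rejecting a replayed response.

```python
import hashlib
import hmac
import os

# Constructed sample credential store for the demo (not part of Twisted):
# username -> shared secret known to both ends.
USERS = {"alice": b"correct horse battery staple"}


def hmac_checker(username, challenge, response):
    """Credential checker: decides whether a response proves knowledge of the secret.
    It is the only component that touches the stored secret, so it can be swapped
    (e.g. for a database-backed checker) without touching the exchange below."""
    secret = USERS.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)   # constant-time comparison


class ChallengeResponseLogin:
    """Server side of the exchange: hands out a fresh random challenge and
    consumes it on verification, so each challenge is usable exactly once."""

    def __init__(self, checker):
        self.checker = checker
        self.pending = {}            # username -> outstanding challenge

    def issue_challenge(self, username):
        challenge = os.urandom(16)   # unpredictable, so a reply cannot be precomputed
        self.pending[username] = challenge
        return challenge

    def verify(self, username, response):
        challenge = self.pending.pop(username, None)   # single use
        if challenge is None:
            return False             # no outstanding challenge: nothing to verify
        return self.checker(username, challenge, response)


def client_respond(secret, challenge):
    """Client side: only the HMAC of the challenge goes on the wire, never the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo():
    """Returns (legitimate login ok, replayed response accepted, wrong secret accepted)."""
    server = ChallengeResponseLogin(hmac_checker)
    c1 = server.issue_challenge("alice")
    r1 = client_respond(USERS["alice"], c1)
    ok = server.verify("alice", r1)
    server.issue_challenge("alice")                     # fresh challenge is outstanding
    replayed = server.verify("alice", r1)               # captured r1 no longer matches
    c3 = server.issue_challenge("alice")
    bad = server.verify("alice", client_respond(b"wrong", c3))
    return ok, replayed, bad
```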
