ReTurn Server Asynchronous Authentication

From reSIProcate

Current status

  • reTurn authenticates users against a static text file

Proposed solution

  • Various backends exist
  • An SQL backend could store the H(A1) values used by repro and other SIP applications
  • A RADIUS backend (see Improving_RADIUS_Support) doesn't give out the password or H(A1) value; it performs the HMAC calculation itself and gives a yes/no answer to reTurn

To facilitate these different models, a very general solution is required.

  • Nonce factory
    • According to RFC 5090, the RADIUS server can potentially supply nonces.
    • Therefore, an asynchronous nonce generation workflow is required
  • when reTurn sends responses to a client, the response contains a signature
    • generating the signature requires the client's H(A1) value
    • reTurn may have H(A1) (from a file or in a cache from a database table), or it may ask the RADIUS server to calculate the signature without disclosing the H(A1)
    • therefore, this process needs to be asynchronous
  • when reTurn receives an authenticated message from the client it needs to validate the MAC
    • validating the MAC requires the H(A1) value
    • reTurn may have H(A1) (from a file or in a cache from a database table), or it may ask the RADIUS server to calculate the signature without disclosing H(A1), and then simply compare the signature computed by RADIUS against the one submitted by the client

To facilitate all of the above, there should be multiple abstraction layers:

  • request processing
    • during request processing, reTurn needs to access an API that does something like generateMAC(request, user)
    • implementations of the generateMAC(request, user) API would return one of three possible results:
      • a MAC, generated immediately
      • decline (e.g. bad username)
      • async: a signal that the request should be cached and other requests should be processed while the MAC provider does some DB lookup
  • middle-layer: an async wrapper for classes (such as databases) that return the H(A1) to reTurn
    • this middle-layer code may offer some kind of caching
  • alternative middle-layer: a RADIUS provider
    • this code delegates the generateMAC(request, user) operation to RADIUS and doesn't do anything itself
  • low-level: database drivers
    • specific backends for SQL, LDAP or file database
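As an added illustration of the layering above (not reTurn's own code, which is C++), the following Python sketch implements the three-way generateMAC result and the two middle-layer models; the class names, the in-process stand-in for the RADIUS exchange and the use of MD5(user:realm:password) as H(A1) with HMAC-SHA1 as the MAC are assumptions made here for the example:

```python
import hashlib, hmac
from collections import deque
from enum import Enum

class MacResult(Enum):
    MAC = "mac"          # a MAC, generated immediately
    DECLINE = "decline"  # e.g. unknown username
    ASYNC = "async"      # cache the request; the answer arrives via callback

def h_a1(username, realm, password):
    # Assumed long-term credential key: MD5("user:realm:password") as 16 raw bytes.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def compute_mac(request, key):
    # HMAC-SHA1 over the request bytes, keyed with H(A1).
    return hmac.new(key, request, "sha1").digest()

class FileMacProvider:
    """Middle layer for backends that hand H(A1) to reTurn: answers immediately."""
    def __init__(self, users):
        self.users = users  # {username: H(A1)}, e.g. loaded from a file or DB cache
    def generate_mac(self, request, user, on_done):
        key = self.users.get(user)
        if key is None:
            return MacResult.DECLINE, None
        return MacResult.MAC, compute_mac(request, key)

class RadiusMacProvider:
    """Alternative middle layer: delegates the MAC to RADIUS; H(A1) never reaches reTurn."""
    def __init__(self, radius_users):
        self.radius_users = radius_users  # constructed stand-in for the RADIUS server's store
        self.pending = deque()
    def generate_mac(self, request, user, on_done):
        self.pending.append((request, user, on_done))
        return MacResult.ASYNC, None
    def deliver(self):
        # Simulated RADIUS replies: computed on the RADIUS side, then pushed back via callback.
        while self.pending:
            request, user, on_done = self.pending.popleft()
            key = self.radius_users.get(user)
            on_done(MacResult.DECLINE, None) if key is None else on_done(MacResult.MAC, compute_mac(request, key))

class RequestProcessor:
    """Request-processing layer: validates a client's MAC; ASYNC results are parked, not blocked on."""
    def __init__(self, provider):
        self.provider, self.results = provider, {}
    def validate(self, req_id, request, user, client_mac):
        def on_done(kind, mac):
            self.results[req_id] = kind is MacResult.MAC and hmac.compare_digest(mac, client_mac)
        kind, mac = self.provider.generate_mac(request, user, on_done)
        if kind is not MacResult.ASYNC:
            on_done(kind, mac)  # immediate answer (MAC or DECLINE): decide now
        return kind
```

With the RADIUS provider, validate() returns ASYNC and the verdict is only recorded once deliver() runs, which is the point at which reTurn would pick the cached request back up.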