Article Title   : magic cookie secure
Creation Date   : unknown
Author          : unknown
Last Update     : 6-1-93
Last Update By  : NCD Technical Support
Expiration Rules:
=============================================================================

And now, what things do we implement:

                               2.4     3.0
                               ---     ---
    XDM-AUTHENTICATION-1       no      yes
    XDM-AUTHORIZATION-1        no      yes
    MIT-MAGIC-COOKIE-1         yes     yes
    SUN-DES-1                  no      no
    ?-KERBEROS-1               no      no

For reference, here's a brief summary of some terms relating to X security:

Authentication
    Proving you are who you say you are.  This is typically a *mechanism*
    (i.e. it doesn't decide anything for you).

Authorization
    The act of deciding whether or not you are allowed to do something
    (e.g. connect to the X server).  There are a variety of ways in which
    this can be done: think about how you go places with reservations,
    with tickets, with letters of reference, etc.  This implements a
    *policy* and is often built on top of authentication mechanisms when
    the identity of the person/place/thing being authorized is important.

XDM-AUTHENTICATION-1
    An authentication protocol used by XDMCP that allows the display and
    the host to prove their identities based on a shared, secret key
    (stored in NVRAM).  It uses encryption to make sure that people can't
    determine the key by snooping the network.

XDM-AUTHORIZATION-1
    An authorization protocol used by X applications to send a shared
    secret (based on the secret key mentioned above) to the X server.  It
    uses encryption to make sure that people can't determine the key by
    snooping the network.  The X server "authorizes" connections from
    clients that can provide the correct secret key.

MIT-MAGIC-COOKIE-1
    An authorization protocol used by X applications to send a shared,
    but not very secure, secret to the X server.  The secret (the
    "cookie") is not encrypted, so anyone who can snoop the network can
    read it and reuse it; it is therefore not very useful in hostile
    environments like universities.

Sun Secure RPC
    A mechanism for obtaining authentication information, called
    credentials, in Sun environments.

SUN-DES-1
    An authorization protocol used by X applications to securely send
    credentials based on one's login identity to the X server.  The X
    server uses this information to authorize connections from *users*
    that it knows about (via xhost).

Kerberos
    An authentication protocol developed at MIT Project Athena that can
    be used to obtain credentials.  Kerberos is included in OSF's DCE
    package and has the backing of a large proportion of the industry.
    However, actual implementation and adoption is moving extremely
    slowly.

?-KERBEROS-1
    The eventual authorization protocol that will be based on Kerberos.
    Nobody is working on this yet.

OSF DCE
    The Open Software Foundation's Distributed Computing Environment
    product.  It includes a variety of subsystems, including Kerberos and
    a security library similar to, but not compatible with, Kerberos.

DES
    The US Federal Data Encryption Standard.  This is a set of algorithms
    for encrypting data based on a secret 56 bit key.  US companies are
    typically not allowed to export any applications that can provide a
    way for end users to encrypt and decrypt arbitrary data.  Embedded
    uses (e.g. login passwords) are generally permitted.

CMW
    The US Defense Intelligence Agency's Compartmented Mode Workstation
    standard.  This is a set of requirements for systems that wish to
    call themselves "secure" for use in government agencies.  This
    requires extensions to both the networking and to the X server.

C2, B1, B2, B3, A1
    Increasing levels of computer system security as specified by the
    "Orange Book", yet another US Federal standard/guideline.  CMW falls
    somewhere between B1 and B2.
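The difference between MIT-MAGIC-COOKIE-1 and the encrypted protocols above is visible in the very first bytes a client sends to an X server.  The following Python is an added example (not NCD's code and not part of this article) that builds and decodes the X11 connection-setup request, in which the client names its authorization protocol and attaches the authorization data.  The record layout (byte-order flag, protocol version, name and data lengths, then name and data each padded to a 4-byte boundary) is the one defined by the core X11 protocol; the 16-byte cookie value is a constructed sample, and the descriptions in AUTH_PROTOCOLS are taken from the glossary above.  A monitoring tool fed the start of a client-to-server stream can use assess() to log which protocol was presented and to flag the cleartext case.

```python
"""Decode the X11 client connection-setup request and report which
authorization protocol it carries.  Added example, not NCD's code."""
import struct

# Protocol names from the article and what each does with the secret.
AUTH_PROTOCOLS = {
    "MIT-MAGIC-COOKIE-1": "cleartext: shared secret sent unencrypted",
    "XDM-AUTHORIZATION-1": "encrypted: secret derived from the XDM key",
    "SUN-DES-1": "credentials: Secure RPC login identity",
}


def pad4(n: int) -> int:
    """Bytes of padding needed to reach the next 4-byte boundary."""
    return (4 - n % 4) % 4


def build_setup_request(auth_name: str, auth_data: bytes,
                        little_endian: bool = True) -> bytes:
    """Encode an X11 (protocol 11.0) connection-setup request as a client sends it."""
    endian = "<" if little_endian else ">"
    name = auth_name.encode("ascii")
    header = (b"l" if little_endian else b"B") + b"\x00"   # byte order, unused
    # major, minor, length of auth name, length of auth data, 2 unused bytes
    header += struct.pack(endian + "HHHHxx", 11, 0, len(name), len(auth_data))
    return (header
            + name + b"\x00" * pad4(len(name))
            + auth_data + b"\x00" * pad4(len(auth_data)))


def parse_setup_request(buf: bytes) -> dict:
    """Decode the setup request from the first bytes of a client-to-server stream."""
    if len(buf) < 12 or buf[0:1] not in (b"l", b"B"):
        raise ValueError("not an X11 connection-setup request")
    endian = "<" if buf[0:1] == b"l" else ">"
    major, minor, n, d = struct.unpack(endian + "HHHHxx", buf[2:12])
    off = 12
    if len(buf) < off + n + pad4(n) + d:
        raise ValueError("truncated setup request")
    name = buf[off:off + n].decode("ascii", errors="replace")
    off += n + pad4(n)
    data = buf[off:off + d]
    return {"version": (major, minor), "auth_name": name, "auth_data": data}


def assess(buf: bytes) -> str:
    """One-line classification of a captured setup request for an audit log."""
    req = parse_setup_request(buf)
    name = req["auth_name"]
    if not name:
        return "no authorization data presented"
    return f"{name}: {AUTH_PROTOCOLS.get(name, 'unknown protocol')}"


if __name__ == "__main__":
    cookie = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    wire = build_setup_request("MIT-MAGIC-COOKIE-1", cookie)
    print(assess(wire))
    # With MIT-MAGIC-COOKIE-1 the cookie itself is in the stream, byte for byte.
    print("cookie visible in the raw stream:", cookie in wire)
```

The point of the last line is the one the glossary makes: with MIT-MAGIC-COOKIE-1 the raw cookie bytes are present in the packet, so anyone who can capture the connection setup has the secret, whereas XDM-AUTHORIZATION-1 and SUN-DES-1 put an encrypted value or credential in the same field.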