UF-9000 JAN 2004 Ver. 1.0 DP-180/190

9.14. Lightweight Directory Access Protocol (LDAP) - Extended Feature

The protocol is designed to provide access to directories supporting the X.500 models, while not incurring the resource requirements of the X.500 Directory Access Protocol (DAP).

This protocol is specifically targeted at management applications and browser applications that provide read/write interactive access to directories. When used with a directory supporting the X.500 protocols, it is intended to be a complement to the X.500 DAP.

X.500 is an overall model for Directory Services in the OSI world. The model encompasses the overall namespace and the protocol for querying and updating it. A major part of X.500 is that it defines a global directory structure.

It is essentially a directory web, in much the same way that HTTP and HTML are used to define and implement the global hypertext web. Anyone with an X.500 or LDAP client may browse the global directory, just as they can use a web browser to browse the global Web.

From the "Start" menu of a Windows client PC, you can search for people on the Internet by querying a directory services server.

9.15. Lightweight Challenge-Response Mechanism POP (APOP) - Extended Feature

The base POP3 specification (POP3) also contains a lightweight challenge-response mechanism called APOP. APOP is subject to most of the risks associated with such protocols: in particular, it requires that both the client and server machines have access to the shared secret in clear text form. The Challenge-Response Authentication Mechanism (CRAM) offers a method for avoiding such clear text storage while retaining the algorithmic simplicity of APOP in using only MD5.

Normally, each POP3 session starts with a USER/PASS exchange. This results in a server/user-id specific password being sent in the clear on the network. For intermittent use of POP3, this may not introduce a sizable risk.
However, many POP3 client implementations connect to the POP3 server on a regular basis to check for new mail, and the interval between sessions may be on the order of five minutes. Hence, the risk of password capture is greatly increased.

An alternate method of authentication is required which provides for both origin authentication and replay protection, but which does not involve sending a password in the clear over the network. The APOP command provides this functionality.

A POP3 server which implements the APOP command will include a timestamp in its banner greeting. For example, on a UNIX implementation in which a separate UNIX process is used for each instance of a POP3 server, the timestamp might be built from a process-ID, a clock value and a hostname, where "process-ID" is the decimal value of the process's PID, "clock" is the decimal value of the system clock, and "hostname" is the fully-qualified domain name of the host where the POP3 server is running.
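The APOP exchange described in 9.15, with both the client and the server side, as an added example: this code is not from the manual and does not describe the UF-9000's own implementation. The user name, secret, hostname and first timestamp are the example values from RFC 1939, which also gives the <process-ID.clock@hostname> banner syntax and defines the digest as the MD5 of the timestamp (angle brackets included) immediately followed by the secret; the second session's PID and clock and the exact reply strings are constructed for the demonstration.

```python
"""APOP (RFC 1939) exchange with both sides, plus a replay attempt."""
import hashlib
import hmac
import re
from typing import Dict, Optional


def make_timestamp(process_id: int, clock: int, hostname: str) -> str:
    """Banner timestamp in the <process-ID.clock@hostname> form given as an
    example in RFC 1939. The angle brackets are part of the hashed value."""
    return f"<{process_id}.{clock}@{hostname}>"


def apop_digest(timestamp: str, secret: str) -> str:
    """Client digest: lowercase hex MD5 over timestamp + secret, no separator."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


_TIMESTAMP_RE = re.compile(r"<[^<>]*>")


def timestamp_from_banner(banner: str) -> Optional[str]:
    """Return the <...> token of the greeting, or None if the server offers no APOP."""
    match = _TIMESTAMP_RE.search(banner)
    return match.group(0) if match else None


def client_apop_command(banner: str, user: str, secret: str) -> Optional[str]:
    """The line the client sends instead of USER/PASS. None means the server
    offered no timestamp; the caller must not quietly fall back to PASS."""
    timestamp = timestamp_from_banner(banner)
    if timestamp is None:
        return None
    return f"APOP {user} {apop_digest(timestamp, secret)}"


class ApopServer:
    """Per-listener state. `secrets` holds every user's shared secret in clear
    text, which is exactly the storage requirement the section flags as APOP's
    main weakness."""

    def __init__(self, hostname: str, secrets: Dict[str, str]):
        self.hostname = hostname
        self.secrets = secrets


class ApopSession:
    """One TCP connection. The timestamp is fixed at greeting time and is the
    only value a digest is ever checked against, so a digest recorded from an
    earlier session (a replay) cannot verify here."""

    def __init__(self, server: ApopServer, process_id: int, clock: int):
        self.server = server
        self.timestamp = make_timestamp(process_id, clock, server.hostname)
        self.banner = f"+OK POP3 server ready {self.timestamp}"
        self.authenticated = False

    def handle(self, line: str) -> str:
        """Process one client command line and return the server's reply."""
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR expected APOP name digest"
        user, digest = parts[1], parts[2].lower()
        if len(digest) != 32 or digest.strip("0123456789abcdef"):
            return "-ERR malformed digest"
        secret = self.server.secrets.get(user)
        # Always compute a digest so unknown and known names cost the same time;
        # the comparison only counts when the user really exists.
        expected = apop_digest(self.timestamp, secret if secret is not None else "")
        if secret is not None and hmac.compare_digest(expected, digest):
            self.authenticated = True
            return "+OK maildrop locked and ready"
        return "-ERR permission denied"


def demo() -> Dict[str, object]:
    """One honest session, then the same APOP line replayed into a later session."""
    server = ApopServer("dbc.mtview.ca.us", {"mrose": "tanstaaf"})  # RFC 1939 values
    first = ApopSession(server, 1896, 697170952)                     # RFC 1939 timestamp
    command = client_apop_command(first.banner, "mrose", "tanstaaf")
    first_reply = first.handle(command)
    # An eavesdropper who recorded `command` replays it against a later session
    # (constructed PID and clock; every session gets a fresh timestamp).
    later = ApopSession(server, 2045, 697171388)
    replay_reply = later.handle(command)
    return {
        "command": command,
        "first": first_reply,
        "replay": replay_reply,
        "no_apop": client_apop_command("+OK POP3 server ready", "mrose", "tanstaaf"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats the exchange itself does not make visible: the server's clear-text secret store is the weakness the section names, and CRAM-MD5 removes it by letting the server keep only intermediate HMAC state instead of the secret; but with either mechanism an eavesdropper who records the timestamp and the digest can run an offline dictionary attack against the secret, so neither replaces transport encryption.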
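For the "search for people" lookup in 9.14, the text a user types has to become an LDAP search filter, and the check a practitioner wants is that typed parentheses and asterisks cannot change the filter's structure. The following is an added example, not code from the manual or from the UF-9000: it builds the filter with the escaping RFC 4515 requires, shows the unescaped version beside it, and includes a small offline evaluator for the filter subset used here so the difference can be seen without a directory server. The attribute names cn and mail, the base DN and the directory entries are constructed assumptions.

```python
"""People-search LDAP filter: naive vs. RFC 4515-escaped, checked offline."""
import re
from typing import Dict, List, Sequence

# RFC 4515: these characters must be written as backslash + two hex digits
# inside an assertion value. Backslash is replaced first so the escapes
# produced by the later replacements are not themselves re-escaped.
_ESCAPES = (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00"))


def escape_filter_value(value: str) -> str:
    for raw, escaped in _ESCAPES:
        value = value.replace(raw, escaped)
    return value


def naive_people_filter(query: str, attributes: Sequence[str] = ("cn", "mail")) -> str:
    """The tempting version: the typed text is pasted straight into the filter."""
    clauses = "".join(f"({attr}=*{query}*)" for attr in attributes)
    return f"(&(objectClass=person)(|{clauses}))"


def people_filter(query: str, attributes: Sequence[str] = ("cn", "mail")) -> str:
    """Hardened version: the text is escaped as a whole before the wildcards
    are added, so user-typed '(' ')' '*' match literally."""
    text = escape_filter_value(query.strip())
    if not text:
        raise ValueError("empty search text")
    clauses = "".join(f"({attr}=*{text}*)" for attr in attributes)
    return f"(&(objectClass=person)(|{clauses}))"


def _parse(f: str, i: int = 0):
    """Parse the component starting at f[i]; return (node, index after it).
    Handles '&', '|' and equality/substring assertions, all the builders emit."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|":
        op, i, children = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        if i >= len(f) or f[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, children), i + 1
    j = f.find(")", i)
    if j < 0:
        raise ValueError("unterminated assertion")
    attr, _, pattern = f[i:j].partition("=")
    return ("=", attr.lower(), pattern), j + 1


def _unescape(piece: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _matches(pattern: str, actual: str) -> bool:
    """Case-insensitive match: a raw '*' is a wildcard, '\\2a' is a literal star."""
    pieces = [_unescape(p).lower() for p in pattern.split("*")]
    s = actual.lower()
    if len(pieces) == 1:
        return s == pieces[0]
    first, middle, last = pieces[0], pieces[1:-1], pieces[-1]
    if not s.startswith(first) or not s.endswith(last):
        return False
    pos = len(first)
    for piece in middle:
        idx = s.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= len(s) - len(last)


def _eval(node, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    _, attr, pattern = node
    return any(_matches(pattern, v) for v in entry.get(attr, []))


def search(entries, ldap_filter: str) -> List[str]:
    """Return the DNs the filter selects (stand-in for a real search request)."""
    node, end = _parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return [e["dn"][0] for e in entries if _eval(node, e)]


# Constructed sample directory; attribute names are stored lowercase.
DIRECTORY = [
    {"dn": ["cn=Marshall Rose,ou=people,dc=example,dc=com"], "objectclass": ["person"],
     "cn": ["Marshall Rose"], "mail": ["mrose@example.com"]},
    {"dn": ["cn=Ann Chen,ou=people,dc=example,dc=com"], "objectclass": ["person"],
     "cn": ["Ann Chen"], "mail": ["achen@example.com"]},
    {"dn": ["cn=fax-01,ou=devices,dc=example,dc=com"], "objectclass": ["device"],
     "cn": ["fax-01"]},
]

if __name__ == "__main__":
    typed = "*)(mail=*"   # a search string that is also filter syntax
    print(search(DIRECTORY, naive_people_filter(typed)))  # every person entry
    print(search(DIRECTORY, people_filter(typed)))        # nobody: matched literally
```

With the naive builder the typed string turns into extra (mail=**) clauses and the OR matches every person; with escaping the same string is searched for as a literal substring and matches nothing. A real server would apply the same RFC 4515 rules, so the escaped filter can be sent as-is.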