Ticket vs wamp-cra

#1

Can anyone tell me the difference between ticket and wamp-cra authentication? From what I can glean from examples both ultimately require an authid and a secret - so how are they different?

I want to authenticate server-side services and was looking for something that just validates a secret sort of thing...

0 Likes

#2

Hi Chris,

The difference is: with WAMP-Ticket, the shared secret travels the wire, while with WAMP-CRA, the secret is never serialized or transmitted. With WAMP-Ticket, the recommended way of usage would be some kind of one-time “tickets” - hence the naming … you can technically use it with a shared, long-term static secret, but in this case you must absolutely use TLS. With WAMP-CRA, you can in principle use a non-encrypted transport, since the challenge-response scheme under the hood has safeguards: not only “no secrets on the wire”, but also against replay and timeout attacks. Also, WAMP-CRA is meant to be used with a long-term stable secret, and can employ password salting.

Also note the discussion here:

* https://github.com/wamp-proto/wamp-proto/issues/128#issuecomment-74268272
* https://github.com/wamp-proto/wamp-proto/issues/135

Cheers,
/Tobias


0 Likes
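The exchange Tobias describes, as an added example that is not part of the original thread and not Crossbar or Autobahn code: a stand-in router issues a one-shot challenge, the client signs it with a key derived from its password and the router's salting parameters, and the router verifies the signature while refusing replayed or stale challenges. The user-store layout, the `Router`/`Client` class names, the nonce size, the 30-second challenge lifetime and the sample credentials are all constructed for this demo; the key derivation (PBKDF2-SHA256, base64-encoded) and the signature (base64 of HMAC-SHA256 over the challenge JSON) follow the WAMP-CRA scheme. A `ticket_login` function is included only to contrast what crosses the wire in WAMP-Ticket.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def derive_key(secret, salt, iterations=1000, keylen=32):
    """PBKDF2-SHA256 of the password with a per-user salt, base64-encoded.
    Router and client derive the same key independently; the password itself never moves."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations, keylen)
    return base64.b64encode(raw)


def compute_wcs(key, challenge):
    """WAMP-CRA signature: base64(HMAC-SHA256(key, challenge))."""
    return base64.b64encode(hmac.new(key, challenge.encode(), hashlib.sha256).digest()).decode()


def make_user(secret, salt, iterations=1000, keylen=32):
    """Router-side credential record (constructed layout): stores the derived key, not the password."""
    return {"salt": salt, "iterations": iterations, "keylen": keylen,
            "key": derive_key(secret, salt, iterations, keylen)}


class Router:
    """Constructed stand-in for a WAMP router: issues one-shot challenges and verifies signatures."""

    def __init__(self, users, max_age=30.0):
        self.users = users        # authid -> record from make_user()
        self.max_age = max_age    # seconds a challenge stays valid (timeout defence)
        self.pending = {}         # nonce -> challenge JSON; removed once used (replay defence)

    def challenge(self, authid, realm, now=None):
        user = self.users[authid]
        msg = {"authid": authid, "authrole": "backend", "authmethod": "wampcra",
               "authprovider": "static", "realm": realm,
               "nonce": secrets.token_hex(16),
               "timestamp": time.time() if now is None else now}
        challenge = json.dumps(msg, sort_keys=True)
        self.pending[msg["nonce"]] = challenge
        # 'extra' is everything the client receives: the challenge plus the salting parameters
        return {"challenge": challenge, "salt": user["salt"],
                "iterations": user["iterations"], "keylen": user["keylen"]}

    def verify(self, authid, challenge, signature, now=None):
        msg = json.loads(challenge)
        now = time.time() if now is None else now
        # replay defence: the nonce must be one we issued and not yet consumed
        if self.pending.pop(msg.get("nonce"), None) != challenge:
            return False
        # timeout defence: a stale challenge is rejected even with a valid signature
        if now - msg["timestamp"] > self.max_age:
            return False
        expected = compute_wcs(self.users[authid]["key"], challenge)
        return hmac.compare_digest(expected, signature)


class Client:
    """Component that knows only its password and derives the key from the router's parameters."""

    def __init__(self, authid, secret):
        self.authid = authid
        self._secret = secret

    def answer(self, extra):
        key = derive_key(self._secret, extra["salt"], extra["iterations"], extra["keylen"])
        return compute_wcs(key, extra["challenge"])


def cra_login(router, client, realm):
    """One complete WAMP-CRA handshake. Returns (ok, JSON of everything that crossed the wire)."""
    extra = router.challenge(client.authid, realm)
    signature = client.answer(extra)
    ok = router.verify(client.authid, extra["challenge"], signature)
    return ok, json.dumps({"to_client": extra, "to_router": signature})


def ticket_login(tickets, authid, ticket):
    """WAMP-Ticket contrast: the ticket itself is the message, so a static secret needs TLS."""
    ok = hmac.compare_digest(tickets.get(authid, ""), ticket)
    return ok, json.dumps({"to_router": ticket})


if __name__ == "__main__":
    # constructed sample credentials
    router = Router({"worker": make_user("correct horse", "salt-for-worker")})
    print(cra_login(router, Client("worker", "correct horse"), "realm1"))
```

Two properties are worth checking when you run it: the wire JSON returned by `cra_login` contains the salt, the challenge and the signature but never the password, and a second `verify` with the same challenge and signature fails because the nonce was consumed. The ticket variant returns the secret itself as the payload, which is why the thread insists on TLS for a long-term ticket.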

#3

Ah, for authenticating server-side components to a WAMP router: one of the most secure ways is by using filesystem permissions on Unix domain sockets as a transport. Then you can sometimes get away without any WAMP-level authentication at all. However, that obviously only works with components co-located with the router.


0 Likes
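The transport-level approach from the reply above, as an added example that is not from the thread and not Crossbar code: a listener creates a Unix domain socket with mode 0600 from the moment it exists (via the umask, so there is no window where it is world-writable), and on Linux reads the peer's uid with `SO_PEERCRED` so the server knows which local user connected. The socket name, the greeting and the threading layout are constructed for the demo; on platforms without `SO_PEERCRED` the peer uid is reported as `None`.

```python
import os
import socket
import struct
import tempfile
import threading


def peer_uid(conn):
    """Linux: uid of the process at the other end of a Unix socket (SO_PEERCRED). None elsewhere."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    size = struct.calcsize("3i")          # struct ucred: pid, uid, gid
    pid, uid, gid = struct.unpack("3i", conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, size))
    return uid


def serve_once(path, ready, out):
    """Bind a 0600 socket, accept one client, record who it was, send a greeting."""
    old_umask = os.umask(0o177)           # 0777 & ~0177 == 0600: owner-only from creation
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    out["peer_uid"] = peer_uid(conn)
    conn.sendall(b"hello")
    conn.close()
    srv.close()


def demo():
    """Run server and client in one process; return what a reviewer would want to check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "router.sock")   # constructed socket path
        ready, out = threading.Event(), {}
        server = threading.Thread(target=serve_once, args=(path, ready, out))
        server.start()
        if not ready.wait(5):
            raise RuntimeError("listener did not come up")
        mode = os.stat(path).st_mode & 0o777       # permission bits actually on the socket file
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        greeting = cli.recv(16)
        cli.close()
        server.join(5)
        return {"mode": mode, "peer_uid": out.get("peer_uid"),
                "server_uid": os.getuid(), "greeting": greeting}


if __name__ == "__main__":
    print(demo())
```

On Linux, connecting to a Unix socket requires write permission on the socket file, so with mode 0600 only the owning uid (or root) can reach the listener at all; the `SO_PEERCRED` check on top lets the server log or reject by uid even when the directory permissions are looser than intended.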

#4

Thanks very much Tobias. For now the server components (written in NodeJS) are going to be co-located on the same server as the router, so your note about using domain sockets is appreciated. Another thing I had considered was configuring a dedicated web socket transport bound only to localhost so the traffic should not leave the server. In that scenario, WAMP-Ticket would probably be fine security-wise.

In the longer term however, it is possible they may not be co-located so I probably will need to use WAMP-CRA (now that you have described the difference) with a salted pre-shared key as this sounds like the most secure and flexible method.

Thanks again for the tips and explanation.


0 Likes

#5

Hey Tobias,

One more question around this. My worker service needs to respond to calls regardless of realm, but when I make a WAMP-CRA connection to a server, I have to specify a realm. This seems to imply that to handle this my worker service needs to manage a pool of connections and register the same handler for each of them. Is this true?


0 Likes

#6

Hi Chris,

    Hey Tobias,

    One more question around this. My worker service needs to respond to
    calls regardless of realm, but when I make a WAMP-CRA connection to a
    server, I have to specify a realm. This seems to imply that to handle

Yes, a WAMP session only comes into existence by being attached to a specific realm.

There is no such thing as an "unattached session" or a session being attached to multiple realms.

    this my worker service needs to manage a pool of connections and
    register the same handler for each of them. Is this true?

Yes, correct.

Let's say you have an app component that implements a procedure "com.example.compute_prime".

You would fire up an instance of that component for each realm you want the procedure to be available in.

Cheers,
/Tobias

--
You received this message because you are subscribed to the Google
Groups "Crossbar" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to crossbario+...@googlegroups.com
<mailto:crossbario+...@googlegroups.com>.
To post to this group, send email to cross...@googlegroups.com
<mailto:cross...@googlegroups.com>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/crossbario/aec6c052-e268-4dec-bbe6-4c67691735d9%40googlegroups.com
<https://groups.google.com/d/msgid/crossbario/aec6c052-e268-4dec-bbe6-4c67691735d9%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.

0 Likes
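The one-instance-per-realm pattern from the reply above, as an added example that is not from the thread and not Crossbar or Autobahn code: the `Router`, `Realm` and `Session` classes are a constructed toy model of the one rule the reply states (a session is attached to exactly one realm, so a registration is visible only inside that realm), and `Worker` keeps a pool of sessions, one per realm, registering the same `com.example.compute_prime` handler in each. `NoSuchProcedure` stands in for the WAMP error a caller would see in a realm where no instance was started.

```python
class NoSuchProcedure(Exception):
    """Stands in for the WAMP error URI wamp.error.no_such_procedure."""


class Realm:
    """Registrations live inside a realm; nothing is shared across realms."""

    def __init__(self, name):
        self.name = name
        self.registrations = {}   # procedure URI -> handler


class Session:
    """A session exists only once attached to exactly one realm."""

    def __init__(self, realm, authid):
        self.realm = realm
        self.authid = authid

    def register(self, uri, handler):
        self.realm.registrations[uri] = handler

    def call(self, uri, *args):
        handler = self.realm.registrations.get(uri)
        if handler is None:
            raise NoSuchProcedure(f"{uri} is not registered in realm {self.realm.name}")
        return handler(*args)


class Router:
    """Constructed stand-in: knows its realms and attaches each new session to one of them."""

    def __init__(self, realm_names):
        self.realms = {name: Realm(name) for name in realm_names}

    def join(self, realm_name, authid):
        # joining must name one existing realm; there is no realm-less session
        return Session(self.realms[realm_name], authid)


def compute_prime(n):
    """Return the n-th prime (n >= 1); stands in for the thread's example procedure."""
    found, candidate = 0, 1
    while found < n:
        candidate += 1
        if all(candidate % p for p in range(2, int(candidate ** 0.5) + 1)):
            found += 1
    return candidate


class Worker:
    """Pool of sessions, one per realm, each registering the same handler."""

    def __init__(self, router, realm_names, authid="worker"):
        self.sessions = {}
        for name in realm_names:
            session = router.join(name, authid)          # one attach per realm
            session.register("com.example.compute_prime", compute_prime)
            self.sessions[name] = session


def demo():
    """Serve two of three realms and show the third has no such procedure."""
    router = Router(["realm1", "realm2", "realm3"])
    Worker(router, ["realm1", "realm2"])
    results = {}
    for name in router.realms:
        caller = router.join(name, "caller")
        try:
            results[name] = caller.call("com.example.compute_prime", 10)
        except NoSuchProcedure:
            results[name] = "no_such_procedure"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `demo` loop is the asymmetry: the same caller code succeeds in `realm1` and `realm2`, where a worker instance attached and registered, and fails in `realm3`, where none did. In a real deployment each realm may also carry its own credentials, so the per-realm session is the natural unit for the authid and secret as well as for the registration.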

#7

Awesome - thanks for the confirmation. Currently I have been learning Crossbar and Autobahn with only a single test realm, but I will add a second realm and make sure I am coding my components to work correctly for multiple realms.


0 Likes