[hono-dev] Security Improvement of Protocol Adapters

Hello Hono Mailing List

Some time ago I created an issue for a security improvement of Protocol Adapters:
https://github.com/eclipse/hono/issues/551

An attacker might try to brute-force the device credentials against a Protocol Adapter.
This bears confidentiality and integrity risks if the attacker successfully probes the credential.
Additionally, this consumes resources in the Protocol Adapter because the credential has to be validated (which is an expensive operation).

In the issue, a possible (easy) solution was discussed. The idea was to delay failed authentications and thus slow down the attacker.

In addition, I would suggest exposing the number of failed authentication attempts as a metric.

Best regards
Sebastian
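
One way to combine the delay for failed authentications with the failed-attempt metric proposed in the message above, as an added example that is not part of the original post and is not Hono code. The class name, the key format, the delay values and the table bound are assumptions; only JDK classes are used.

```java
import java.time.Duration;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.LongAdder;

/**
 * Hypothetical helper (not a Hono class): computes how long to hold back the
 * rejection of a failed authentication and counts failures for a metric.
 * The caller should schedule the rejection on a non-blocking timer instead of
 * sleeping, so that delayed attackers do not tie up adapter threads.
 */
public class FailedAuthThrottle {
    private static final int MAX_TRACKED = 100_000;        // bound memory: keys are attacker-influenced
    private final Duration base;
    private final Duration max;
    private final ConcurrentHashMap<String, Integer> consecutiveFailures = new ConcurrentHashMap<>();
    private final LongAdder failedTotal = new LongAdder();  // export this value as the metric

    public FailedAuthThrottle(Duration base, Duration max) {
        this.base = base;
        this.max = max;
    }

    /** Records a failed attempt and returns the delay to apply before answering. */
    public Duration onFailure(String key) {
        failedTotal.increment();
        if (consecutiveFailures.size() >= MAX_TRACKED && !consecutiveFailures.containsKey(key)) {
            return max;                                     // table full: do not track, use the longest delay
        }
        int n = consecutiveFailures.merge(key, 1, Integer::sum);
        int shift = Math.min(n - 1, 20);                    // cap the exponent so the shift cannot overflow
        return Duration.ofMillis(Math.min(base.toMillis() << shift, max.toMillis()));
    }

    /** A successful authentication clears the penalty for that key. */
    public void onSuccess(String key) { consecutiveFailures.remove(key); }

    public long failedAttempts() { return failedTotal.sum(); }

    public static void main(String[] args) {
        FailedAuthThrottle t = new FailedAuthThrottle(Duration.ofMillis(250), Duration.ofSeconds(8));
        String key = "tenant-a/device-4711";                // constructed sample identity
        for (int i = 1; i <= 7; i++) {
            System.out.println("failure " + i + " -> delay " + t.onFailure(key).toMillis() + " ms");
        }
        t.onSuccess(key);
        System.out.println("after success -> delay " + t.onFailure(key).toMillis() + " ms");
        System.out.println("failed attempts metric = " + t.failedAttempts());
    }
}
```

Keying on the claimed device identity lets an attacker slow down logins for a legitimate device, so the cap on the maximum delay and the choice of key (identity, source address, or both) are trade-offs to settle per adapter.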