6

I am looking at a text that mentions that the Secure European System for Applications in a Multi-vendor Environment (SESAME) was designed to address some of Kerberos's weaknesses, with enhancements such as:

  • Use of asymmetric cryptography
  • Distributed authentication
  • Role-based authorisation

I work mostly in the U.S. and Canada, but I also worked in Germany and Romania. I have used or implemented Kerberos everywhere but never heard of SESAME except in some textbooks.

Is SESAME for real? All I find is undated wishful thinking with dead links. Is there any security analysis of it or a reference implementation?

schroeder
ixe013

3 Answers

4

It is difficult to determine what the authoritative source is for SESAME, which is an indication. The best link, which I'm sure you have seen, is from COSIC.

The first paragraph states:

SESAME (a Secure European System for Applications in a Multi-vendor Environment) is a European research and development project, ...

All information and links for SESAME are pre-2000. There also doesn't seem to be an IETF RFC filed for SESAME, except this draft from 1996.

SESAME is not used, but was an idea that was superseded by improvements to Kerberos (RFC 1510).

schroeder
3

Not to say that SESAME was ever widely prevalent, but it did have valid use and was extended/modified with the advent of RFC 1510. For instance, SESAME was part of a secure CORBA implementation. I can't comment on a large ORB system that I know was in place even within the last 7 years, but it did exist - presumably at the later stages only superficially... For non-SESAME related issues, the system to which I refer was purported to be replaced.

I would doubt that any large-scale systems use SESAME. I wouldn't bet my life on it, though, because I've known companies that just retired historic SPARCs. (Europe also surprised me before by running Amigas well beyond the death of Commodore. Awesomeness.)

Anyhow, my theory (not fact) is that SESAME was extended to use the Kerberos 5 data structures as a way to ease transition by keeping the system's APIs consistent while replacing the backend. Ultimately, newer systems and code would have no legacy ties, thereby slowly putting nails into the SESAME coffin.

So my commentary, obscure knowledge, and personal theorizing is just that. In general, I think you're more likely to win two lotteries back to back than to encounter a SESAME implementation. ;-)

So Schroeder's reply is solid; I'm just adding unnecessary color to it for those that are interested.

Update: After typing this, I Googled and found published current references in International Journal of Computer Applications (0975 – 8887) Volume 89 – No. 4, March 2014: "Improving the Security of SSO in Distributed Computer Network using Digital Certificate and one Time Password (OTP)", Patel and Patel. This paper's references seem to have a 2005 link to what may be an actual implementation.

1

After reading up on a few things too (for example, this outdated article), I am pretty sure I have never heard of it before, and have never seen it.

All I could say is that it is another method of securing, but I am not betting my money on it.

So the answer is, no. For all I know, no one really uses it; not even the people I work with have heard of it. So I'm really assured there is a reason why no one uses it. A good bet to stay away from that old stuff ;)

schroeder
Lighty