Globus Streams Authentication
1. Globus Stream Connections
When using Globus data streaming, a tunnel is formed from one stream gateway to another. Through that tunnel, users open connections over which data can stream. A connection is presented to the user as a single bidirectional, reliable, ordered stream. However, under the hood that connection breaks down into three underlying TCP connections.
The three underlying TCP connections are shown in the diagram with arrows. The connections between the applications and the Globus Connect Server are formed over a LAN. The connection between the two stream access points through the tunnel is formed over a wide-area network, often the public internet. Each underlying TCP connection leg is authenticated; however, encryption is left up to the application.
1.1. WAN Authentication
The arrow through the tunnel (2) in the above diagram represents a single TCP connection that is authenticated using TLS. It uses the same authentication mechanism as Globus file transfer. The TLS session uses a null cipher, so the connection is authenticated but left unencrypted.
1.2. LAN Authentication
In the above diagram, the arrows connecting applications and Globus Connect (1 and 3) are LAN connections. These are the connections that go directly from the user's application into the Globus data streaming network overlay. A key design goal of Globus data streaming is to integrate with user applications as seamlessly as possible. Therefore, we want to keep this connection as close to plain TCP as possible. It is recommended that administrators of a Globus Stream Gateway enable authentication. When enabled on the gateway, all LAN connections are authenticated via a challenge-based protocol when the connection is established. However, remember that ultimately it is the responsibility of any application to secure its own connections end-to-end, whether it uses a Globus tunnel to stream data or not.
1.3. Challenge-Based Protocol
The authentication protocol is based on a shared secret between the ends of a LAN connection (i.e., between the user's application and the GCS server). When a connection is formed, the accepting side of the connection generates a random string that it sends across the wire to the connecting side. The connecting side concatenates that string with the secret and calculates the SHA256 digest of the resulting combined string as its answer to the challenge. The connecting side then generates its own random challenge string. Both the SHA256 answer and the new challenge are then sent to the accepting side. The accepting side validates the answer to its challenge by performing the same string concatenation and SHA256 calculation. If the answer from the connector matches the expected value, the protocol continues; if not, the acceptor rejects the connection. Now the acceptor must prove to the connector that it too knows the secret, so it responds to the connector's challenge string with a SHA256 answer computed in the same way. The connector validates that answer. If it does not match the expected value, the connector closes the connection. If it does match, the connection is ready for use by the user, and no further protocol is layered over this part of the TCP connection.
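The mutual exchange described above, modelled in memory with both sides' messages. This is an added illustration, not Globus code: the page does not state the concatenation order, string encoding, digest encoding or challenge length, so challenge + secret, UTF-8, a hex digest and 16 random bytes are assumptions, and the constant-time comparison is a practitioner's addition rather than something the page specifies. Note that the secret itself never crosses the wire; only challenges and digests do.

```python
import hashlib
import hmac
import secrets

def answer(challenge: str, secret: str) -> str:
    # SHA256 over challenge + secret. Assumed (not stated on the page):
    # concatenation order, UTF-8 encoding and a hex-encoded digest.
    return hashlib.sha256((challenge + secret).encode("utf-8")).hexdigest()

class Acceptor:
    """Accepting side of a LAN connection (the GCS server)."""
    def __init__(self, secret: str) -> None:
        self.secret, self.challenge = secret, ""

    def start(self) -> str:
        # Step 1: generate a fresh random challenge and send it to the connector.
        self.challenge = secrets.token_hex(16)
        return self.challenge

    def verify_and_answer(self, peer_answer: str, peer_challenge: str):
        # Step 3: verify the connector's answer; None means "reject the connection".
        # On success, answer the connector's challenge to prove we hold the secret.
        expected = answer(self.challenge, self.secret)
        if not hmac.compare_digest(expected, peer_answer):  # constant-time compare
            return None
        return answer(peer_challenge, self.secret)

class Connector:
    """Connecting side of a LAN connection (the user's application)."""
    def __init__(self, secret: str) -> None:
        self.secret, self.challenge = secret, ""

    def respond(self, acceptor_challenge: str) -> tuple[str, str]:
        # Step 2: answer the acceptor's challenge and send our own challenge with it.
        self.challenge = secrets.token_hex(16)
        return answer(acceptor_challenge, self.secret), self.challenge

    def verify(self, acceptor_answer: str) -> bool:
        # Step 4: the acceptor's answer must match, otherwise close the connection.
        return hmac.compare_digest(answer(self.challenge, self.secret), acceptor_answer)

def run_handshake(acceptor_secret: str, connector_secret: str) -> bool:
    """Drive the whole exchange in memory; True only if both ends hold the same secret."""
    acc, con = Acceptor(acceptor_secret), Connector(connector_secret)
    acceptor_answer = acc.verify_and_answer(*con.respond(acc.start()))
    return acceptor_answer is not None and con.verify(acceptor_answer)
```

Once `run_handshake` returns True, the page's description applies: nothing further is layered on the TCP connection, so the data that follows is in the clear unless the application encrypts it.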
1.4. LAN Secret Management
LAN secrets are generated by the GCS server. There is one secret per tunnel, and it is only valid for the lifetime of the tunnel.
When a user initializes their environment, an API call is made to the GCS server telling it to generate a secret for the specific tunnel ID. The GCS server does so and associates the newly generated secret with the provided tunnel ID. When a connection comes in through a tunnel with that ID, the GCS server knows to use that secret in the authentication protocol. The secret is then returned to the initialization application and written to a secure file. User applications that use the Globus data streaming tooling open this file at connection time and read the secret.
2. Additional Reading
- Streaming Application Tools: A look under the hood at how our application tools can be used to integrate with your application.
- Streaming Guide: An overview of Globus data streaming.