Security Concepts for Distributed Component … Concepts for Distributed Component Systems ......
Transcript of Security Concepts for Distributed Component … Concepts for Distributed Component Systems ......
Tutorial Description
Security Concepts for Distributed Component Systems
Instructor
Walt Smith, Director of Technology at Tekna, Inc
Summary of Topics to be addressed
Building distributed component systems introduces a new complexity toenterprise security planning. This seminar will introduce the participant ton-tier, distributed component systems, the technologies they are built on andthe security concepts associated with them. We will focus on CORBA as adistribution architecture and look at some of the unique challenges it presentsto the security planner.
Biography of Walt Smith
Mr. Smith is the Director of Technology for Tekna, Inc. and is located at theirRichmond, VA headquarters. He is responsible for the technical strategies,methodologies, and technical staff management of Tekna and oversees theirdistributed component practice. Prior to joining Tekna, Mr. Smith was anobject oriented systems designer for a major financial corporation. He hasbeen a manufacturing, logistics and supply-chain systems consultant for 9years.
6/16/98 copyright 1998 Tekna, Inc 2
Agenda
• Introduction to n-tier distribution• Introduction to CORBA• Overview of CORBA security• Questions and Answers
6/16/98 copyright 1998 Tekna, Inc 3
“In the near future, internet technologies will formthe backbone of all enterprise applicationsdevelopment...”
6/16/98 copyright 1998 Tekna, Inc 4
Key Assumptions
• N-tier application development is here tostay.
• In the near future, ALL n-tier applicationdevelopment will use Internet protocols as atransport mechanism.
• Distributed component technologies representthe most likely scenario for n-tier Internetapplication development.
6/16/98 copyright 1998 Tekna, Inc 5
Background
• What is an n-tier application?• What is a component?• What is a distributed component?• What is CORBA?
6/16/98 copyright 1998 Tekna, Inc 6
What is an n-tier application?
Presentation
Business Logic
Data Access
•Displays information•Accepts User feedback
•Enforces business rules•Validates information•Can be 1 to n tiers
•Persists data•Interfaces to external systems•Can be 0 to n tiers
Interface
Interface
6/16/98 copyright 1998 Tekna, Inc 7
Why n-tier is good
• Allows a clear separation of technology boundaries• Encourages vendor independence at all levels• Is extremely scalable
6/16/98 copyright 1998 Tekna, Inc 8
What is a component?
Any discrete chunk of businessfunctionality that is accessed via awell-defined interface
“A component does one thing, and doesit very well...”
6/16/98 copyright 1998 Tekna, Inc 9
Why components are good
• Maximize modularity of a system, improvingmaintainability• Promote vendor independence• Are extensible, improving reuse at all levels.
6/16/98 copyright 1998 Tekna, Inc 10
Components vs. Objects
Components
•Have a well-defined interface•Act cooperatively to form a system
Objects
•Have a well-defined interface•Hide their local state•Encapsulate both data and procedures•Use a hierarchy of inheritance•Act cooperatively to form a system
6/16/98 copyright 1998 Tekna, Inc 11
A business component
A customer
= iCustomer
iCustomer.accountNumber() iCustomer.name()iCustomer.age()iCustomer.balance()
iCustomer.sendBill()
Interface
6/16/98 copyright 1998 Tekna, Inc 12
How components talk
iCustomer
iSalesOrder1. Request = Customer.accountNumber()
3. Result = “22345T452786”
1. Requests are made to the interface.2. The underlying implementation processes the request.3. Results are returned through the interface to the caller.
2. Thehard part.
6/16/98 copyright 1998 Tekna, Inc 13
A component based system
iWarehouseiCustomer
SalesDB
iClientApp
TaxDB CustomerDB
iShipmentiSalesOrder
6/16/98 copyright 1998 Tekna, Inc 14
What are distributedcomponents?
iSalesOrder
iCustomeriSalesDB
iClientApp
Machine X
Machine Y
Machine Z
Network
6/16/98 copyright 1998 Tekna, Inc 15
Why distribution is good
• Eases load balancing tasks• Increases system scalability• Promotes vendor independence• Increases reliability through redundancy
6/16/98 copyright 1998 Tekna, Inc 16
Distribution Architecture
Distribution Mechanism
Distribution Technology
ServicesComponents
6/16/98 copyright 1998 Tekna, Inc 17
Some popular distributionmechanisms
Common Object Request Broker Architecture (CORBA)Distributed Computing Environment (DCE)Distributed Component Object Model (DCOM)**Remote Method Invocation (RMI)*
* RMI is now a special case of CORBA**DCOM now features inter-operability with CORBA
6/16/98 copyright 1998 Tekna, Inc 18
Internet Inter-ORB Protocol
Object Request Broker
IDL
CORBA Architecture
CORBA Services
6/16/98 copyright 1998 Tekna, Inc 19
What is CORBA?
• Common Object Request Broker Architecture
• An internationally defined standard forcomponent distribution
• Overseen by the Object Management Group• Implemented by many vendors including
IONA, Visigenic, SUN and IBM• Platform, language and vendor independent
6/16/98 copyright 1998 Tekna, Inc 20
Why CORBA is good
• Separates the definition of a componentfrom it’s implemenation• Makes reuse available across all codebases (C++, JAVA, COBOL, ADA, etc)• Allows a gradual migration of proceduralcode to component technology
6/16/98 copyright 1998 Tekna, Inc 21
Important Note
The CORBA standard refers to components asobjects. A CORBA object may be either acomponent or a “true” object. From here on, weuse the term object interchangeably with theword component. This is NOT an endorsementof the objectivity of CORBA.
6/16/98 copyright 1998 Tekna, Inc 23
Interface Definition Language
iCustomer
Icustomer(intcustomerNumber){ malloc ……..}etc.
Platform independent languageto define interface.
Hides the platform dependentimplementation details fromother components in the system.
IDL is usually be tied to the implementationlanguage at compile time via a pre-complier.
6/16/98 copyright 1998 Tekna, Inc 24
Example IDL
module mPartner{interface iCustomer{
exception iCustomerException{string reason;
};
string getCustomerName(in long customerNumber)raises (iCustomerException);
void setCustomername(in string customerName)raises (iCustomerException);
};};
6/16/98 copyright 1998 Tekna, Inc 26
Object Request Broker
iSalesOrder
iCustomeriSalesDB
iClientApp
ORB
• Facilitates connections between objects• Accepts requests to use objects, locates those objects andfacilitates the connection to them.• A facilitator, NOT a mediator! Does not mediate connectionsonce they are established.
6/16/98 copyright 1998 Tekna, Inc 27
Interfaces to the ORB
ObjectAdapter
ORBInterface
ORB Core
DynamicInvocationInterface
IDLStub
6/16/98 copyright 1998 Tekna, Inc 28
Internet Inter-ORB Protocol
Object Request Broker
IDL
CORBA Architecture
6/16/98 copyright 1998 Tekna, Inc 29
Internet Inter-ORB Protocol
iSalesOrder
iCustomeriSalesDB
iClientApp
ORB ORB
Allows components and ORBs to communicate over a TCP/IP wire protocol
6/16/98 copyright 1998 Tekna, Inc 30
IIOP Factoids•A special case of GIOP, the General Inter-ORBProtocol. The GIOP can be mapped onto anyconnection oriented transport layer.
•Uses Interoperable Object References (IOR’s)to bridge requests between ORB’s. These arebasically platform independent data structures.
•Has become ubiquitous, even being used forintra-ORB communications. “The de-facto ORBcommunication protocol.”
6/16/98 copyright 1998 Tekna, Inc 31
CORBA Architecture
Object Request Broker
Internet Inter-ORB Protocol
CORBA ServicesIDL
6/16/98 copyright 1998 Tekna, Inc 32
CORBA ServicesProvide a definition of infra-structure functionality for CORBAbased systems to insulate the developer from some details ofimplementing a CORBA application. Examples;
Object NamingTransaction ControlPersistence of DataEvent NotificationConcurrency (Object locking)
Security
6/16/98 copyright 1998 Tekna, Inc 33
The CORBA Security Service
•Defined by the OMG in Chapter 15 of the CORBAservices white paper.
•Covers all aspects of security and defines theimplementation details for each aspect.
•Based on KERBEROS, the DCE security model.
•Not all-encompassing (Read Appendix E,Guidelines to a trustworthy system)
6/16/98 copyright 1998 Tekna, Inc 34
Aspects of Security• Confidentiality - Information is disclosed only to usersauthorized to access it.• Integrity - Information is modified only by users whohave the right to do so, and only in authorized ways. It istransferred only between intended users and in intendedways.• Accountability - Users are accountable for theirsecurity-relevant actions. A particular case of this is non-repudiation, where responsibility for an action cannot bedenied.• Availability - Use of the system cannot be maliciouslydenied to authorized users.
6/16/98 copyright 1998 Tekna, Inc 35
Perceived Threats• An authorized user of the system gaining access to information thatshould be hidden from him.• A user masquerading as someone else, and so obtaining access towhatever that user is authorized to do, so that actions are being attributedto the wrong person.• In a distributed system, a user may delegate his rights to other objects,so they can act on his behalf. This adds the threat of rights beingdelegated too widely, again causing a threat of unauthorized access.• Security controls being bypassed.• Eavesdropping on a communication line, so gaining access toconfidential data.• Tampering with communication between objects - modifying, insertingand deleting items.• Lack of accountability due, for example, to inadequate identification ofusers.
6/16/98 copyright 1998 Tekna, Inc 36
Key Features
•Identification and authentication of principals (human users andobjects which need to operate under their own rights) to verify they are who theyclaim to be.
•Authorization and access control - deciding whether a principal canaccess an object, normally using the identity and/or other privilege attributes of theprincipal (such as role, groups, security clearance) and the control attributes of thetarget object (stating which principals, or principals with which attributes) can accessit.
•Security auditing to make users accountable for their security related actions.It is normally the human user who should be accountable. Auditing mechanismsshould be able to identify the user correctly, even after a chain of calls through manyobjects.
6/16/98 copyright 1998 Tekna, Inc 37
Key Features (continued)•Security of communication between objects, which is often over insecurelower layer communications. This requires trust to be established between the client andtarget, which may require authentication of clients to targets and authenticationof targets to clients. It also requires integrity protection and (optionally)confidentiality protection of messages in transit between objects.
•Non-repudiation provides irrefutable evidence of actions such as proof of originof data to the recipient, or proof of receipt of data to the sender to protect againstsubsequent attempts to falsely deny the receiving or sending of the data.
•Administration of security information (for example, security policy) is alsoneeded.
6/16/98 copyright 1998 Tekna, Inc 38
Security model entities
Principal
A principal is a human user or system entity that is registered in andauthentic to the system. Initiating principals are the ones that initiateactivities. An initiating principal may be authenticated in a number ofways, the most common of which for human users is a password. Forsystems entities, the authentication information such as its long-termkey, needs to be associated with the object.
6/16/98 copyright 1998 Tekna, Inc 39
Security model entities
Principal
Credentials
has; delegates
Credentials include:•Unathenticated or Public attributes•Authenticated Attributes:
•identity attributes•privilege attributes
6/16/98 copyright 1998 Tekna, Inc 40
Security model entities
PrincipalIssuesaccepts Invocations
An invocation may involve:• Establishing a security association between the client and target object so thateach has the required trust that the other is who it claims to be. In manyimplementations, associations will normally persist for many interactions, not just asingle invocation. (Within some environments, the trust may be achieved by localmeans, without use of authentication and cryptography.)• Deciding whether this client (acting for this principal) can perform this operationon this object according to the access control policy• Auditing this invocation if required• Protecting the request and response from modification or eavesdropping intransit, according to the specified quality of protection.
6/16/98 copyright 1998 Tekna, Inc 41
Security model entities
Principal
Audits
performs
Audits may be performed by:• The client principal• The target principal• Any intermediate component• The distribution mechanism itself(during invocation)
6/16/98 copyright 1998 Tekna, Inc 42
A closer look at...
• Delegation• Non-repudiation• Domains• Auditing
6/16/98 copyright 1998 Tekna, Inc 43
Delegation model
Principal Invocation Intermediary
Invocation
TargetInvocation
Invocation
Invocation
Intermediary Target
Target
Each intermediary isdelegated the credentialsof the invoking principal untilthe final target components areinvoked.
6/16/98 copyright 1998 Tekna, Inc 44
Types of Delegation1. No Delegation
Client Invocation Intermediary TargetInvocation
Client Credentials Intermediary Credentials
The client permits the intermediary to use its privileges for accesscontrol decisions, but does not permit them to be delegated, so theintermediary component cannot use these privileges when invoking the nextcomponent in the chain.
6/16/98 copyright 1998 Tekna, Inc 45
Types of Delegation2. Simple Delegation
Client Invocation Intermediary TargetInvocation
Client Credentials
The client permits the intermediate to assume its privileges, both using themfor access control decisions and delegating them to other others. The targetobject receives only the client's privileges, and does not know who theintermediate is.
Client Credentials
6/16/98 copyright 1998 Tekna, Inc 46
Types of Delegation3. Composite Delegation
Client Invocation Intermediary TargetInvocation
Client Credentials
The client permits the intermediary component to use its credentials anddelegate them. Both the client privileges and the immediate invoker’s privilegesare passed to the target, so that both the client privileges and the privilegesfrom the immediate source of the invocation can be individually checked.
Client CredentialsIntermediary Credentials
6/16/98 copyright 1998 Tekna, Inc 47
Types of Delegation3. Combined Delegation
Client Invocation Intermediary TargetInvocation
Client Credentials
The client permits the intermediate object to use its privileges. Theintermediate converts these privileges into credentials and combines them withits own credentials. In that case, the target cannot distinguish which privilegescome from which principal.
Composite Credentials
6/16/98 copyright 1998 Tekna, Inc 48
Types of Delegation4. Traced Delegation
Client Invocation Int TargetInvocation
Client Credentials
The client permits the intermediary components to use its privileges anddelegate them. However, at each intermediate component in the chain, theintermediate's privileges are added to privileges propagated to provide a traceof the delegates in the chain.
Chain of Credentials
Int
6/16/98 copyright 1998 Tekna, Inc 49
Non-repudiation model
Principal Principal
Evidencegeneration
andverification
Evidencestorage and
retrieval
Deliveryagent
Adjudicator
Dispute / Judgement
6/16/98 copyright 1998 Tekna, Inc 50
Non-repudiation services
• Generation of evidence of an action.• Verification of evidence of an action.• Generation of a request for evidence relatedto a message sent to a recipient.• Receipt of a request for evidence related to amessage received.• Analysis of details of evidence of an action.• Collection of the evidence required for longterm storage. In this case, more completeevidence may be needed.
6/16/98 copyright 1998 Tekna, Inc 51
Domain ModelConceptual Domain
A distinct scope, within which certain common characteristics are exhibitedand common rules observed.
6/16/98 copyright 1998 Tekna, Inc 53
Domain Types
•Security policy domain - The scope over which a securitypolicy is enforced. There may be subdomains for different aspectsof this policy.
•Security environment domain - The scope over which theenforcement of a policy may be achieved by some means local tothat environment, so does not need to be enforced within theobject system. For example, messages will often not needcryptographic protection to achieve the required integrity whenbeing transferred between objects in the same machine.
•Security technology domain - Where common securitymechanisms are used to enforce the policies.
6/16/98 copyright 1998 Tekna, Inc 54
Auditing Model
Initiator Target
Application Audit Application Audit
ORB
Invocation, access control, security, etc. Audits
Request Request
6/16/98 copyright 1998 Tekna, Inc 55
Auditing Factoids• Audit policies are used to restrict what typesof events to audit under which circumstancesto reduce audit record sizes.• System audit policies are enforcedautomatically for all applications, even securityunaware ones.• Events can either be recorded on audit trailsfor later analysis or, if they are deemed to beserious, alarms can be sent to anadministrator.• Application audit trails may be separate fromsystem ones.
6/16/98 copyright 1998 Tekna, Inc 56
Security Technology Components
Security implementation
Application Components
ORB
Security ServiceComponents
6/16/98 copyright 1998 Tekna, Inc 57
Security Interface
• Via function calls to the security serviceinterface• Interface and type definitions are fully defined inthe OMG standard• Interface is implementation independent,allowing multiple technology implementations toco-exist, even in the same environment
6/16/98 copyright 1998 Tekna, Inc 60
Bibliography
CORBA standard white paper, Chp 15 - Security Services.November, 1996 version 1.0http://www.omg.org
The CERF CORBA FAQhttp://www.cerfnet.com/~mpcline/Corba-FAQ/index.html
CORBA on the WebRon Ben-NatanMcGraw-Hill ISBN 0-07-006724-4
6/16/98 copyright 1998 Tekna, Inc 61
Contact Information
Walt [email protected]
(804) 217-8888
Tekna4600 Cox Road, Suite 320
Glen Allen, VA 23060www.tekna.com