CS 603 CORBA Security April 3, 2002

CS 603 CORBA Security

April 3, 2002

Security Service: Overview

• Goals
  – Confidentiality
  – Integrity
  – Accountability
  – Availability
• Where
  – IDL for security classes
  – Internal ORB checks
  – IIOP extensions for inter-ORB security

Key (visible) Features

• Authentication
  – Is principal (user or object) who they claim to be?
• Authorization
  – Does a principal have the right to perform an operation?
• Auditing
  – Who is the source user (human) for an action?
• Communication
  – Ensure messages not corrupted and (optionally) not intercepted
• Non-repudiation
  – Irrefutable evidence that an action has been performed
• Administration
  – How do we define the policy?

Specific Goals

• Simple
• Consistent
• Scalable
• Usable for end users
• Usable for administrators
• Usable for implementers
• Flexible
  – access control
  – Audit
  – functionality profiles
• Technology neutral
• Application portability
• Interoperability
  – different vendors
  – secure to non-secure
  – different domains
  – different technology
• Performance
• Object-Oriented
• Conform to regulations
• Conform to standard evaluation criteria

Security Packages

• Main Packages (at least one required)
  – Level 1: Applications unaware of security
  – Level 2: Application control of policy
• Optional packages
  – Non-repudiation
• Replaceable packages
  – ORB services: Interceptor interfaces (security external to ORB), or
  – Security Service: Standard ORB interface
• Common Secure Interoperability
  – Level 0: Identity based policies without delegation
  – Level 1: Identity with unrestricted delegation
  – Level 2: Identity and privilege policies, controlled delegation
• SECIOP Interoperability package
• Security Mechanism Packages
  – SPKM protocol – CSI level 0 (basic public key)
  – GSS Kerberos – CSI level 1
  – CSI-ECMA – CSI level 2 (SESAME)
  – SSL – CSI level 0
• SECIOP + DCE-CIOP interoperability

So how does it work?

• Credentials
  – Client obtains credentials giving principal’s security attributes
    • Identity
    • Privilege: Groups, Roles, Capabilities, Clearances
    • Also Public (unauthenticated) credentials
  – Credentials can selectively be attached to object reference
• Delegation
  – None – reference uses its own credentials
  – Simple – reference runs as principal
  – Combined – reference gets merge of self and principal
  – Composite – reference gets two sets of credentials (can trace)
  – Time restrictions on delegation
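The delegation modes listed above, worked through as a simplified Python model. This is an added example, not part of the original slides and not the CORBA Security Service API: `make_credentials`, `credentials_at_target`, `holders` and the sample principals are hypothetical names, and refusing delegation after the time limit is an assumption.

```python
from enum import Enum

class Delegation(Enum):
    NONE = "none"            # reference uses its own credentials
    SIMPLE = "simple"        # reference runs as the principal
    COMBINED = "combined"    # reference gets a merge of self and principal
    COMPOSITE = "composite"  # reference carries both sets separately

def make_credentials(identity, *privileges):
    """Model a credential set as a frozenset of (type, value) security attributes."""
    return frozenset({("identity", identity), *privileges})

def credentials_at_target(mode, principal, reference,
                          now=0.0, delegable_until=float("inf")):
    """Return the credential sets a target sees when `reference` (an
    intermediate object) invokes it on behalf of `principal`."""
    if mode is Delegation.NONE:
        return [reference]
    # Assumption: once the time restriction has passed, delegation is refused.
    if now > delegable_until:
        raise PermissionError("delegation period has expired")
    if mode is Delegation.SIMPLE:
        return [principal]
    if mode is Delegation.COMBINED:
        return [principal | reference]
    if mode is Delegation.COMPOSITE:
        return [principal, reference]
    raise ValueError(f"unknown delegation mode: {mode!r}")

def holders(cred_sets, attribute):
    """For each credential set that carries `attribute`, list the identities
    in that set. More than one identity means the target cannot attribute it."""
    return [sorted(value for kind, value in creds if kind == "identity")
            for creds in cred_sets if attribute in creds]

# Constructed sample principals (not from the slides).
ALICE = make_credentials("alice", ("role", "teller"))
LEDGER = make_credentials("ledger-svc", ("group", "backoffice"))
TELLER = ("role", "teller")

if __name__ == "__main__":
    for mode in Delegation:
        seen = credentials_at_target(mode, ALICE, LEDGER)
        print(f"{mode.value:9} sets={len(seen)} teller held by {holders(seen, TELLER)}")
```

Under combined delegation the teller role arrives in a single set carrying both identities, so an audit record cannot say which principal contributed it; composite delegation keeps the sets apart, which is what makes the call traceable.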

Responsibilities

• Enterprise manager
  – Type of access control policy
  – Level of auditing
  – Level of protection
• End user
• Application Developer
• Administrator
  – Domain administration, user creation, etc.
• Object system implementer
  – Install ORBs/services

Authentication

Invocation

Security-Unaware Object

Interfaces

• Level 1:
  – Current:get_attributes – get credentials of invoking principal
• Level 2:
  – PrincipalAuthenticator
    • Credentials Authenticate()
    • _authentication() – for multi-step authentication
  – Credentials
    • Set_security_features(), Get_security_features()
      – Delegation allowed? Secure communication?
    • Set_privileges() – Set group, role, clearance
      – Also identity: AuditId, AccountingId, NonRepudiationID
    • Get_attributes() – given types, get values
    • Is_valid() – Is the credential timed-out?
    • Refresh() – renew timed-out credential

Interfaces (Level 2, continued)

• SecurityLevel2::Object (CORBA::Object)
  – Override_default_credentials()
  – Override_default_QOP() – communication
  – Get_security_features()
  – Get_active_credentials()
• Current – security aspects of a given call
  – Get_attributes() (Security level 1)
  – Get_credentials()
  – Set_credentials()
  – Received_credentials
  – Received_security_features

Interfaces (Level 2, continued)

• AuditChannel
  – Audit_write() – write to log
• AuditDecision
  – Audit_needed()
  – Audit_channel
• AccessDecision
  – Access_allowed()

Security Domains

• Policy – common security policy
  – Hierarchical
  – Federated
  – Domains for different policies may overlap
• Environment – area with local enforcement
• Technology – same mechanisms

Non-Repudiation