CS 603 CORBA Security April 3, 2002. Security Service: Overview Goals –Confidentiality...
CS 603: CORBA Security
April 3, 2002
Security Service: Overview
• Goals
– Confidentiality
– Integrity
– Accountability
– Availability
• Where
– IDL for security classes
– Internal ORB checks
– IIOP extensions for inter-ORB security
Key (visible) Features
• Authentication – Is the principal (user or object) who they claim to be?
• Authorization – Does a principal have the right to perform an operation?
• Auditing – Who is the source user (human) for an action?
• Communication – Ensure messages are not corrupted and (optionally) not intercepted
• Non-repudiation – Irrefutable evidence that an action has been performed
• Administration – How do we define the policy?
Specific Goals
• Simple
• Consistent
• Scalable
• Usable for end users
• Usable for administrators
• Usable for implementers
• Flexible
– access control
– audit
– functionality profiles
• Technology neutral
• Application portability
• Interoperability
– different vendors
– secure to non-secure
– different domains
– different technology
• Performance
• Object-oriented
• Conform to regulations
• Conform to standard evaluation criteria
Security Packages
• Main packages (at least one required)
– Level 1: Applications unaware of security
– Level 2: Application control of policy
• Optional packages
– Non-repudiation
• Replaceable packages
– ORB services: Interceptor interfaces (security external to the ORB), or
– Security Service: Standard ORB interface
• Common Secure Interoperability (CSI)
– Level 0: Identity-based policies without delegation
– Level 1: Identity with unrestricted delegation
– Level 2: Identity and privilege policies, controlled delegation
• SECIOP interoperability package
• Security mechanism packages
– SPKM protocol – CSI level 0 (basic public key)
– GSS Kerberos – CSI level 1
– CSI-ECMA (SESAME) – CSI level 2
– SSL – CSI level 0
• SECIOP + DCE-CIOP interoperability
So how does it work?
• Credentials
– Client obtains credentials giving the principal's security attributes
  • Identity
  • Privilege: groups, roles, capabilities, clearances
  • Also public (unauthenticated) credentials
– Credentials can selectively be attached to an object reference
• Delegation
– None – reference uses its own credentials
– Simple – reference runs as the principal
– Combined – reference gets a merge of self and principal
– Composite – reference gets two sets of credentials (can trace)
– Time restrictions on delegation
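A small model of the four delegation modes listed above, showing which credentials an intermediate object presents when it calls onward and how a time restriction cuts delegation off. This is an added example, not code from the slides or from any CORBA Security implementation; the class and function names (Credentials, delegate, access_allowed) are assumptions that only loosely mirror the spec's IDL.

```python
"""Model of CORBA Security delegation modes: none / simple / combined / composite,
plus a delegation time limit. Added example; names are assumptions, not spec IDL."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Credentials:
    identity: str
    privileges: FrozenSet[str] = frozenset()  # groups, roles, clearances
    expires: Optional[int] = None             # delegation time restriction (seconds)


def is_valid(c: Credentials, now: int) -> bool:
    """Analogue of Credentials::is_valid(): a credential past its expiry is dead."""
    return c.expires is None or now < c.expires


def delegate(mode: str, own: Credentials, received: Credentials, now: int) -> List[Credentials]:
    """Credentials an intermediate object presents to the next target.

    `own` is the intermediary's credential, `received` the invoking principal's.
    An expired principal credential is never delegated, whatever the mode."""
    principal = [received] if is_valid(received, now) else []
    if mode == "none":
        return [own]                     # intermediary acts purely as itself
    if mode == "simple":
        return principal                 # intermediary impersonates the principal
    if mode == "combined":
        # One credential carrying the principal's identity and the union of
        # privileges; the target can no longer tell who contributed which.
        return [Credentials(c.identity, own.privileges | c.privileges, c.expires)
                for c in principal]
    if mode == "composite":
        return [own] + principal         # both kept, so the target can trace the chain
    raise ValueError(f"unknown delegation mode: {mode}")


def access_allowed(required: str, presented: List[Credentials]) -> bool:
    """Analogue of AccessDecision::access_allowed(): any presented credential may grant."""
    return any(required in c.privileges for c in presented)
```

Run with a principal whose credential expires at t=100 and an intermediary service: before expiry, combined mode lets the principal's call succeed on a privilege only the service holds; after expiry, simple mode presents nothing and composite mode falls back to the service's own credential.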
Responsibilities
• Enterprise manager
– Type of access control policy
– Level of auditing
– Level of protection
• End user
• Application developer
• Administrator
– Domain administration, user creation, etc.
• Object system implementer
– Install ORBs/services
Authentication (diagram slide)
Invocation (diagram slide)
Security-Unaware Object (diagram slide)
Interfaces
• Level 1:
– Current::get_attributes() – get credentials of the invoking principal
• Level 2:
– PrincipalAuthenticator
  • Credentials authenticate()
  • _authentication() – for multi-step authentication
– Credentials
  • set_security_features(), get_security_features()
– Delegation allowed? Secure communication?
  • set_privileges() – set group, role, clearance
– Also identity: AuditId, AccountingId, NonRepudiationId
  • get_attributes() – given types, get values
  • is_valid() – is the credential timed out?
  • refresh() – renew a timed-out credential
Interfaces (Level 2, continued)
• SecurityLevel2::Object (CORBA::Object)
– override_default_credentials()
– override_default_QOP() – communication
– get_security_features()
– get_active_credentials()
• Current – security aspects of a given call
– get_attributes() (Security level 1)
– get_credentials()
– set_credentials()
– received_credentials
– received_security_features
Interfaces (Level 2, continued)
• AuditChannel
– audit_write() – write to log
• AuditDecision
– audit_needed()
– audit_channel
• AccessDecision
– access_allowed()
Security Domains
• Policy – common security policy
– Hierarchical
– Federated
– Domains for different policies may overlap
• Environment – area with local enforcement
• Technology – same mechanisms
Non-Repudiation