Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống
1
/ 46 trang
THÔNG TIN TÀI LIỆU
Thông tin cơ bản
Định dạng
Số trang
46
Dung lượng
302,56 KB
Nội dung
Figure 7.1 Basic client/server paradigm and RPC model. Keep in mind that the relationship between a client and server is always associated with a particular invocation. For example, in Figure 7.2, B acts as a server when it is invoked by A, and as a client when it invokes C. If B invokes C while processing the request from A, it demonstrates a request propagation—a request travels from A to B and then, possibly changed, to C. This is also referred to as an invocation chain, in which B acts as an intermediate, as opposed to C, a target. Invocation chains introduce new aspects to the security of distributed systems and make the security picture much more complex. If B invokes C while processing a request from A, several questions arise. First, should B use its own identity, and the accompanying attributes, when it calls C? Or should it use A’s, so that C believes it received a request from A? Credentials delegation takes different forms, from a very sim- ple impersonation, in which C does not even know that the request is actually from B, to very complex composite delegation, in which C knows the credentials of all the interme- diates through which the invocation was propagated. In the case of composite delega- tion, C’s access control and other security policies become significantly more complex to accommodate compound principals. Second, should A trust B to use A’s credentials to call others? Some middleware security models give A this level of control over whom B can call on behalf of A, which is known as constrained delegation. Some RPC models support “fire-and-forget” invocations—for example, in Figure 7.2, if B sends a request to C, and no response is sent back. One example is CORBA’s one-way functions, whereby the client does not expect any response from the server and is not even guaranteed that its request will be processed at all. This is also the case for the world of SOAP-based Web Services, where, if a method does not return any- thing, no response message is sent to the client. NOTE If you want to learn more about client/server computing, we recommend Client/Server Survival Guide, Third Edition, by Robert Orfali, Dan Harkey, and Jeri Edwards (Orfali 1999)—a fun-to-read and very comprehensive introductory book. Figure 7.2 Propagated and “fire-and-forget” invocations. B C request request response A B request response A Security of Infrastructures for Web Services 159 Security and the Object Paradigm CORBA, COM+, .NET, and J2EE are all object-based. These days, the computing world takes for granted that any modern computational technology—distributed or not—has inherent support for objects. For the purposes of this section, we assume that you have a good grasp of objects, and are familiar with terms such as “class,” “method,” “encap- sulation,” “polymorphism,” and “inheritance.” For a good book on the basics of objects, we recommend Taylor (1997). When you add objects to a client/server computing model, there are significant effects on the overall security infrastructure of your enterprise. Objects tend to be of fine granularity, that is, they encapsulate small amounts of data and provide diverse methods to manipulate that data. Object-based systems usually have many more objects of many different varieties, increasing the number of resources in your systems that you need to protect, compared to conventional, procedural systems. The number of resource-operation pairs also skyrockets even higher. An object-based security architecture must support large numbers of protected resources. Traditionally, this has been done via resource groupings. Objects are grouped, and policies are defined on those groups. Objects with similar names, or those that reside in the same location, should not be required to belong to the same group, since policies do not necessarily follow your application’s topology or naming organization. The same is true for objects to be assigned to the same group; name sim- ilarity and co-location should not be required for being governed by similar policies. There are also transient and short-lived objects, such as those implementing shop- ping carts in the ePortal example used throughout this book. Such objects are likely to be nameless and created without administrator’s control. Manually assigning transient objects to security policies would be unrealistic. In addition, object-based systems tend to have less rigid naming hierarchies, and the naming mechanism may allow an object to have more than one name. Also a concern is the object identity in some systems, in which two opaque object references may be reused by middleware, making it difficult to determine if the objects they point to are different or the same. Whatever middleware security architecture is in place, it must allow security administrators to define security policies without assuming that they know the name of every object in the system. Even if an object has more than one name, the same policy should be applied to it no matter what name is used. Of additional security concern is that the methods on objects are no longer limited to just two or three universal “read,” “write,” and “delete” operations. The methods could be very complex and potentially involve many diverse activities. Consequently, security administrators should not have to understand the semantics of the methods on objects to secure them. Due to encapsulation and other advanced techniques—such as dynamic binding and on-demand reincarnation of object implementations—that make large distributed systems scalable and simpler to design, it is difficult to understand which actual resources are manipulated behind an object interface. While the job of client develop- ers is simplified by using objects, the encapsulation makes it difficult to determine which security policies should govern access to which application objects. The security architecture of object-based systems must also have some mechanisms in place that help with this problem. 160 Chapter 7 Bob Blakley (1999) has a good introductory chapter on object security, which pro- vides some additional information on this topic. What All Middleware Security Is About The next sections will describe the four middleware security technologies individually, how they implement the security functionalities for client/server systems, and how they address the requirements specific to object-based systems. To unify this discus- sion, we treat every technology described as an instance of the same scheme. No mat- ter if it is .NET or Java, COM+ or CORBA, each middleware technology reduces to this one scheme, shown in Figure 7.3, which we put together to help you understand the general concepts. NOTE Because applications written for COM and COM+ have a lot in common, we will refer to COM and/or COM+ v1.0 as COM(+) when we do not need to distinguish between the two. In the list below, we explain the levels of the middleware stack as depicted in Figure 7.3: Client application. Makes RPC-like calls to the server. Because of the abstraction provided by the proxy of the server object, the client application does not have to be aware of any layers below the proxy. 2 Server application. Receives RPC calls, serves them, and returns replies. Application server. The runtime environment that provides important services to the critical high-performance and high-scale business applications. Its pres- ence in the stack distinguishes CORBA component model (CCM) from plain CORBA, COM+ from COM, and J2EE from Java 2 Platform, Standard Edition (J2SE). If you have ever tried to implement a business application using plain COM, Java, or CORBA, you are familiar with how much you need to do to man- age the object life cycle, engage in distributed transactions, and implement load balancing and fault tolerance. The application server layer handles those func- tions in CCM, COM+, and J2EE. Due to its complexity, the layer is often tightly integrated with the ORB and object adapters (defined below) and therefore comes bundled with them. Proxy. A local implementation of the remote server object on the client. It isolates the application from all the details and complexities of the RPC implementation by realizing syntactically the same interface as the object on the target. A proxy marshals requests to and unmarshals responses from the server, and could per- form some other housekeeping work. A client must have a proxy for each inter- face it uses on the server. Proxies are usually compiled out of the interface descriptions. These are interface definition language (IDL) files in COM(+) and Security of Infrastructures for Web Services 161 2 Technically, the application code has to perform some steps to initialize the middleware layer: via CoInitialize call and its friends in COM(+), and ORB.init() in CORBA. We omit such details to keep the discussion at the higher abstraction layer for now. CORBA, WSDL files in Web Services, files with Java interfaces extending EJBOb- ject in J2EE, and “remoted” class files in .NET. Skeleton. The server’s counterpart of the proxy. Also created from the interface definition, a skeleton performs marshaling/unmarshaling of the call parameters and return values, and hides specifics of the particular ORB implementation. Object adapter. Sits on top of the object request broker (ORB) and accepts requests on behalf of the server’s objects. It provides the runtime environment for instantiating server objects, passing requests to them, and assigning the object IDs, called object references. The object adapter also registers object imple- mentations with the ORB and, sometimes, with the implementation repository, so that the server objects can be discovered at run time. Not all middleware technologies (for example, COM(+)) distinguish object adapters from their ORBs, although the adapters are still there. Object request broker (ORB). Constitutes the core of the middleware layer and implements most of the plumbing, including composition of the messages given to the network layer for sending, determining where to send messages based on the object reference, establishing virtual (session) channels with other ORBs, and dispatching requests to the server objects. An ORB could be implemented just as a library (like most CORBA ORBs), or could be a set of system services (as in COM+). It cooperates with various services, such as naming, fault tolerance, transactions, and load balancing, to make the life of clients and servers easier. In this discussion, we concentrate on the security service. Security service. Often tightly integrated with the ORB, the service intercepts the client’s and server’s interactions to enforce various security policies. Some of them, such as access control, have request granularity and therefore are enforced by request security interceptors. Other policies, such as integrity and confidential- ity protection, are commonly enforced by message security interceptors. Security mechanism implementation. An implementation of generic network security technology such as Kerberos, NTLM, SSL, or IPSEC. By and large real- ized as a set of libraries, a security mechanism implementation generates session keys and performs authentication, encryption/decryption, data signing, and validation. OS and network layers. Perform their usual roles of transmitting the actual mes- sages between client and server. Figure 7.3 is an adequate abstraction of the middleware security, although it is not always completely accurate. For example, it shows all the elements in one elegant stack, whereas this is not the case in real situations; the ORB, security service, and secu- rity mechanism layers have a more complex interaction topology, and most elements in the figure interact with the OS. Some applications, due to their security require- ments, could also call the ORB security service and even the security mechanism directly. Nonetheless, keep this figure in mind when you read about the implementa- tion of client and server security services and the secure channels connecting them. The client and server security services and mechanisms, in cooperation with their ORBs, are the basis for three abstractions very useful for reasoning about distributed systems’ security: client security service, secure channel, and target security service. We will explain them next. 162 Chapter 7 Figure 7.3 Security stack of middleware-based distributed applications. Roles and Responsibilities of CSS, TSS, and Secure Channel The security structure of most distributed systems that are based on the client/server paradigm is composed of a client security service (CSS) and a target security service (TSS), which are connected by one or more secure channels. Their roles are based on the secu- rity requirements for client/server systems (discussed in the previous section, Security and the Client/Server Paradigm). As we discuss what’s expected from these three ele- ments, keep the generic scheme for middleware security from Figure 7.3 in mind. To enforce client security policies, a CSS should be able to establish and maintain secure channels with TSSs and enforce client-side trust, message confidentiality, and integrity, as well as delegation control and audit policies. To perform these tasks, a CSS relies on client application authentication to obtain the credentials used to represent the principal on behalf of whom requests on the server are made. To enforce trust and delegation control policies, a CSS also needs to authenticate the target. Once a CSS and TSS have authenticated each other, both can negotiate the level of channel protection. A secure channel is a useful abstraction that encompasses the functionality necessary for message confidentiality, integrity, and authenticity protection. To retain a channel’s state, CSS and TSS must establish and maintain a security association. The security association establishes the trust in each party’s credentials and creates the security con- text that will be used when protecting requests and responses in transit between the client and the target. Client Application Proxy ORB Security Mechanism Implementation Security Mechanism Implementation Network RPC Abstration OS Server Application Application Server Skeleton Adapter ORB Security Service Security Service Network OS Middleware Security Actual messages Security of Infrastructures for Web Services 163 TSS responsibilities are similar to those of a CSS and have an additional obligation to enforce access control and, possibly, nonrepudiation policies. Although CORBA, COM+, .NET, and J2EE all have different security architectures, they implement the roles and responsibilities of CSS, TSS, and secure channel in simi- lar ways. We describe these common security functions in the following section. How Middleware Systems Implement Security The main distributed security functionalities are: ■■ Authentication ■■ Message protection ■■ Access control ■■ Audit ■■ Delegation ■■ Trust ■■ Administration of all the above Even though some of these functions are more critical than others, it is important to employ all of them to implement a complete security solution for your system. Distributed Authentication Authentication is mainly used by middleware security services to verify the origins of incoming requests and responses. Acting on behalf of the principals, CSS and TSS first authenticate each other using the credentials of the principals (on behalf of which they participate in the exchange of application messages), generate a channel-specific ses- sion key, and use it to encrypt the traffic through the channel. Therefore, the messages comprising requests and responses received from the channel are authenticated by the virtue of being encrypted with the session key. Although, strictly speaking, there are multiple principals involved on each side (the channel, the host, the OS, the ORB, the application, and the user—if any—using the application) and there are even theories of principal calculus (Abadi 1991; Lampson 1991), in practice, those who use the corre- sponding entities assume that everything but the applications and their users can be trusted. This assumption, though not always justifiable, allows significant simplifica- tions of the administration of access control and other policies that rely on authentica- tion, and of the authentication protocols themselves. Authentication Protocols Authentication in a distributed system environment is performed using an authentica- tion protocol, which consists of cryptographic computations and a message exchange protocol. All authentication protocols can be classified according to the cryptosystem 164 Chapter 7 they use. Since most popular cryptosystems today are either symmetric (secret key only) or asymmetric (private and public keys), the authentication protocols also fall in one of the two groups. We described symmetric and asymmetric authentication proto- cols in detail in Chapter 3, “Getting Started with Web Services Security.” NOTE Surprisingly, the authentication of most of today’s commercially distributed systems still relies on sending a plain username and password to the server, possibly using secure channels or hashing the password with a digest algorithm. To perform authentication, a CSS and TSS first need to determine the authentication protocol to be used. The next section briefly describes available methods. Choosing an Authentication Protocol There are commonly two ways to determine which protocol and its parameters should be used for authenticating a CSS and TSS to each other. One way is for the TSS to advertise the protocols it wants to use. The other is to employ a special negotiation phase when establishing a secure channel. A customary place for the information about supported authentication protocols is the target’s object reference. Despite being inherently insecure, an object reference is considered an adequate solution for most systems. NOTE Those security service implementations that employ the Simple Authentication and Security Layer (SASL) protocol (IETF 1997b) specify the type of authentication mechanism they support. This means that the client and server can be configured to negotiate and use one of the standard or customized mechanisms for authentication, depending on the level of protection desired by the client and the server. SASL supports the Generic Security Service (GSS) API, which is a popular programming interface that supports many different authentication protocols. Another method of negotiating a GSS-API-based authentication protocol is to use Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) (IETF 1998). This standard negotiation protocol enables GSS-API peers to determine in-band whether their credentials share common GSS-API security mechanism(s), and, if so, to invoke normal security context establishment for the selected mechanism. The protocol allows negotiating different security mechanisms, different options within a given security mechanism, or different options from several security mechanisms. Once identified, the security mechanism may also negotiate mechanism-specific options during its context establishment. Security of Infrastructures for Web Services 165 Message Protection Once CSS and TSS authenticate each other, they can establish a shared secret session key to be used for verifying message origin authenticity and protecting the integrity and confidentiality of the messages. Using the same principle as in the symmetric key authentication protocols, the sender encrypts the message and the receiver decrypts it with the session key generated as a result of their mutual authentication and known only to them. This ensures that the message was sent by the other peer, a property known as message origin authenticity. Encrypting messages using the session key also provides message confidentiality pro- tection (secrecy). Message integrity is commonly protected by tagging a key-dependent message authentication code (MAC) onto a message before it is sent. Upon receipt, the MAC is recomputed and compared with the one attached to determine if the message has been altered in transit. All three protections do not have to be enforced on all messages flowing between a CSS and TSS. Some objects on a TSS might not require protection for the messages comprising requests and responses for those objects. Some might require only message authenticity. Message protection enforced on each side is governed by the correspond- ing policies. Who defines those policies depends on the capabilities of a particular mid- dleware security technology. Generally speaking, there are several stakeholders who define message protection policies: object owners, system owners, and principals (users). Object owners decide what protection they need for the information supplied to and sent back from the methods on their objects. System owners mandate the pro- tection policy for the messages flowing back and forth from their systems. Principals interacting with remote objects decide what is an acceptable protection level for the information they send to and receive from the servers. Therefore a CSS and TSS need to determine message protection policies for each stakeholder and determine the level that satisfies all parties. In this and the previous sections, we discussed CSS and TSS authentication and pro- tection of the messages flowing between them. The next important element of secure middleware-based computing is controlling access to the server objects. Distributed Access Control Access control in middleware consists of two functions: (1) the TSS making an access decision and (2) enforcing it. See Figure 7.4. The enforcement part is fairly easy since the ORB gives the TSS an opportunity to intercept an invocation and enforce the poli- cies. The hard part here is the access control decision (authorization). Authorizations are challenging because they have to be quick to reduce security-related overhead, but depending on the authorization policies and the number of objects in the application system, the decision process can be quite complex. First, we need to figure out what policies should govern authorization decisions for the request in question. Since the policies are needed for message protection, auditing, and other security functionalities, this task is not as trivial as it might sound. The rea- son is that objects are often organized into groups, each protected by a distinct policy, to achieve scalability in middleware object-based systems. The groups are then orga- nized in complex relations so that large numbers of objects with similar security requirements can be governed by a few base policies. Policies for objects with peculiar 166 Chapter 7 requirements could be obtained through some composition of the policies according to the group relations. An example of such relations is the use of hierarchies, where each node is associated with a policy and leaves in the hierarchy are objects “hanging off” the nodes. This object hierarchy approach allows you to impose base policies near the hierarchy root and to fine-tune the protection of some objects located down the tree. A simple example illustrating object hierarchies is shown in Figure 7.5. Besides the difficulty of determining policies due to the scale, as you remember from the section on the object paradigm, some objects may have many names and some may be anonymous, making it difficult to identify what group(s) they belong to. Addition- ally, object encapsulation and method semantic complexity make objects and their methods opaque to the outside world (at least to the poor security administrators), which then means that an extra level of indirection is required to compute those attrib- utes of objects and methods that can be used for calculating applicable policies. Every middleware security technology described in this chapter categorizes methods into related groups in some way. We will discuss the techniques for determining object group membership and method categorization for each technology. Then, various policies governing access to the object’s method might have to be composed into one “ultimate” policy that is evaluated to come up with a final access decision. The composition may not be trivial since the policies could contradict each other, with one policy granting and the other denying access. Consequently a “metapolicy”, which is a policy about composing policies, is required to resolve the conflicts. How a resulting policy is computed depends on the semantics of the relation and varies from technology to technology. For some, more specific policies take higher priority. For others, all policies are compiled into a list and those at the top of the list take precedence over later ones. There are other strategies as well. Figure 7.4 Access control is a combination of decision and enforcement functions. Middleware Target Security Service Decision Request Access Request Decision Target Application Access Request Enforcement Function Decision Function Security of Infrastructures for Web Services 167 Figure 7.5 Sample hierarchy of object groups. Most practical security policies consist of statements that either grant or deny access. The statements usually contain references to one or more of the following: ■■ Subject attributes such as groups, identity, roles, and clearance, age, location ■■ Resource attributes such as name, the owner identity, security label, location ■■ Operation on the resource ■■ Environmental information such as time of day, day of week, global state (for example, emergency, under terrorist attack) ■■ History information, such as how many times the principal has accessed the resource before ■■ Request information, such as the level of the channel protection through which the request came and through which the response will be sent back ■■ Obligations that specify additional conditions to be satisfied before access is granted, such as an agreement to be signed by the end user, auditing the trans- action, or availability of funds. Policy A Policy B Policy C Group B Group C Group D Group A Object F Object G Object J Object H Policy D 168 Chapter 7 [...]... for generating and checking evidence of claimed events Replaceability of security services Allows replacement of security services that are enforced by the ORB Security services Standard set of object security interfaces ORB services Low-level interceptor interface within the ORB to extend beyond security Security ready The ORB has security interfaces, but no implementation; designed for future extensions... (responsibility) Security of Infrastructures for Web Services from one person to another The second is the delegation of credentials in a security context from one application to another Delegation of privileges from one person to another is a common security requirement, but it is not itself a security service Delegation of credentials in a security context, which is the focus of this section, is a security. .. Unlike most other middleware security technologies, CORBA objects residing on different Security of Infrastructures for Web Services computers can belong to the same domains, because CORBA security policy domains span multiple computers, and therefore can be governed by the same security policies Enforcing Fine-Grained Security There are several interfaces available to security- aware applications for... The CORBA security specification (CORBASec) defines a framework for providing security services to applications via the CORBA object request broker (ORB) The security service is one of several Common Object Services defined as part of the CORBA standard CORBASec defines two conformance levels for ORB security Any product compliant with CORBASec must support Level 1 or both Level 1 and Level 2: Security. .. to keep a Security of Infrastructures for Web Services variety of security policies consistent if the only way to configure them is on an objectby-object or some other small-scale basis Therefore, the means of administering the security of your distributed applications should scale with the number of resources, the number of users, and the number of resource locations A common way to achieve security. .. its security functionality can fit into a Web Services security architecture How CORBA Works CORBA technology, including the CORBA security service, defines a general-purpose language and OS-independent infrastructure for developing and deploying distributed object-based systems in a broad range of specialized application domains Application systems and the CORBA infrastructure, including the security. .. protection Once the security context is safely established between the CSS and the TSS using CSIv2, it is used on the server to protect target objects In the next sections, we will explain how CSS and TSS responsibilities are fulfilled via security mechanisms implemented by the CORBA security service Implementation of Security Functions Similar to other middleware security technologies, security policies... for Web Services Level 1 ■ ■ Support security- unaware applications ■ ■ Have ORB-enforced authentication, secure invocation, authorization, and auditing ■ ■ Perform simple delegation Level 2 ■ ■ Support security- aware applications ■ ■ Have the ability to select quality of protection, change credentials, select delegation options, and use audit services ■ ■ Support administration interfaces using security. .. Secure Web Services Architecture.” As you can see, there are many ways of supporting security policies that protect fine-grained application-specific resources Depending on the capabilities of your middleware security, you may be in a position to employ some of them In addition to describing CORBA, COM+, NET, and EJB in the next few sections, we will explain how these technologies support fine-grained security. .. key role in both middleware and Web Services security, we devote a significant amount of material to the subject in this chapter and several others Distributed Auditing For any distributed computer system, the purpose of security auditing is to provide support for: Accountability their actions That is, holding users of a distributed system accountable for Detection of security policy violations That . events Replaceability of security services. Allows replacement of security services that are enforced by the ORB Security services. Standard set of object security interfaces ORB services. Low-level interceptor. approach still keeps your application from being security- aware, Security of Infrastructures for Web Services 1 75 although it requires the middleware security to be capable of using your custom autho- rization. capability, used by applications and middleware to record Security of Infrastructures for Web Services 169 security- relevant events. These services are provided via component-specific inter- faces