
E138 Tightening up EAServer Security

  • Markus Ohly

    Sybase European CS&S

    [email protected]


Tightening up easerver security

Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

  • Security Techniques

  • Applying Security Techniques to EAServer


Tightening up easerver security1

Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

    • Introduction

    • Fighting against Risks and Dangers

  • Security Techniques

  • Applying Security Techniques to EAServer


Security concerns and risks

Security Concerns and Risks


Security concerns and risks1

Security Concerns and Risks

  • Disclosure of confidential information (Eavesdropping)

  • Modification, Deletion, Reuse of data (Data tampering)

  • Misuse of protected resources

  • Misuse that compromises availability

  • Masquerading, Misrepresentation and Repudiation

  • Sender claims that he did not send a message

  • Repetition of original messages

  • Compromised Privacy, Integrity, and Accountability


Security concerns and risks2

Security Concerns and Risks

Fighting against Risks and Dangers

  • Your company is in danger when computing resources fail, are unavailable, or compromised.

  • Not all of the threats can be easily eliminated (if at all)

  • Reduce exposure to an acceptable level

  • Use Security Means


Security concerns and risks3

Security Concerns and Risks

Fighting against Risks and Dangers

  • Authentication

  • Mechanism by which callers and servers prove to one another that they are acting on behalf of specific users

  • A component acting as an intermediary in a call chain may impersonate the originating user or have its own identity.

  • Normally, Authentication builds the basis for Authorization


Security concerns and risks4

Security Concerns and Risks

Fighting against Risks and Dangers

  • Authorization

  • Authorization mechanisms limit usage of resources to users, groups, or systems for the purpose of enforcing integrity, confidentiality, or availability constraints.

  • Protected Resources are distinguished by the presence of authorization rules that grant access only to authentic caller identities


Security concerns and risks5

Security Concerns and Risks

Fighting against Risks and Dangers

  • Network Architecture

    • Firewalls

    • DMZs

    • Proxies

  • Auditing

  • Public Key Cryptography

    • Encryption

    • Digital Signatures


Tightening up easerver security2

Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

  • Security Techniques

    • What is Encryption ?

    • What are Certificates ?

    • What are Digital Signatures ?

    • What is SSL ?

  • Applying Security Techniques to EAServer


What is encryption

What is Encryption ?

  • A mathematical discipline for scrambling data to keep it safe from external "eyes", thus ensuring a high level of security

  • Two major types of cryptographic algorithms exist:

    • Symmetric encryption (secret key cryptography)

    • Asymmetric encryption (public key cryptography)


What is encryption1

What is Encryption ?

Secret Key Cryptography


What is encryption2

What is Encryption ?

Secret Key Cryptography

  • Algorithms: DES, Triple-DES, RC2, RC4, RC5

  • Advantage: Fast and efficient

  • Problem: Key exchange

    • The keys must be shared by both end points

    • How to keep the shared key secret ?


What is encryption3

What is Encryption ?

Public Key Cryptography

  • Solution to the key exchange problem

    • Diffie, Hellman (1976)

    • Rivest, Shamir, Adleman (1978)

  • Public key encryption is based upon a key pair

    • public key and private key

  • It is VERY VERY difficult to compute the private key from the known public key


What is encryption4

What is Encryption ?

Public Key Cryptography

  • Public and private keys are inverse and can be applied in two directions

  • Encryption Equation:

    • D(private, E(public, m)) = m

  • Authenticity Equation:

    • D(public, E(private, m)) = m


What is encryption5

What is Encryption ?

Public Key Cryptography


What is encryption6

What is Encryption ?

Public Key Cryptography

  • D(private, E(public, m)) = m (Encryption Equation)

  • Everyone can send secret messages to a person using the public key of the addressee

  • Arbitrary individuals cannot decrypt messages encrypted with a public key because they do not know and cannot compute the private key

  • Only a person having the matching private key can decrypt the message


What is encryption7

What is Encryption ?

Public Key Cryptography

  • Advantage: No secret key exchange, only public keys are exchanged

  • Disadvantages:

    • CPU intensive (a factor of 100 compared with DES in software)

    • Performance hit on busy site with lots of connections

  • Known algorithms: RSA (Rivest, Shamir, Adleman)


What are digital signatures

What are Digital Signatures ?

  • Authenticity Equation:

    • D(public, E(private, m)) = m

  • Using the private key for encryption can only be done by the key owner

  • Everybody can read the message but nobody is able to change it

  • Messages with digital signatures are authentic


What are digital signatures1

What are Digital Signatures ?

  • How to digitally sign a document ?

    • Compute a Message Digest of fixed length by applying a Hash Function to the document

    • Authenticate the Message Digest, that is encrypt the Message Digest with your private key

  • How to verify a Digital Signature ?

    • Apply the Hash Function to the received text

    • Decrypt the provided Digest using the public key

    • Authenticity is proved if both results match


What are digital signatures2

What are Digital Signatures ?

Hash Functions

  • A Hash Function is an efficient transformation of an arbitrary message to a hash value of fixed length

  • The hash value is much smaller than the original input

  • Additionally, it is difficult to reverse a hash function (hash functions are one way)

  • Collision freeness: it is very difficult to find two messages resulting in the same hash value.

  • Examples: MD5, SHA


What are digital signatures3

What are Digital Signatures ?


What are digital signatures4

What are Digital Signatures ?


What are certificates

What are Certificates ?

  • How to assure keys and entities match?

  • We demand certification !

  • Certificates give us the guarantee that the mentioned entity and the public key do in fact belong together, they bind the identity of a person to his public key.

  • The pair of identity and public key is digitally signed

  • Certificates are issued by Certificate Authorities after a rigorous check

  • Trust to the certificate is implied by trust to the Certificate Authority.


What are certificates1

What are Certificates ?

[Diagram labels: Server (Server's Private Key + CA's Public Key); Client (Client's Private Key + CA's Public Key); Public Key of the Client; Public Key of the Server; Digitally Signed Certificates]


What are certificates2

What are Certificates ?

Non-Repudiation

  • The holder of a certificate cannot deny his authenticity nor refuse his engagements when he digitally signed a message with the secret key corresponding to the public key in his certificate


What is ssl

What is SSL ?

  • The Secure Sockets Layer (SSL) Protocol maintains security, privacy, and integrity of the transmission channel by using encryption, authentication and message authentication codes.

  • The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application.

  • It allows applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

  • Invented by Netscape in 1996


What is ssl1

What is SSL ?

  • SSL is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently.

  • Application protocol traffic is embedded into SSL and encrypted during transfer

  • IIOP + SSL = IIOPS

  • HTTP + SSL = HTTPS


What is ssl2

What is SSL ?


What is ssl3

What is SSL ?

  • The SSL Handshake Protocol consists of two phases.

  • During the "handshaking" process, public-key encryption is used.

  • After the exchange of keys, a number of ciphers are used, e.g. RC2, RC4, IDEA, DES, and triple-DES

  • The MD5 message-digest algorithm is used.

  • The public-key certificates follow the X.509 syntax


What is ssl4

What is SSL ?

Server Authentication

  • The server, in response to a client's request, sends its certificate and its cipher preferences.

  • The client generates a master key, encrypts it with the server's public key, and sends the result to the server

  • The server recovers the master key and authenticates itself to the client by returning a message signed with the master key

  • Subsequent data is encrypted and authenticated with keys derived from this master key.


What is ssl5

What is SSL ?

Client Authentication (optional).

  • The server sends a challenge to the client.

  • The client authenticates itself to the server by returning the client's digital signature on the challenge, as well as its public-key certificate.


Tightening up easerver security3

Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

  • Security Techniques

  • Using Security Means in EAServer

    • Listener Configuration

    • Set protection levels for components

    • Protect Server Resources

    • Secure Clients

    • Protect Data


Using security means in easerver

Using Security Means in EAServer

  • How to deal with Certificates and keys easily ?

  • Use a cryptographic module which is a loadable software plugin following the PKCS #11 standard

  • EAServer has a PKCS #11 module

    • Accessible from Security Manager

    • Accessible from Netscape


Using security means in easerver1

Using Security Means in EAServer

EAServer Security Manager


Using security means in easerver2

Using Security Means in EAServer

  • Netscape Communicator


Using security means in easerver3

Using Security Means in EAServer

Internet Explorer ...


Using security means in easerver4

Using Security Means in EAServer

Configure Listener Properties

  • Create a listener with protocol "https" or "iiops"

  • Select a Security Profile.


Using security means in easerver5

Using Security Means in EAServer

Configure Listener Properties (ctd)

  • A security profile specifies the security characteristics:

    • Whether mutual authentication is required

    • Which Cipher Suite to use for the encrypted connection

    • Which certificate the server will send to the client – note that the site name and the certificate common name must match !


Using security means in easerver6

Using Security Means in EAServer

[Screenshot: Security Profile]


Using security means in easerver7

Using Security Means in EAServer

Configure Listener Properties (ctd)

  • Important ! The Listener Properties must match the authentication and authorization requirements

    • When clients are required to send certificates for authentication, „_mutual_auth“ must be selected.

  • Relation to Authentication Service:

    • Precedence of Certificates over Username/Password

    • Combinations


Using security means in easerver8

Using Security Means in EAServer

Authentication for Web Applications

  • Authentication is set at Web Application level

  • Authentication Mechanisms supported by EAServer: BASIC, FORM, and HTTPS Mutual Authentication

    • BASIC and FORM authentication should be combined with encryption to protect the passwords

    • In order to work effectively, you must enable an Authentication Mechanism for EAServer, eg. OS Authentication or Authentication Service


Using security means in easerver9

Using Security Means in EAServer

Authentication for Web Applications

  • Login Config: Authentication = Client Certificate


Using security means in easerver10

Using Security Means in EAServer

Declarative Authorization

  • J2EE Declarative Authorization is based upon Roles which are logical privileges

  • Roles are assigned to Components to define the required privileges needed to access components

  • Roles may be attributed to (known) Certificates

  • Role Assignment to EJBs and WebResources can be defined during development but must be reviewed at deployment time.


Using security means in easerver11

Using Security Means in EAServer

Authorization with Certificates


Using security means in easerver12

Using Security Means in EAServer

Programmatic Authorization

  • Role Service

  • Alternatively, a custom Authorization Service


Using security means in easerver13

Using Security Means in EAServer

Servlet Request Attributes

  • javax.servlet.request.cipher-suite = SSL_RSA_EXPORT_WITH_RC4_40_MD5

  • javax.servlet.request.key-size = 40

  • javax.servlet.request.X509Certificate
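
A defensive use of these attributes, as an added example that is not part of the original presentation: the application refuses requests whose SSL session is weaker than its policy, such as the 40-bit export suite shown above. The class name, the 128-bit minimum and the token list are assumptions of this example; in a servlet the two arguments come from request.getAttribute() under the attribute names on the slide.

```java
public class TransportPolicy {

    // Assumed policy for this example: minimum acceptable symmetric key size.
    static final int MIN_KEY_BITS = 128;

    // Tokens in a cipher-suite name that mark it as unacceptable here:
    // export-grade, unencrypted, unauthenticated, or RC4/MD5 based.
    static final String[] WEAK_TOKENS = { "_EXPORT_", "_NULL_", "_anon_", "_RC4_", "_MD5" };

    /**
     * @param cipherSuite value of javax.servlet.request.cipher-suite (null on plain HTTP)
     * @param keySize     value of javax.servlet.request.key-size (null on plain HTTP)
     * @return null if the connection is acceptable, otherwise the reason for refusal
     */
    static String reject(String cipherSuite, Integer keySize) {
        if (cipherSuite == null || keySize == null) {
            return "request did not arrive over SSL";
        }
        if (keySize < MIN_KEY_BITS) {
            return "key size " + keySize + " is below " + MIN_KEY_BITS + " bits";
        }
        for (String token : WEAK_TOKENS) {
            if (cipherSuite.contains(token)) {
                return "cipher suite contains " + token;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples; the first pair is the one shown on the slide.
        Object[][] samples = {
            { "SSL_RSA_EXPORT_WITH_RC4_40_MD5", 40 },
            { "SSL_RSA_WITH_RC4_128_MD5", 128 },
            { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128 },
            { null, null },
        };
        for (Object[] s : samples) {
            String reason = reject((String) s[0], (Integer) s[1]);
            System.out.println(s[0] + " -> " + (reason == null ? "accept" : "reject: " + reason));
        }
    }
}
```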


Using security means in easerver14

Using Security Means in EAServer

Authorization for Web Applications

  • The Web Application Provider defines the Resources that have to be protected in form of Security Constraints

  • EAServer will control each access and ensure that protected resources are only accessed by authenticated and/or authorized users


Using security means in easerver15

Using Security Means in EAServer

Authorization for Web Applications

  • Security Constraint 0, Zone 0

    • Pattern = /Calculate

    • Role = WebAgent, WebSupervisor

    • Transport Guarantee = Confidential

  • Security Constraint 1, Zone 1

    • Pattern = /Calculate/Interest

    • Role = WebSupervisor

    • Transport Guarantee = Confidential


Using security means in easerver16

Using Security Means in EAServer

Authorization for Web Applications


Using security means in easerver17

Using Security Means in EAServer

Authorization for Web Applications


Using security means in easerver18

Using Security Means in EAServer

Declarative Security for EJBs

  • The EJB Tier must be protected as well because IIOP Listeners do expose them

  • Permissions are granted per Method using Roles

  • Roles may contain synthetic identities, eg. Everybody or Anonymous for unauthenticated users

  • For EJB 2.0, a Bean method without role assignment cannot be used by any caller !


Using security means in easerver19

Using Security Means in EAServer

Set protection levels for components

  • Packages, Components, and Methods can be configured to have a minimum quality of protection that a client connection must have for invocation

    • com.sybase.jaguar.package.qop

    • com.sybase.jaguar.component.qop

    • com.sybase.jaguar.method.qop


Using security means in easerver20

Using Security Means in EAServer

Set protection levels for components (ctd)

  • QOP settings may be

    • syb_osauth

    • syb_simple, syb_intl, syb_domestic, syb_strong

    • or the „_mutual_auth“ variant


Using security means in easerver21

Using Security Means in EAServer

Set protection levels for components (ctd)

  • Client QOP, Listener QOP, and Component QOP must be the same or compatible


Using security means in easerver22

Using Security Means in EAServer

Set protection levels for components (ctd)


Using security means in easerver23

Using Security Means in EAServer

Retrieving SSL Connection Information

  • EAServer passes an object of type CtsSecurity::SessionInfo to Authentication, Authorization and Role Services

  • long getAuthenticationStatus() - SSL relevant fields:

    • AUTH_SSL_SESSION - bit 0

    • AUTH_SSL_AUTHENTICATED - bit 1

  • CtsSecurity::SSLSessionInfo getSSLSessionInfo() - only when SSL is used !


Using security means in easerver24

Using Security Means in EAServer

Retrieving SSL Connection Information (ctd)

  • The SSLSessionInfo object provides access to

    • the client´s certificate

    • the server´s certificate

    • SSL session properties, eg. Host, Port, Cipher Suite, User Data, Entrust properties

  • See the Interface Repository for full documentation


Using security means in easerver25

Using Security Means in EAServer

Authorization

  • Take care that the Access Control Rules are consistent across all paths by which components may be accessed

  • It must be avoided that a less protected Method or Request can circumvent a more rigorously protected method specified by your Security Policy.


Using security means in easerver26

Using Security Means in EAServer

Clients

  • Applets use the SSL infrastructure of the browser

  • Java Applications, C++, PowerBuilder can use native SSL support

  • Common Prerequisite for Standalone Clients:

    • Jaguar Client: Certificate Store, Runtime Libraries

    • Libraries path must be in PATH

    • Environment Variable JAGUAR_CLIENT_ROOT


Using security means in easerver27

Using Security Means in EAServer

Clients

  • In order to establish an SSL Connection, a couple of parameters must be set:

    • PKCS #11 Token Pin

    • Quality of Protection

    • Certificate Label for Mutual Authentication

  • The parameters must be passed to ORB.init()

  • Alternatively, use the SSLServiceProvider


Using security means in easerver28

Using Security Means in EAServer

Securing C++ Clients

  • char *orb_args[] = {"-ORBpin", "sybase", "-ORBqop", "sybpks_intl_mutual_auth", "-ORBcertLabel", "Markus_1" };

  • CORBA::ORB_var orb = CORBA::ORB_init(6, orb_args, 0);

  • SessionManager::Manager_var manager = SessionManager::Manager::_narrow( orb->string_to_object("iiops://localhost:9002"));


Using security means in easerver29

Using Security Means in EAServer

Securing PB Clients

String ls_init

ls_init = "ORBNameServiceURL='iiop://HOST:9002', ORBqop=sybpks_intl_mutual_auth, ORBpin=sybase, ORBcertificateLabel='Markus_1'"

ORB.init (ls_init)


Using security means in easerver30

Using Security Means in EAServer

Securing Java Clients

  • Properties p = new Properties();

  • p.put("org.omg.CORBA.ORBClass", "...CORBA.ORB");

  • p.put("com.sybase.CORBA.pin", "sybase");

  • p.put("com.sybase.CORBA.qop", "qop");

  • p.put("com.sybase.CORBA.certificateLabel", "Markus_1");

  • ORB orb = ORB.init((String[]) null, p);

  • Manager manager = ManagerHelper.narrow(orb.string_to_object("iiops://host:9002"));


Using security means in easerver31

Using Security Means in EAServer

JNDI based Clients

  • Properties props = new Properties();

  • props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sybase.ejb.InitialContextFactory");

  • props.put(Context.SECURITY_PRINCIPAL, "jagadmin");

  • props.put(Context.SECURITY_CREDENTIALS, "");


Using security means in easerver32

Using Security Means in EAServer

JNDI based Clients (ctd)

  • props.put(Context.PROVIDER_URL, "iiops://localhost:9001");

  • props.put("com.sybase.ejb.pin", "sybase");

  • props.put("com.sybase.ejb.qop", "sybpks_intl");

  • props.put("com.sybase.ejb.certificateLabel", "Markus_1");

  • InitialContext ic = new InitialContext(props);

  • CalcHome home = (CalcHome)ic.lookup("Calculator");

  • Calc calc = home.create();


Using security means in easerver33

Using Security Means in EAServer

SSLServiceProvider

  • import CtsSecurity.*;

  • SSLServiceProvider prov;

  • prov = SSLServiceProviderHelper.narrow(orb.resolve_initial_references("SSLServiceProvider"));

  • prov.setGlobalProperty("qop", "sybpks_intl");

  • prov.setGlobalProperty("callbackImpl", "SSLCallback");


Using security means in easerver34

Using Security Means in EAServer

SSLServiceProvider

  • The callback class SSLCallback must implement CtsSecurity.SSLCallbackIntf

    • getPin ()

    • getCertificateLabel ()

    • trustVerify ()

    • getCredentialAttribute ()

  • The ORB invokes callback methods when required information is missing or incorrect.


Using security means in easerver35

Using Security Means in EAServer

Retrieving SSL Connection Information

  • Clients and Components can retrieve detailed information on the security characteristics of a connection

  • Client code narrows the object reference to CtsSecurity::SessionInfo

  • A component inside the server instantiates a pseudo reference to CtsSecurity::SessionInfo


Using security means in easerver36

Using Security Means in EAServer

Retrieving SSL Connection Information

  • If SSL is enabled, you can get a SSLSessionInfo object by calling SessionInfo.getSSLSessionInfo()

  • The SSLSessionInfo provides access to the client certificate and allows inspection of the characteristics of the session

    • certificateLabel

    • host, port

    • cipherSuite, qop

    • ...


Using security means in easerver37

Using Security Means in EAServer

Authentication with Certificates

[Diagram labels: External Client, Encryption, IIOPS; Internal Client, IIOP; OS or Custom Authentication; C, C++]


Security risks the solution

Security Risks: the Solution

[Diagram labels: Firewall, Encryption, Authentication, Authorization; C++]


Using security means in easerver38

Using Security Means in EAServer

Solution

  • Eavesdropping → Encryption

  • Data tampering → Digital Signatures

  • Masquerading → Certificate based Authentication

  • Misused Resources → Authorization of authenticated Users

  • Repudiation → Certificates, Digital Signatures


Using security means in easerver39

Using Security Means in EAServer

References

  • „Security Administration and Programming Guide“

  • Interface Repository

  • WebSites of known manufacturers

    • RSA Securities (extended FAQ)

    • Netscape (Details about SSL)

    • Verisign, Thawte


Summary

Summary

  • Modern internet-open distributed architectures and e-business applications have inherent security issues that require appropriate treatment.

  • Means and techniques to solve or reduce them considerably are

    • Encryption

    • Signatures

    • Digital Signatures

