
E138 Tightening up EAServer Security - PowerPoint PPT Presentation



E138 Tightening up EAServer Security. Markus Ohly, Sybase European CS&S.

Presentation Transcript

E138 Tightening up EAServer Security


Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

  • Security Techniques

  • Applying Security Techniques to EAServer


Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

    • Introduction

    • Fighting against Risks and Dangers

  • Security Techniques

  • Applying Security Techniques to EAServer



Security Concerns and Risks


Security Concerns and Risks

  • Disclosure of confidential information (Eavesdropping)

  • Modification, Deletion, Reuse of data (Data tampering)

  • Misuse of protected resources

  • Misuse that compromises availability

  • Masquerading, Misrepresentation and Repudiation

  • Sender claims that he did not send a message

  • Repetition of original messages

  • Compromised Privacy, Integrity, and Accountability


Security Concerns and Risks

Fighting against Risks and Dangers

  • Your company is in danger when computing resources fail, are unavailable, or compromised.

  • Not all of the threats can be easily eliminated (if at all)

  • Reduce exposure to an acceptable level

  • Use Security Means


Security Concerns and Risks

Fighting against Risks and Dangers

  • Authentication

  • Mechanism by which callers and servers prove to one another that they are acting on behalf of specific users

  • A component acting as an intermediary in a call chain may impersonate the originating user or have its own identity.

  • Normally, Authentication builds the basis for Authorization


Security Concerns and Risks

Fighting against Risks and Dangers

  • Authorization

  • Authorization mechanisms limit usage of resources to users, groups, or systems for the purpose of enforcing integrity, confidentiality, or availability constraints.

  • Protected Resources are distinguished by the presence of authorization rules that grant access only to authentic caller identities


Security Concerns and Risks

Fighting against Risks and Dangers

  • Network Architecture

    • Firewalls

    • DMZs

    • Proxies

  • Auditing

  • Public Key Cryptography

    • Encryption

    • Digital Signatures


Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

  • Security Techniques

    • What is Encryption ?

    • What are Certificates ?

    • What are Digital Signatures ?

    • What is SSL ?

  • Applying Security Techniques to EAServer


What is Encryption ?

  • A mathematical discipline that scrambles data to keep it safe from external "eyes" and thus ensures a high level of security

  • Two major types of cryptographic algorithms exist:

    • Symmetric encryption (secret key cryptography)

    • Asymmetric encryption (public key cryptography)


What is Encryption ?

Secret Key Cryptography


What is Encryption ?

Secret Key Cryptography

  • Algorithms: DES, Triple-DES, RC2, RC4, RC5

  • Advantage: Fast and efficient

  • Problem: Key exchange

    • The keys must be shared by both end points

    • How to keep the shared key secret ?


What is Encryption ?

Public Key Cryptography

  • Solution to the key exchange problem

    • Diffie, Hellman (1976)

    • Rivest, Shamir, Adleman (1978)

  • Public key encryption is based upon a key pair

    • public key and private key

  • It is VERY VERY difficult to compute the private key from the known public key


What is Encryption ?

Public Key Cryptography

  • Public and private keys are inverse and can be applied in two directions

  • Encryption Equation:

    • D(private, E(public, m)) = m

  • Authenticity Equation:

    • D(public, E(private, m)) = m


What is Encryption ?

Public Key Cryptography


What is Encryption ?

Public Key Cryptography

  • D(private, E(public, m)) = m (Encryption Equation)

  • Everyone can send secret messages to a person using the public key of the addressee

  • Arbitrary individuals cannot decrypt messages encrypted with a public key because they do not know and cannot compute the private key

  • Only a person having the matching private key can decrypt the message


What is Encryption ?

Public Key Cryptography

  • Advantage: No secret key exchange, only public keys are exchanged

  • Disadvantages:

    • CPU intensive (factor of 100 compared to DES in software)

    • Performance hit on busy site with lots of connections

  • Known algorithms: RSA (Rivest, Shamir, Adleman)


What are Digital Signatures ?

  • Authenticity Equation:

    • D(public, E(private, m)) = m

  • Using the private key for encryption can only be done by the key owner

  • Everybody can read the message but nobody is able to change it

  • Messages with digital signatures are authentic


What are Digital Signatures ?

  • How to digitally sign a document ?

    • Compute a Message Digest of fixed length by applying a Hash Function to the document

    • Authenticate the Message Digest, that is encrypt the Message Digest with your private key

  • How to verify a Digital Signature ?

    • Apply the Hash Function to the received text

    • Decrypt the provided Digest using the public key

    • Authenticity is proved if both results match


What are Digital Signatures ?

Hash Functions

  • A Hash Function is an efficient transformation of an arbitrary message to a hash value of fixed length

  • The hash value is much smaller than the original input

  • Additionally, it is difficult to reverse a hash function (hash functions are one way)

  • Collision freeness: it is very difficult to find two messages resulting in the same hash value.

  • Examples: MD5, SHA
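
The signing and verification steps and the hash-function properties from the two slides above, as an added Java example (not part of the original presentation) using the standard java.security API. It assumes SHA-256 and freshly generated 2048-bit RSA keys in place of the MD5 and certificate-backed keys the slides mention; the sample documents are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

public class SignatureDemo {

    // Hash function: arbitrary-length input, fixed-length digest.
    static byte[] digest(byte[] document) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(document);
    }

    // Signing: "SHA256withRSA" hashes the document and applies the
    // private key to the digest, i.e. both steps of the slide in one call.
    static byte[] sign(PrivateKey key, byte[] document) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(document);
        return s.sign();
    }

    // Verification: re-hash the received text and compare it with the
    // digest recovered from the signature using the public key.
    static boolean verify(PublicKey key, byte[] document, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(document);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair();

        // Constructed sample documents that differ in a single character.
        byte[] original = "Pay 100 EUR to account 12345".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "Pay 900 EUR to account 12345".getBytes(StandardCharsets.UTF_8);

        System.out.println("digest length in bytes: " + digest(original).length);
        System.out.println("digests differ: "
                + !MessageDigest.isEqual(digest(original), digest(tampered)));

        byte[] sig = sign(signer.getPrivate(), original);
        System.out.println("original verifies: " + verify(signer.getPublic(), original, sig));
        System.out.println("tampered verifies: " + verify(signer.getPublic(), tampered, sig));

        // A signature produced with a different private key must not verify
        // against the signer's public key.
        KeyPair other = gen.generateKeyPair();
        byte[] foreign = sign(other.getPrivate(), original);
        System.out.println("foreign key verifies: " + verify(signer.getPublic(), original, foreign));
    }
}
```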




What are Certificates ?

  • How to assure keys and entities match?

  • We demand certification !

  • Certificates give us the guarantee that the mentioned entity and the public key do in fact belong together; they bind the identity of a person to his public key.

  • The pair of identity and public key is digitally signed

  • Certificates are issued by Certificate Authorities after a rigorous check

  • Trust in the certificate is implied by trust in the Certificate Authority.


What are Certificates ?

[Diagram labels: Server (Server's Private Key + CA's Public Key); Client (Client's Private Key + CA's Public Key); Public Key of the Client and Public Key of the Server as Digitally Signed Certificates]


What are Certificates ?

Non-Repudiation

  • The holder of a certificate cannot deny his authenticity nor refuse his engagements when he digitally signed a message with the secret key corresponding to the public key in his certificate


What is SSL ?

  • The Secure Sockets Layer (SSL) Protocol maintains security, privacy, and integrity of the transmission channel by using encryption, authentication and message authentication codes.

  • The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application.

  • It allows applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

  • Invented by Netscape in 1996


What is SSL ?

  • SSL is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently.

  • Application protocol traffic is embedded into SSL and encrypted during transfer

  • IIOP + SSL = IIOPS

  • HTTP + SSL = HTTPS



What is SSL ?

  • The SSL Handshake Protocol consists of two phases.

  • During the "handshaking" process, public-key encryption is used.

  • After the exchange of keys, a number of ciphers are used, e.g. RC2, RC4, IDEA, DES, and triple-DES

  • The MD5 message-digest algorithm is used.

  • The public-key certificates follow the X.509 syntax


What is SSL ?

Server Authentication

  • The server, in response to a client's request, sends its certificate and its cipher preferences.

  • The client generates a master key, encrypts it with the server's public key, and sends the result to the server

  • The server recovers the master key and authenticates itself to the client by returning a message signed with the master key

  • Subsequent data is encrypted and authenticated with keys derived from this master key.


What is SSL ?

Client Authentication (optional).

  • The server sends a challenge to the client.

  • The client authenticates itself to the server by returning the client's digital signature on the challenge, as well as its public-key certificate.


Tightening up EAServer Security

AGENDA

  • Security Concerns and Risks

  • Security Techniques

  • Using Security Means in EAServer

    • Listener Configuration

    • Set protection levels for components

    • Protect Server Resources

    • Secure Clients

    • Protect Data


Using Security Means in EAServer

  • How to deal with Certificates and keys easily ?

  • Use a cryptographic module which is a loadable software plugin following the PKCS #11 standard

  • EAServer has a PKCS #11 module

    • Accessible from Security Manager

    • Accessible from Netscape


Using Security Means in EAServer

EAServer Security Manager


Using Security Means in EAServer

  • Netscape Communicator


Using Security Means in EAServer

Internet Explorer ...


Using Security Means in EAServer

Configure Listener Properties

  • Create a listener with protocol "https" or "iiops"

  • Select a Security Profile.


Using Security Means in EAServer

Configure Listener Properties (ctd)

  • A security profile specifies the security characteristics:

    • Whether mutual authentication is required

    • Which Cipher Suite to use for the encrypted connection

    • Which certificate the server will send to the client – note that the site name and the certificate common name must match !



Using Security Means in EAServer

Configure Listener Properties (ctd)

  • Important ! The Listener Properties must match the authentication and authorization requirements

    • When clients are required to send certificates for authentication, "_mutual_auth" must be selected.

  • Relation to Authentication Service:

    • Precedence of Certificates over Username/Password

    • Combinations


Using Security Means in EAServer

Authentication for Web Applications

  • Authentication is set at Web Application level

  • Authentication Mechanisms supported by EAServer: BASIC, FORM, and HTTPS Mutual Authentication

    • BASIC and FORM authentication should be combined with encryption to protect the passwords

    • In order to work effectively, you must enable an Authentication Mechanism for EAServer, e.g. OS Authentication or Authentication Service


Using Security Means in EAServer

Authentication for Web Applications

  • Login Config: Authentication = Client Certificate


Using Security Means in EAServer

Declarative Authorization

  • J2EE Declarative Authorization is based upon Roles which are logical privileges

  • Roles are assigned to Components to define the privileges needed to access them

  • Roles may be attributed to (known) Certificates

  • Role Assignment to EJBs and WebResources can be defined during development but must be reviewed at deployment time.


Using Security Means in EAServer

Authorization with Certificates


Using Security Means in EAServer

Programmatic Authorization

  • Role Service

  • Alternatively, a custom Authorization Service


Using Security Means in EAServer

Servlet Request Attributes

  • javax.servlet.request.cipher-suite = SSL_RSA_EXPORT_WITH_RC4_40_MD5

  • javax.servlet.request.key-size = 40

  • javax.servlet.request.X509Certificate


Using Security Means in EAServer

Authorization for Web Applications

  • The Web Application Provider defines the Resources that have to be protected in the form of Security Constraints

  • EAServer will control each access and ensure that protected resources are only accessed by authenticated and/or authorized users


Using Security Means in EAServer

Authorization for Web Applications

  • Security Constraint 0, Zone 0

    • Pattern = /Calculate

    • Role = WebAgent, WebSupervisor

    • Transport Guarantee = Confidential

  • Security Constraint 1, Zone 1

    • Pattern = /Calculate/Interest

    • Role = WebSupervisor

    • Transport Guarantee = Confidential


Using Security Means in EAServer

Authorization for Web Applications


Using Security Means in EAServer

Authorization for Web Applications


Using Security Means in EAServer

Declarative Security for EJBs

  • The EJB Tier must be protected as well because IIOP Listeners do expose them

  • Permissions are granted per Method using Roles

  • Roles may contain synthetic identities, e.g. Everybody or Anonymous for unauthenticated users

  • For EJB 2.0, a Bean method without role assignment cannot be used by any caller !


Using Security Means in EAServer

Set protection levels for components

  • Packages, Components, and Methods can be configured to have a minimum quality of protection that a client connection must have for invocation

    • com.sybase.jaguar.package.qop

    • com.sybase.jaguar.component.qop

    • com.sybase.jaguar.method.qop


Using Security Means in EAServer

Set protection levels for components (ctd)

  • QOP settings may be

    • syb_osauth

    • syb_simple, syb_intl, syb_domestic, syb_strong

    • or the "_mutual_auth" variant


Using Security Means in EAServer

Set protection levels for components (ctd)

  • Client QOP, Listener QOP, and Component QOP must be the same or compatible


Using Security Means in EAServer

Set protection levels for components (ctd)


Using Security Means in EAServer

Retrieving SSL Connection Information

  • EAServer passes an object of type CtsSecurity::SessionInfo to Authentication, Authorization and Role Services

  • long getAuthenticationStatus() - SSL relevant fields:

    • AUTH_SSL_SESSION - bit 0

    • AUTH_SSL_AUTHENTICATED - bit 1

  • CtsSecurity::SSLSessionInfo getSSLSessionInfo() - only when SSL is used !


Using Security Means in EAServer

Retrieving SSL Connection Information (ctd)

  • The SSLSessionInfo object provides access to

    • the client's certificate

    • the server's certificate

    • SSL session properties, e.g. Host, Port, Cipher Suite, User Data, Entrust properties

  • See the Interface Repository for full documentation


Using Security Means in EAServer

Authorization

  • Take care that the Access Control Rules are consistent across all paths by which components may be accessed

  • A less protected Method or Request must not be able to circumvent a more rigorously protected method specified by your Security Policy.


Using Security Means in EAServer

Clients

  • Applets use the SSL infrastructure of the browser

  • Java Applications, C++, PowerBuilder can use native SSL support

  • Common Prerequisite for Standalone Clients:

    • Jaguar Client: Certificate Store, Runtime Libraries

    • Libraries path must be in PATH

    • Environment Variable JAGUAR_CLIENT_ROOT


Using Security Means in EAServer

Clients

  • In order to establish an SSL Connection, a couple of parameters must be set:

    • PKCS #11 Token Pin

    • Quality of Protection

    • Certificate Label for Mutual Authentication

  • The parameters must be passed to ORB.init()

  • Alternatively, use the SSLServiceProvider


Using Security Means in EAServer

Securing C++ Clients

  • char *orb_args[] = {"-ORBpin", "sybase", "-ORBqop", "sybpks_intl_mutual_auth", "-ORBcertLabel", "Markus_1" };

  • CORBA::ORB_var orb = CORBA::ORB_init(6, orb_args, 0);

  • SessionManager::Manager_var manager = SessionManager::Manager::_narrow( orb->string_to_object("iiops://localhost:9002"));


Using Security Means in EAServer

Securing PB Clients

String ls_init

ls_init = "ORBNameServiceURL='iiop://HOST:9002', ORBqop=sybpks_intl_mutual_auth, ORBpin=sybase, ORBcertificateLabel='Markus_1'"

ORB.init (ls_init)


Using Security Means in EAServer

Securing Java Clients

  • Properties p = new Properties();

  • p.put("org.omg.CORBA.ORBClass", "...CORBA.ORB");

  • p.put("com.sybase.CORBA.pin", "sybase");

  • p.put("com.sybase.CORBA.qop", "qop");

  • p.put("com.sybase.CORBA.certificateLabel", "Markus_1");

  • ORB orb = ORB.init((String[])null, p);

  • Manager manager = ManagerHelper.narrow(orb.string_to_object("iiops://host:9002"));


Using Security Means in EAServer

JNDI based Clients

  • Properties props = new Properties();

  • props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sybase.ejb.InitialContextFactory");

  • props.put(Context.SECURITY_PRINCIPAL, "jagadmin");

  • props.put(Context.SECURITY_CREDENTIALS, "");


Using Security Means in EAServer

JNDI based Clients (ctd)

  • props.put(Context.PROVIDER_URL, "iiops://localhost:9001");

  • props.put("com.sybase.ejb.pin", "sybase");

  • props.put("com.sybase.ejb.qop", "sybpks_intl");

  • props.put("com.sybase.ejb.certificateLabel", "Markus_1");

  • InitialContext ic = new InitialContext(props);

  • CalcHome home = (CalcHome)ic.lookup("Calculator");

  • Calc calc = home.create();


Using Security Means in EAServer

SSLServiceProvider

  • import CtsSecurity.*;

  • SSLServiceProvider prov;

  • prov = SSLServiceProviderHelper.narrow(orb.resolve_initial_references("SSLServiceProvider"));

  • prov.setGlobalProperty("qop", "sybpks_intl");

  • prov.setGlobalProperty("callbackImpl", "SSLCallback");


Using Security Means in EAServer

SSLServiceProvider

  • The callback class SSLCallback must implement CtsSecurity.SSLCallbackIntf

    • getPin ()

    • getCertificateLabel ()

    • trustVerify ()

    • getCredentialAttribute ()

  • The ORB invokes callback methods when required information is missing or incorrect.


Using Security Means in EAServer

Retrieving SSL Connection Information

  • Clients and Components can retrieve detailed information on the security characteristics of a connection

  • Client code narrows the object reference to CtsSecurity::SessionInfo

  • A component inside the server instantiates a pseudo reference to CtsSecurity::SessionInfo


Using Security Means in EAServer

Retrieving SSL Connection Information

  • If SSL is enabled, you can get a SSLSessionInfo object by calling SessionInfo.getSSLSessionInfo()

  • The SSLSessionInfo provides access to the client certificate and allows inspection of the characteristics of the session

    • certificateLabel

    • host, port

    • cipherSuite, qop

    • ...


Using Security Means in EAServer

Authentication with Certificates

[Diagram labels: C, C++; External Client, Encryption, IIOPS; OS or Custom Authentication; Internal Client, IIOP]


Security Risks: the Solution

[Diagram labels: C++; Firewall, Encryption, Authentication, Authorization]


Using Security Means in EAServer

Solution

  • Eavesdropping → Encryption

  • Data tampering → Digital Signatures

  • Masquerading → Certificate based Authentication

  • Misused Resources → Authorization of authenticated Users

  • Repudiation → Certificates, Digital Signatures


Using Security Means in EAServer

References

  • "Security Administration and Programming Guide"

  • Interface Repository

  • WebSites of known manufacturers

    • RSA Securities (extended FAQ)

    • Netscape (Details about SSL)

    • Verisign, Thawte


Summary

  • Modern internet-open distributed architectures and e-business applications have inherent security issues that require appropriate treatment.

  • Means and techniques to solve or reduce them considerably are

    • Encryption

    • Signatures

    • Digital Signatures

