E138 Tightening up EAServer Security - PowerPoint PPT Presentation


Title: E138 Tightening up EAServer Security


1
E138 Tightening up EAServer Security
  • Markus Ohly
  • Sybase European CSS
  • Markus.Ohly_at_sybase.com

2
Tightening up EAServer Security
  • AGENDA
  • Security Concerns and Risks
  • Security Techniques
  • Applying Security Techniques to EAServer

3
Tightening up EAServer Security
  • AGENDA
  • Security Concerns and Risks
  • Introduction
  • Fighting against Risks and Dangers
  • Security Techniques
  • Applying Security Techniques to EAServer

4
Security Concerns and Risks

5
Security Concerns and Risks
  • Disclosure of confidential information
    (Eavesdropping)
  • Modification, Deletion, Reuse of data (Data
    tampering)
  • Misuse of protected resources
  • Misuse that compromises availability
  • Masquerading, Misrepresentation and Repudiation
  • Sender claims that he did not send a message
  • Repetition of original messages
  • Compromised Privacy, Integrity, and Accountability

6
Security Concerns and Risks
  • Fighting against Risks and Dangers
  • Your company is in danger when computing
    resources fail, are unavailable, or are compromised.
  • Not all of the threats can be easily eliminated
    (if at all)
  • Reduce exposure to an acceptable level
  • Use Security Means

7
Security Concerns and Risks
  • Fighting against Risks and Dangers
  • Authentication
  • Mechanism by which callers and servers prove to
    one another that they are acting on behalf of
    specific users
  • A component acting as an intermediary in a call
    chain may impersonate the originating user or
    have its own identity.
  • Normally, Authentication builds the basis for
    Authorization

8
Security Concerns and Risks
  • Fighting against Risks and Dangers
  • Authorization
  • Authorization mechanisms limit usage of resources
    to users, groups, or systems for the purpose of
    enforcing integrity, confidentiality, or
    availability constraints.
  • Protected Resources are distinguished by the
    presence of authorization rules that grant access
    only to authentic caller identities

9
Security Concerns and Risks
  • Fighting against Risks and Dangers
  • Network Architecture
  • Firewalls
  • DMZs
  • Proxies
  • Auditing
  • Public Key Cryptography
  • Encryption
  • Digital Signatures

10
Tightening up EAServer Security
  • AGENDA
  • Security Concerns and Risks
  • Security Techniques
  • What is Encryption ?
  • What are Certificates ?
  • What are Digital Signatures ?
  • What is SSL ?
  • Applying Security Techniques to EAServer

11
What is Encryption ?
  • A mathematical domain that allows data to be
    scrambled to keep it safe from external "eyes"
    and thus ensures a high level of security
  • Two major types of cryptographic algorithms
    exist
  • Symmetric encryption (secret key cryptography)
  • Asymmetric encryption (public key cryptography)

12
What is Encryption ?
  • Secret Key Cryptography

13
What is Encryption ?
  • Secret Key Cryptography
  • Algorithms: DES, Triple-DES, RC2, RC4, RC5
  • Advantage: Fast and efficient
  • Problem: Key exchange
  • The keys must be shared by both end points
  • How to keep the shared key secret ?

14
What is Encryption ?
  • Public Key Cryptography
  • Solution to the key exchange problem
  • Diffie, Hellman (1976)
  • Rivest, Shamir, Adleman (1978)
  • Public key encryption is based upon a key pair
  • public key and private key
  • It is VERY VERY difficult to compute the private
    key from the known public key

15
What is Encryption ?
  • Public Key Cryptography
  • Public and private keys are inverse and can be
    applied in two directions
  • Encryption Equation:
  • D(private, E(public, m)) = m
  • Authenticity Equation:
  • D(public, E(private, m)) = m

16
What is Encryption ?
  • Public Key Cryptography

17
What is Encryption ?
  • Public Key Cryptography
  • D(private, E(public, m)) = m (Encryption
    Equation)
  • Everyone can send secret messages to a person
    using the public key of the addressee
  • Arbitrary individuals cannot decrypt messages
    encrypted with a public key because they do not
    know and cannot compute the private key
  • Only a person having the matching private key can
    decrypt the message

18
What is Encryption ?
  • Public Key Cryptography
  • Advantage: No secret key exchange, only public
    keys are exchanged
  • Disadvantages:
  • CPU intensive (a factor of 100 compared with DES
    in software)
  • Performance hit on busy sites with lots of
    connections
  • Known algorithms: RSA (Rivest, Shamir, Adleman)

19
What are Digital Signatures ?
  • Authenticity Equation:
  • D(public, E(private, m)) = m
  • Using the private key for encryption can only be
    done by the key owner
  • Everybody can read the message but nobody is able
    to change it
  • Messages with digital signatures are authentic

20
What are Digital Signatures ?
  • How to digitally sign a document ?
  • Compute a Message Digest of fixed length by
    applying a Hash Function to the document
  • Authenticate the Message Digest, that is encrypt
    the Message Digest with your private key
  • How to verify a Digital Signature ?
  • Apply the Hash Function to the received text
  • Decrypt the provided Digest using the public key
  • Authenticity is proved if both results match

21
What are Digital Signatures ?
  • Hash Functions
  • A Hash Function is an efficient transformation of
    an arbitrary message to a hash value of fixed
    length
  • The hash value is much smaller than the original
    input
  • Additionally, it is difficult to reverse a hash
    function (hash functions are one way)
  • Collision freeness: it is very difficult to find
    two messages resulting in the same hash value.
  • Examples: MD5, SHA
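
The sign and verify steps from the preceding slides, as an added Java example that is not part of the original presentation. It uses SHA-256 rather than the MD5 the slides mention, and the class and method names are illustrative; `verifyBySteps` follows the slide's three steps literally, while `verify` is the single library call to use in practice.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

public class SignatureSteps {
    // Signer: hash the document and transform the digest with the private key.
    static byte[] sign(KeyPair kp, byte[] doc) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(doc);
        return s.sign();
    }

    // Verifier, spelled out as on the slide: recompute the hash, recover the
    // signed digest with the public key, compare the two. Illustration only:
    // it compares the digest bytes and ignores the algorithm identifier.
    static boolean verifyBySteps(PublicKey pub, byte[] doc, byte[] sig) throws Exception {
        byte[] recomputed = MessageDigest.getInstance("SHA-256").digest(doc);
        Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        rsa.init(Cipher.DECRYPT_MODE, pub);
        byte[] recovered;
        try {
            recovered = rsa.doFinal(sig);   // DER DigestInfo: algorithm id + digest
        } catch (Exception e) {
            return false;                   // not produced by the matching private key
        }
        if (recovered.length < recomputed.length) return false;
        byte[] signedDigest = Arrays.copyOfRange(
                recovered, recovered.length - recomputed.length, recovered.length);
        return MessageDigest.isEqual(recomputed, signedDigest);
    }

    // Verifier as application code should do it: one library call.
    static boolean verify(PublicKey pub, byte[] doc, byte[] sig) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(doc);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        // Constructed sample documents: the second differs by one character.
        byte[] doc = "transfer 100 EUR to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 EUR to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(kp, doc);
        System.out.println("original, by steps: " + verifyBySteps(kp.getPublic(), doc, sig));
        System.out.println("original, library:  " + verify(kp.getPublic(), doc, sig));
        System.out.println("tampered, by steps: " + verifyBySteps(kp.getPublic(), tampered, sig));
        System.out.println("tampered, library:  " + verify(kp.getPublic(), tampered, sig));
    }
}
```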

22
What are Digital Signatures ?

23
What are Digital Signatures ?

24
What are Certificates ?
  • How to assure keys and entities match?
  • We demand certification !
  • Certificates give us the guarantee that the
    mentioned entity and the public key do in fact
    belong together, they bind the identity of a
    person to his public key.
  • The pair of identity and public key is digitally
    signed
  • Certificates are issued by Certificate
    Authorities after a rigorous check
  • Trust in the certificate is implied by trust in
    the Certificate Authority.

25
What are Certificates ?
[Diagram: Server (server's private key, CA's public key); Client (client's private key, CA's public key); digitally signed certificates]

26
What are Certificates ?
  • Non-Repudiation
  • The holder of a certificate cannot deny his
    authenticity nor refuse his engagements when he
    digitally signed a message with the secret key
    corresponding to the public key in his certificate

27
What is SSL ?
  • The Secure Sockets Layer (SSL) Protocol maintains
    security, privacy, and integrity of the
    transmission channel by using encryption,
    authentication and message authentication codes.
  • The SSL protocol is able to negotiate encryption
    keys as well as authenticate the server before
    data is exchanged by the higher-level
    application.
  • It allows applications to communicate in a way
    that is designed to prevent eavesdropping,
    tampering, or message forgery.
  • Invented by Netscape in 1996

28
What is SSL ?
  • SSL is application protocol independent. A
    higher level protocol can layer on top of the SSL
    Protocol transparently.
  • Application protocol traffic is embedded into SSL
    and encrypted during transfer
  • IIOP + SSL = IIOPS
  • HTTP + SSL = HTTPS

29
What is SSL ?
30
What is SSL ?
  • The SSL Handshake Protocol consists of two
    phases.
  • During the handshaking process, the public-key
    encryption is used.
  • After the exchange of keys, a number of ciphers
    are used, e.g. RC2, RC4, IDEA, DES, and triple-DES
  • The MD5 message-digest algorithm is used.
  • The public-key certificates follow the X.509
    syntax

31
What is SSL ?
  • Server Authentication
  • The server, in response to a client's request,
    sends its certificate and its cipher preferences.
  • The client generates a master key, encrypts it
    with the server's public key, and sends the
    result to the server
  • The server recovers the master key and
    authenticates itself to the client by returning a
    message signed with the master key
  • Subsequent data is encrypted and authenticated
    with keys derived from this master key.

32
What is SSL ?
  • Client Authentication (optional).
  • The server sends a challenge to the client.
  • The client authenticates itself to the server by
    returning the client's digital signature on the
    challenge, as well as its public-key certificate.

33
Tightening up EAServer Security
  • AGENDA
  • Security Concerns and Risks
  • Security Techniques
  • Using Security Means in EAServer
  • Listener Configuration
  • Set protection levels for components
  • Protect Server Resources
  • Secure Clients
  • Protect Data

34
Using Security Means in EAServer
  • How to deal with Certificates and keys easily ?
  • Use a cryptographic module which is a loadable
    software plugin following the PKCS #11 standard
  • EAServer has a PKCS #11 module
  • Accessible from Security Manager
  • Accessible from Netscape

35
Using Security Means in EAServer
  • EAServer Security Manager

36
Using Security Means in EAServer
  • Netscape Communicator

37
Using Security Means in EAServer
  • Internet Explorer ...

38
Using Security Means in EAServer
  • Configure Listener Properties
  • Create a listener with protocol https or
    iiops
  • Select a Security Profile.

39
Using Security Means in EAServer
  • Configure Listener Properties (ctd)
  • A security profile specifies the security
    characteristics
  • Whether mutual authentication is required
  • Which Cipher Suite to use for the encrypted
    connection
  • Which certificate the server will send to the
    client; note that the site name and the
    certificate common name must match !

40
Using Security Means in EAServer
  • Security
  • Profile

41
Using Security Means in EAServer
  • Configure Listener Properties (ctd)
  • Important ! The Listener Properties must match
    the authentication and authorization requirements
  • When clients are required to send certificates
    for authentication, _mutual_auth must be
    selected.
  • Relation to Authentication Service
  • Precedence of Certificates over Username/Password
  • Combinations

42
Using Security Means in EAServer
  • Authentication for Web Applications
  • Authentication is set at Web Application level
  • Authentication Mechanisms supported by EAServer:
    BASIC, FORM, and HTTPS Mutual Authentication
  • BASIC and FORM authentication should be combined
    with encryption to protect the passwords
  • In order to work effectively, you must enable an
    Authentication Mechanism for EAServer, e.g. OS
    Authentication or Authentication Service

43
Using Security Means in EAServer
  • Authentication for Web Applications
  • Login Config Authentication Client Certificate

44
Using Security Means in EAServer
  • Declarative Authorization
  • J2EE Declarative Authorization is based upon
    Roles which are logical privileges
  • Roles are assigned to Components to define the
    required privileges needed to access components
  • Roles may be attributed to (known) Certificates
  • Role Assignment to EJBs and WebResources can be
    defined during development but must be reviewed
    at deployment time.

45
Using Security Means in EAServer
  • Authorization with Certificates

46
Using Security Means in EAServer
  • Programmatic Authorization
  • Role Service
  • Alternatively, a custom Authorization Service

47
Using Security Means in EAServer
  • Servlet Request Attributes
  • javax.servlet.request.cipher-suite =
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • javax.servlet.request.key-size = 40
  • javax.servlet.request.X509Certificate
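
A server-side check built on these request attributes, as an added example that is not from the presentation or from EAServer. The Servlet specification spells the first two names with underscores (`cipher_suite`, `key_size`), which is what the code uses; the attribute map stands in for `request.getAttribute()`, and `minKeyBits` and `requireClientCert` are hypothetical policy parameters.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class TransportPolicy {
    // Attribute names as spelled in the Servlet specification.
    static final String CIPHER = "javax.servlet.request.cipher_suite";
    static final String KEY_SIZE = "javax.servlet.request.key_size";
    static final String CERTS = "javax.servlet.request.X509Certificate";

    // Returns the reasons to reject the request; an empty list means it passes.
    // In a servlet or filter, fill attrs from request.getAttribute(name).
    static List<String> violations(Map<String, Object> attrs,
                                   int minKeyBits, boolean requireClientCert) {
        List<String> out = new ArrayList<>();
        Object suite = attrs.get(CIPHER);
        Object bits = attrs.get(KEY_SIZE);
        if (suite == null || !(bits instanceof Integer)) {
            // The container sets these attributes only for SSL connections.
            out.add("request did not arrive over SSL");
            return out;
        }
        String name = suite.toString();
        if (name.contains("_EXPORT_") || name.contains("_NULL_") || name.contains("_anon_")) {
            out.add("weak cipher suite: " + name);
        }
        int keyBits = (Integer) bits;
        if (keyBits < minKeyBits) {
            out.add("key size " + keyBits + " below required " + minKeyBits);
        }
        // The certificate attribute holds an array of X509Certificate objects
        // when the client authenticated with a certificate.
        Object chain = attrs.get(CERTS);
        boolean hasCert = chain instanceof Object[] && ((Object[]) chain).length > 0;
        if (requireClientCert && !hasCert) {
            out.add("no client certificate presented");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: the values shown on the slide, no client certificate.
        Map<String, Object> slide = new HashMap<>();
        slide.put(CIPHER, "SSL_RSA_EXPORT_WITH_RC4_40_MD5");
        slide.put(KEY_SIZE, Integer.valueOf(40));
        System.out.println(violations(slide, 128, true));

        // Constructed sample: a plain HTTP request carries none of the attributes.
        System.out.println(violations(new HashMap<>(), 128, true));
    }
}
```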

48
Using Security Means in EAServer
  • Authorization for Web Applications
  • The Web Application Provider defines the
    Resources that have to be protected in form of
    Security Constraints
  • EAServer will control each access and ensure that
    protected resources are only accessed by
    authenticated and/or authorized users

49
Using Security Means in EAServer
  • Authorization for Web Applications
  • Security Constraint 0, Zone 0
  • Pattern: /Calculate
  • Role: WebAgent, WebSupervisor
  • Transport Guarantee: Confidential
  • Security Constraint 1, Zone 1
  • Pattern: /Calculate/Interest
  • Role: WebSupervisor
  • Transport Guarantee: Confidential

50
Using Security Means in EAServer
  • Authorization for Web Applications

51
Using Security Means in EAServer
  • Authorization for Web Applications

52
Using Security Means in EAServer
  • Declarative Security for EJBs
  • The EJB Tier must be protected as well because
    IIOP Listeners do expose them
  • Permissions are granted per Method using Roles
  • Roles may contain synthetic identities, e.g.
    Everybody or Anonymous for unauthenticated users
  • For EJB 2.0, a Bean method without role
    assignment cannot be used by any caller !

53
Using Security Means in EAServer
  • Set protection levels for components
  • Packages, Components, and Methods can be
    configured to have a minimum quality of
    protection that a client connection must have for
    invocation
  • com.sybase.jaguar.package.qop
  • com.sybase.jaguar.component.qop
  • com.sybase.jaguar.method.qop

54
Using Security Means in EAServer
  • Set protection levels for components (ctd)
  • QOP settings may be
  • syb_osauth
  • syb_simple, syb_intl, syb_domestic, syb_strong
  • or the _mutual_auth variant

55
Using Security Means in EAServer
  • Set protection levels for components (ctd)
  • Client QOP, Listener QOP, and Component QOP must
    be the same or compatible

56
Using Security Means in EAServer
  • Set protection levels for components (ctd)

57
Using Security Means in EAServer
  • Retrieving SSL Connection Information
  • EAServer passes an object of type
    CtsSecurity::SessionInfo to Authentication,
    Authorization and Role Services
  • long getAuthenticationStatus() - SSL relevant
    fields
  • AUTH_SSL_SESSION - bit 0
  • AUTH_SSL_AUTHENTICATED - bit 1
  • CtsSecurity::SSLSessionInfo getSSLSessionInfo() -
    only when SSL is used !

58
Using Security Means in EAServer
  • Retrieving SSL Connection Information (ctd)
  • The SSLSessionInfo object provides access to
  • the client's certificate
  • the server's certificate
  • SSL session properties, e.g. Host, Port, Cipher
    Suite, User Data, Entrust properties
  • See the Interface Repository for full
    documentation

59
Using Security Means in EAServer
  • Authorization
  • Take care that the Access Control Rules are
    consistent across all paths by which components
    may be accessed
  • A less protected Method or Request must not be
    able to circumvent a more rigorously protected
    method specified by your Security Policy.

60
Using Security Means in EAServer
  • Clients
  • Applets use the SSL infrastructure of the browser
  • Java Applications, C, PowerBuilder can use
    native SSL support
  • Common Prerequisite for Standalone Clients
  • Jaguar Client Certificate Store, Runtime
    Libraries
  • Libraries path must be in PATH
  • Environment Variable JAGUAR_CLIENT_ROOT

61
Using Security Means in EAServer
  • Clients
  • In order to establish an SSL Connection, a couple
    of parameters must be set
  • PKCS #11 Token Pin
  • Quality of Protection
  • Certificate Label for Mutual Authentication
  • The parameters must be passed to ORB.init()
  • Alternatively, use the SSLServiceProvider

62
Using Security Means in EAServer
  • Securing C++ Clients
  • char *orb_args[] = { "-ORBpin", "sybase",
    "-ORBqop", "sybpks_intl_mutual_auth",
    "-ORBcertLabel", "Markus_1" };
  • CORBA::ORB_var orb = CORBA::ORB_init(6,
    orb_args, 0);
  • SessionManager::Manager_var manager =
    SessionManager::Manager::_narrow(
    orb->string_to_object("iiops://localhost:9002"));

63
Using Security Means in EAServer
  • Securing PB Clients
  • String ls_init
  • ls_init =
    "ORBNameServiceURL='iiop://HOST:9002',
    ORBqop=sybpks_intl_mutual_auth, ORBpin=sybase,
    ORBcertificateLabel=Markus_1"
  • ORB.init (ls_init)

64
Using Security Means in EAServer
  • Securing Java Clients
  • Properties p = new Properties();
  • p.put("org.omg.CORBA.ORBClass", "...CORBA.ORB");
  • p.put("com.sybase.CORBA.pin", "sybase");
  • p.put("com.sybase.CORBA.qop", "qop");
  • p.put("com.sybase.CORBA.certificateLabel",
    "Markus_1");
  • ORB orb = ORB.init((String[])null, p);
  • Manager manager = ManagerHelper.narrow(
    orb.string_to_object("iiops://host:9002"));

65
Using Security Means in EAServer
  • JNDI based Clients
  • Properties props = new Properties();
  • props.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sybase.ejb.InitialContextFactory");
  • props.put(Context.SECURITY_PRINCIPAL,
    "jagadmin");
  • props.put(Context.SECURITY_CREDENTIALS, "");

66
Using Security Means in EAServer
  • JNDI based Clients (ctd)
  • props.put(Context.PROVIDER_URL,
    "iiops://localhost:9001");
  • props.put("com.sybase.ejb.pin", "sybase");
  • props.put("com.sybase.ejb.qop", "sybpks_intl");
  • props.put("com.sybase.ejb.certificateLabel",
    "Markus_1");
  • InitialContext ic = new InitialContext(props);
  • CalcHome home = (CalcHome)ic.lookup("Calculator");
  • Calc calc = home.create();

67
Using Security Means in EAServer
  • SSLServiceProvider
  • import CtsSecurity.*;
  • SSLServiceProvider prov;
  • prov = SSLServiceProviderHelper.narrow(
    orb.resolve_initial_references(
    "SSLServiceProvider"));
  • prov.setGlobalProperty("qop", "sybpks_intl");
  • prov.setGlobalProperty("callbackImpl",
    "SSLCallback");

68
Using Security Means in EAServer
  • SSLServiceProvider
  • The callback class SSLCallback must implement
    CtsSecurity.SSLCallbackIntf
  • getPin ()
  • getCertificateLabel ()
  • trustVerify ()
  • getCredentialAttribute ()
  • The ORB invokes callback methods when required
    information is missing or incorrect.

69
Using Security Means in EAServer
  • Retrieving SSL Connection Information
  • Clients and Components can retrieve detailed
    information on the security characteristics of a
    connection
  • Client code narrows the object reference to
    CtsSecurity::SessionInfo
  • A component inside the server instantiates a
    pseudo reference to CtsSecurity::SessionInfo

70
Using Security Means in EAServer
  • Retrieving SSL Connection Information
  • If SSL is enabled, you can get a SSLSessionInfo
    object by calling SessionInfo.getSSLSessionInfo()
  • The SSLSessionInfo provides access to the client
    certificate and lets you inspect the
    characteristics of the session
  • certificateLabel
  • host, port
  • cipherSuite, qop
  • ...

71
Using Security Means in EAServer
[Diagram labels: Authentication with Certificates; External Client; Encryption; IIOPS; OS or Custom Authentication; Internal Client; IIOP]

72
Security Risks: the Solution
[Diagram labels: Firewall; Encryption; Authentication, Authorization]

73
Using Security Means in EAServer
  • Solution
  • Eavesdropping -> Encryption
  • Data tampering -> Digital Signatures
  • Masquerading -> Certificate based Authentication
  • Misused Resources -> Authorization of
    authenticated Users
  • Repudiation -> Certificates, Digital Signatures

74
Using Security Means in EAServer
  • References
  • Security Administration and Programming Guide
  • Interface Repository
  • WebSites of known manufacturers
  • RSA Securities (extended FAQ)
  • Netscape (Details about SSL)
  • Verisign, Thawte

75
Summary
  • Modern internet-open distributed architectures
    and e-business applications have inherent
    security issues that require appropriate
    treatment.
  • Means and techniques to solve or reduce them
    considerably are
  • Encryption
  • Signatures
  • Digital Signatures

76
E138 Tightening up EAServer Security
  • Markus Ohly
  • Sybase European CSS
  • Markus.Ohly_at_sybase.com