E138 Tightening up EAServer Security

1
E138Tightening up EAServer Security

• Markus Ohly
• Sybase European CSS
• Markus.Ohly_at_sybase.com

2
Tightening up EAServer Security

• AGENDA
• Security Concerns and Risks
• Security Techniques
• Applying Security Techniques to EAServer

3
Tightening up EAServer Security

• AGENDA
• Security Concerns and Risks
• Introduction
• Fighting against Risks and Dangers
• Security Techniques
• Applying Security Techniques to EAServer

4
Security Concerns and Risks

5
Security Concerns and Risks

• Disclosure of confidential information
  (Eavesdropping)
• Modification, Deletion, Reuse of data (Data
  tampering)
• Misuse of protected resources
• Misuse that compromises availability
• Masquerading, Misrepresentation and Repudiation
• Sender claims that he did not send a message
• Repetition of original messages
• Compromised Privacy, Integrity, and Accountability

6
Security Concerns and Risks

• Fighting against Risks and Dangers
• Your company is in danger when computing
  resources fail, are unavailable, or compromised.
• Not all of the threats can be easily eliminated
  (if at all)
• Reduce exposure to an acceptable level
• Use Security Means

7
Security Concerns and Risks

• Fighting against Risks and Dangers
• Authentication
• Mechanism by which callers and servers prove to
  one another that they are acting on behalf of
  specific users
• A component acting as an intermediary in a call
  chain may impersonate the user the originating
  user or have its own identity.
• Normally, Authentication builds the basis for
  Authorization

8
Security Concerns and Risks

• Fighting against Risks and Dangers
• Authorization
• Authorization mechanisms limit usage of resources
  to users, groups, or systems for the purpose of
  enforcing integrity, confidentiality, or
  availability constraints.
• Protected Resources are distinguished by the
  presence of authorization rules that grant access
  only to authentic caller identities

9
Security Concerns and Risks

• Fighting against Risks and Dangers
• Networe Architecture
• Firewalls
• DMZs
• Proxies
• Auditing
• Public Key Cryptography
• Encryption
• Digital Signatures

10
Tightening up EAServer Security

• AGENDA
• Security Concerns and Risks
• Security Techniques
• What is Encryption ?
• What are Certificates ?
• What are Digital Signatures ?
• What is SSL ?
• Applying Security Techniques to EAServer

11
What is Encryption ?

• A Mathematical Domain allowing to scramble data
  to keep it safe from external "eyes and thus
  ensures a high level of security
• Two major types of cryptographic algorithms
  exist
• Symmetric encryption (secret key cryptography)
• Asymmetric encryption (public key cryptography)

12
What is Encryption ?

• Secret Key Cryptography

13
What is Encryption ?

• Secret Key Cryptography
• Algorithms DES, Triple-DES, RC2, RC4, RC5
• Advantage Fast and efficient
• Problem Key exchange
• The keys must be shared by both end points
• How to keep the shared key secret ?

14
What is Encryption ?

• Public Key Cryptography
• Solution to the key exchange problem
• Diffie, Hellman (1976)
• Rivest, Shamir, Adleman (1978)
• Public key encryption is based upon a key pair
• public key and private key
• It is VERY VERY difficult to compute the private
  key from the known public key

15
What is Encryption ?

• Public Key Cryptography
• Public and private keys are inverse and can be
  applied in two directions
• Encryption Equation
• D(private, E(public, m)) m
• Authenticity Equation
• D(public, E(private, m)) m

16
What is Encryption ?

• Public Key Cryptography

17
What is Encryption ?

• Public Key Cryptography
• D(private, E(public, m)) m (Encryption
  Equation)
• Everyone can send secret messages to a person
  using the public key of the addressee
• Arbitrary individuals cannot decrypt messages
  encrypted with a public key because they do not
  know and cannot compute the private key
• Only a person having the matching private key can
  decrypt the message

18
What is Encryption ?

• Public Key Cryptography
• Advantage No secret key exchange, only public
  keys are exchanged
• Disadvantages
• CPU intensive (factor 100 to DES in Software)
• Performance hit on busy site with lots of
  connections
• Known algorithms RSA (Rivest, Shamir, Adleman)

19
What are Digital Signatures ?

• Authenticity Equation
• D(public, E(private, m)) m
• Using the private key for encryption can only be
  done by the key owner
• Everybody can read the message but nobody is able
  to change it
• Messages with digital signatures are authentic

20
What are Digital Signatures ?

• How to digitally sign a document ?
• Compute a Message Digest of fixed length by
  applying a Hash Function to the document
• Authenticate the Message Digest, that is encrypt
  the Message Digest with your private key
• How to verify a Digital Signature ?
• Apply the Hash Function to the received text
• Decrypt the provided Digest using the public key
• Authenticity is prooved if both results match

21
What are Digital Signatures ?

• Hash Functions
• A Hash Function is an efficient transformation of
  an arbitrary message to a hash value of fixed
  length
• The hash value is much smaller than the original
  input
• Additionally, it is difficult to reverse a hash
  function (hash functions are one way)
• collision freeness it is very difficult to find
  two messages resulting in the same hash value.
• Examples MD5, SHA

22
What are Digital Signatures ?
23
What are Digital Signatures ?
24
What are Certificates ?

• How to assure keys and entities match?
• We demand certification !
• Certificates give us the guarantee that the
  mentioned entity and the public key do in fact
  belong together, they bind the identity of a
  person to his public key.
• The pair of identity and public key is digitally
  signed
• Certificates are issued by Certificate
  Authorities after a rigorous check
• Trust to the certificate is implied by trust to
  the Certificate Authority.

25
What are Certificates ?
Server
Servers Private Key
CAs Public Key

Client
Clients Private Key
CAs Public Key

Digitally Signed Certificates
26
What are Certificates ?

• Non-Repudiation
• The holder of a certificate cannot deny his
  authenticity nor refuse his engagements when he
  digitally signed a message with the secret key
  corresponding to the public key in his certificate

27
What is SSL ?

• The Secure Sockets Layer (SSL) Protocol maintains
  security, privacy, and integrity of the
  transmission channel by using encryption,
  authentication and message authentication codes.
• The SSL protocol is able to negotiate encryption
  keys as well as authenticate the server before
  data is exchanged by the higher-level
  application.
• It allows applications to communicate in a way
  that is designed to prevent eavesdropping,
  tampering, or message forgery.
• Invented by Netscape in 1996

28
What is SSL ?

• SSL is application protocol independent. A
  higher level protocol can layer on top of the SSL
  Protocol transparently.
• Application protocol traffic is embedded into SSL
  and encrypted during transfer
• IIOP SSL IIOPS
• HTTP SSL HTTPS

29
What is SSL ?
30
What is SSL ?

• The SSL Handshake Protocol consists of two
  phases.
• During the handshaking process, the public-key
  encryption is used.
• After the exchange of keys, a number of ciphers
  are used, eg. RC2, RC4, IDEA, DES, and triple-DES
  
• The MD5 message-digest algorithm is used.
• The public-key certificates follow the X.509
  syntax

31
What is SSL ?

• Server Authentication
• The server, in response to a client's request,
  sends its certificate and its cipher preferences.
• The client generates a master key, encrypts it
  with the server's public key, and sends the
  result to the server
• The server recovers the master key and
  authenticates itself to the client by returning a
  message signed with the master key
• Subsequent data is encrypted and authenticated
  with keys derived from this master key.

32
What is SSL ?

• Client Authentication (optional).
• The server sends a challenge to the client.
• The client authenticates itself to the server by
  returning the client's digital signature on the
  challenge, as well as its public-key certificate.

33
Tightening up EAServer Security

• AGENDA
• Security Concerns and Risks
• Security Techniques
• Using Security Means in EAServer
• Listener Configuration
• Set protection levels for components
• Protect Server Resources
• Secure Clients
• Protect Data

34
Using Security Means in EAServer

• How to deal with Certificates and keys easily ?
• Use a cryptographic module which is a loadable
  software plugin following the PKCS 11 standard
• EAServer has a PKCS 11 module
• Accessible from Security Manager
• Accessible from Netscape

35
Using Security Means in EAServer

• EAServer Security Manager

36
Using Security Means in EAServer

• Netscape Communicator

37
Using Security Means in EAServer

• Internet Explorer ...

38
Using Security Means in EAServer

• Configure Listener Properties

• Create a listener with protocol https or
  iiops
• Select a Security Profile.

39
Using Security Means in EAServer

• Configure Listener Properties (ctd)
• A security profile specifies the security
  characteristics
• Whether mutual authentication is required
• Which Cipher Suite to use for the encrypted
  connection
• Which certificate the server will send to the
  client note that the site name and the
  certificate common name must match !

40
Using Security Means in EAServer

• Security
• Profile

41
Using Security Means in EAServer

• Configure Listener Properties (ctd)
• Important ! The Listener Properties must match
  the authentication and authorization requirements
• When clients are required to send certificates
  for authentication, _mutual_auth must be
  selected.
• Relation to Authentication Service
• Precedence of Certificates over Username/Password
• Combinations

42
Using Security Means in EAServer

• Authentication for Web Applications
• Authentication is set at Web Application level
• Authentication Mechanisms supported by EAServer
  BASIC, FORM, and HTTPS Mutual Authentication
• BASIC and FORM authentication should be combined
  with encryption to protect the passwords
• In order to work effectively, you must enable an
  Authentication Mechanism for EAServer, eg. OS
  Authentication or Authentication Service

43
Using Security Means in EAServer

• Authentication for Web Applications
• Login Config Authentication Client Certificate

44
Using Security Means in EAServer

• Declarative Authorization
• J2EE Declarative Authorization is based upon
  Roles which are logical privileges
• Roles are assigned to Components to define the
  required privileges needed to access components
• Roles may be attributed to (known) Certificates
• Role Assignment to EJBs and WebResources can be
  defined during development but must be reviewed
  at deployment time.

45
Using Security Means in EAServer

• Authorization with Certificates

46
Using Security Means in EAServer

• Programmatic Authorization
• Role Service
• Alternatively, a custom Authorization Service

47
Using Security Means in EAServer

• Servlet Request Attributes
• javax.servlet.request.cipher-suite
  SSL_RSA_EXPORT_WITH_RC4_40_MD5
• javax.servlet.request.key-size 40
• javax.servlet.request.X509Certificate

48
Using Security Means in EAServer

• Authorization for Web Applications
• The Web Application Provider defines the
  Resources that have to be protected in form of
  Security Constraints
• EAServer will control each access and ensure that
  protected resources are only accessed by
  authenticated and/or authorized users

49
Using Security Means in EAServer

• Authorization for Web Applications
• Security Constraint 0, Zone 0
• Pattern /Calculate
• Role WebAgent, WebSupervisor
• Transport Guarantee Confidential
• Security Constraint 1, Zone 1
• Pattern /Calculate/Interest
• Role WebSupervisor
• Transport Guarantee Confidential

50
Using Security Means in EAServer

• Authorization for Web Applications

51
Using Security Means in EAServer

• Authorization for Web Applications

52
Using Security Means in EAServer

• Declarative Security for EJBs
• The EJB Tier must be protected as well because
  IIOP Listeners do expose them
• Permissions are granted per Method using Roles
• Roles may contain synthetic identities, eg.
  Everybody or Anonymous for unauthenticated users
• For EJB 2.0, a Bean method without role
  assignment cannot be used by any caller !

53
Using Security Means in EAServer

• Set protection levels for components
• Packages, Components, and Methods can be
  configured to have a minimum quality of
  protection that a client connection must have for
  invocation
• com.sybase.jaguar.package.qop
• com.sybase.jaguar.component.qop
• com.sybase.jaguar.method.qop

54
Using Security Means in EAServer

• Set protection levels for components (ctd)
• QOP settings may be
• syb_osauth
• syb_simple, syb_intl, syb_domestic, syb_strong
• or the _mutual_auth variant

55
Using Security Means in EAServer

• Set protection levels for components (ctd)
• Client QOP, Listener QOP, and Component QOP must
  be the same or compatible

56
Using Security Means in EAServer

• Set protection levels for components (ctd)

57
Using Security Means in EAServer

• Retrieving SSL Connection Information
• EAServer passes an object of type
  CtsSecuritySession Info to Authentication,
  Authorization and Role Services
• long getAuthenticationStatus() - SSL relevant
  fields
• AUTH_SSL_SESSION - bit 0
• AUTH_SSL_AUTHENTICATED - bit 1
• CtsSecuritySSLSessionInfo getSSLSessionInfo() -
  only when SSL is used !

58
Using Security Means in EAServer

• Retrieving SSL Connection Information (ctd)
• The SSLSessionInfo object provides access to
• the clients certificate
• the servers certificate
• SSL session properties, eg. Host, Port, Cipher
  Suite, User Data, Entrust properties
• See the Interface Repository for full
  documentation

59
Using Security Means in EAServer

• Authorization
• Take care that the Access Control Rules are
  consistent across all paths by which components
  may be accessed
• It must be avoided that a less protected Method
  or Request can circumvene a more rigorously
  protected method specified by your Security
  Policy.

60
Using Security Means in EAServer

• Clients
• Applets use the SSL infrastucture of the browser
• Java Applications, C, PowerBuilder can use
  native SSL support
• Common Prerequisite for Standalone Clients
• Jaguar Client Certificate Store, Runtime
  Libraries
• Libraries path must be in PATH
• Environment Variable JAGUAR_CLIENT_ROOT

61
Using Security Means in EAServer

• Clients
• In order to establish an SSL Connection, a couple
  of parameters must be set
• PKCS 11 Token Pin
• Quality of Protection
• Certificate Label for Mutual Authentication
• The parameters must be passed to ORB.init()
• Alternatively, user the SSLServiceProvider

62
Using Security Means in EAServer

• Securing C Clients
• char orb_args "-ORBpin", "sybase",
  "-ORBqop", "sybpks_intl_mutual_auth",
  "-ORBcertLabel", Markus_1"
• CORBAORB_var orb CORBAORB_init(6,
  orb_args, 0)
• SessionManagerManager_var manager
  SessionManagerManager_narrow(
  orb-gtstring_to_object("iiops//localhost9002"))

63
Using Security Means in EAServer

• Securing PB Clients
• String ls_init
• ls_init
•   ORBNameServiceURL'iiop//HOST9002',
  ORBqopsybpks_intl_mutual_auth, ORBpinsybase,
  ORBcertificateLabelMarkus_1
• ORB.init (ls_init)

64
Using Security Means in EAServer

• Securing Java Clients
• Properties p new Properties()
• p.put("org.omg.CORBA.ORBClass", ...CORBA.ORB")
• p.put("com.sybase.CORBA.pin", "sybase")
• p.put("com.sybase.CORBA.qop", "qop")
• p.put("com.sybase.CORBA.certificateLabel",Markus_
  1")
• ORB orb ORB.init((String)null, p)
• Manager manager ManagerHelper.narrow(
  orb.string_to_object(iiops//host9002))

65
Using Security Means in EAServer

• JNDI based Clients
• Properties props new Properties()
• props.put(Context.INITIAL_CONTEXT_FACTORY,
  "com.sybase.ejb.InitialContextFactory")
• props.put(Context.SECURITY_PRINCIPAL,
  "jagadmin")
• props.put(Context.SECURITY_CREDENTIALS, "")

66
Using Security Means in EAServer

• JNDI based Clients (ctd)
• props.put(Context.PROVIDER_URL,
  "iiops//localhost9001")
• props.put("com.sybase.ejb.pin", "sybase")
• props.put("com.sybase.ejb.qop", "sybpks_intl")
• props.put("com.sybase.ejb.certificateLabel",Marku
  s_1")
• InitialContext ic new InitialContext(props)
• CalcHome home (CalcHome)ic.lookup("Calculator")
  
• Calc calc home.create()

67
Using Security Means in EAServer

• SSLServiceProvider
• import CtsSecurity.
• SSLServiceProvider prov
• prov SSLServiceProviderHelper.narrow(
  orb.resolve_initial_references("SSLServiceProvider
  "))
• prov.setGlobalProperty("qop", "sybpks_intl")
• prov.setGlobalProperty("callbackImpl",
  "SSLCallback")

68
Using Security Means in EAServer

• SSLServiceProvider
• The callback class SSLCallback must implement
  CtsSecurity.SSLCallbackIntf
• getPin ()
• getCertificateLabel ()
• trustVerify ()
• getCredentialAttribute ()
• The ORB invokes callback methods when required
  information is missing or incorrect.

69
Using Security Means in EAServer

• Retrieving SSL Connection Information
• Clients and Components can retrieve detailed
  information on the security characteristics of a
  connection
• Client code narrows the object reference to
  CtsSecuritySesssionInfo
• A component inside the server instantiates a
  pseudo reference to CtsSecuritySesssionInfo

70
Using Security Means in EAServer

• Retrieving SSL Connection Information
• If SSL is enabled, you can get a SSLSessionInfo
  object by calling SessionInfo.getSSLSessionInfo()
• The SSLSessionInfo provides access to the client
  certificate and allows to inspect the
  characteristics of the session
• certificateLabel
• host, port
• cipherSuite, qop
• ...

71
Using Security Means in EAServer
Authentication with Certificates
External Client
Encryption
IIOPS
OS or Custom Authentication
Internal Client
IIOP

72
Security Risks the Solution
Firewall
Encryption
Authentication Authorization
73
Using Security Means in EAServer

• Solution
• Eavesdropping ? Encryption
• Data tampering ? Digital Signatures
• Masquerading ? Certificate based Authentication
• Misused Resources ? Authorization of
  authenticated Users
• Repudiation ? Certificates, Digital Signatures

74
Using Security Means in EAServer

• References
• Security Administration and Programming Guide
• Interface Repository
• WebSites of known manufacturers
• RSA Securities (extended FAQ)
• Netscape (Details about SSL)
• Verisign, Thawte

75
Summary

• Modern internet-open distributed architectures
  and eßbusiness applications have inherent
  security issues that impose appropriate
  treatment.
• Means and techniques to solve or reduce them
  considerably are
• Encryption
• Signatures
• Digital Signatures

76
E138Tightening up EAServer Security

• Markus Ohly
• Sybase European CSS
• Markus.Ohly_at_sybase.com