Title: E138 Tightening up EAServer Security
1 E138 Tightening up EAServer Security
- Markus Ohly
- Sybase European CSS
- Markus.Ohly_at_sybase.com
2 Tightening up EAServer Security
- AGENDA
- Security Concerns and Risks
- Security Techniques
- Applying Security Techniques to EAServer
3 Tightening up EAServer Security
- AGENDA
- Security Concerns and Risks
- Introduction
- Fighting against Risks and Dangers
- Security Techniques
- Applying Security Techniques to EAServer
4 Security Concerns and Risks
5 Security Concerns and Risks
- Disclosure of confidential information (Eavesdropping)
- Modification, deletion or reuse of data (Data tampering)
- Misuse of protected resources
- Misuse that compromises availability
- Masquerading, misrepresentation and repudiation
- A sender claims that he did not send a message
- Replay of original messages
- Compromised privacy, integrity and accountability
6 Security Concerns and Risks
- Fighting against Risks and Dangers
- Your company is in danger when computing resources fail, are unavailable or are compromised.
- Not all of the threats can be eliminated easily (if at all)
- Reduce exposure to an acceptable level
- Use security means
7 Security Concerns and Risks
- Fighting against Risks and Dangers
- Authentication
- Mechanism by which callers and servers prove to one another that they are acting on behalf of specific users
- A component acting as an intermediary in a call chain may either impersonate the originating user or act under its own identity
- Normally, authentication builds the basis for authorization
8 Security Concerns and Risks
- Fighting against Risks and Dangers
- Authorization
- Authorization mechanisms limit the usage of resources to users, groups or systems for the purpose of enforcing integrity, confidentiality or availability constraints.
- Protected resources are distinguished by the presence of authorization rules that grant access only to authenticated caller identities
9 Security Concerns and Risks
- Fighting against Risks and Dangers
- Network Architecture
- Firewalls
- DMZs
- Proxies
- Auditing
- Public Key Cryptography
- Encryption
- Digital Signatures
10 Tightening up EAServer Security
- AGENDA
- Security Concerns and Risks
- Security Techniques
- What is Encryption ?
- What are Certificates ?
- What are Digital Signatures ?
- What is SSL ?
- Applying Security Techniques to EAServer
11 What is Encryption ?
- A mathematical discipline for scrambling data so that it stays unreadable to outside eyes; applied correctly it provides a high level of confidentiality
- Two major types of cryptographic algorithms exist
- Symmetric encryption (secret key cryptography)
- Asymmetric encryption (public key cryptography)
12 What is Encryption ?
13 What is Encryption ?
- Secret Key Cryptography
- Algorithms: DES, Triple-DES, RC2, RC4, RC5 (DES and RC4 are considered broken today; AES is the current choice, and the key exchange problem below applies to it just the same)
- Advantage: fast and efficient
- Problem: key exchange
- The keys must be shared by both end points
- How to keep the shared key secret ?
14 What is Encryption ?
- Public Key Cryptography
- Solution to the key exchange problem
- Diffie, Hellman (1976)
- Rivest, Shamir, Adleman (1978)
- Public key encryption is based upon a key pair: a public key and a private key
- It is computationally infeasible to compute the private key from the known public key
15 What is Encryption ?
- Public Key Cryptography
- Public and private keys are inverses of each other and can be applied in both directions
- Encryption equation
- D(private, E(public, m)) = m
- Authenticity equation
- D(public, E(private, m)) = m
16 What is Encryption ?
17 What is Encryption ?
- Public Key Cryptography
- D(private, E(public, m)) = m (Encryption Equation)
- Everyone can send secret messages to a person using the public key of the addressee
- Arbitrary individuals cannot decrypt messages encrypted with a public key because they do not know and cannot compute the private key
- Only a person holding the matching private key can decrypt the message
18 What is Encryption ?
- Public Key Cryptography
- Advantage: no secret key exchange, only public keys are exchanged
- Disadvantages
- CPU intensive (roughly a factor of 100 slower than DES in software)
- Performance hit on a busy site with lots of connections
- Known algorithms: RSA (Rivest, Shamir, Adleman)
19 What are Digital Signatures ?
- Authenticity Equation
- D(public, E(private, m)) = m
- Using the private key for encryption can only be done by the key owner
- Everybody can read the message, but nobody is able to change it without the signature check failing
- Messages with valid digital signatures are authentic
20 What are Digital Signatures ?
- How to digitally sign a document ?
- Compute a message digest of fixed length by applying a hash function to the document
- Authenticate the message digest, that is, encrypt the message digest with your private key
- How to verify a digital signature ?
- Apply the hash function to the received text
- Decrypt the provided digest using the public key
- Authenticity is proved if both results match
21 What are Digital Signatures ?
- Hash Functions
- A hash function is an efficient transformation of an arbitrary message to a hash value of fixed length
- The hash value is much smaller than the original input
- Additionally, it is difficult to reverse a hash function (hash functions are one way)
- Collision freeness: it is very difficult to find two messages resulting in the same hash value
- Examples: MD5, SHA (MD5 and SHA-1 are no longer collision resistant; use SHA-2 or later for new signatures)
22 What are Digital Signatures ?
23 What are Digital Signatures ?
24 What are Certificates ?
- How to assure that keys and entities match ?
- We demand certification !
- Certificates give us the guarantee that the mentioned entity and the public key do in fact belong together; they bind the identity of a person to his public key.
- The pair of identity and public key is digitally signed
- Certificates are issued by Certificate Authorities after a rigorous check
- Trust in the certificate is implied by trust in the Certificate Authority.
25 What are Certificates ?
[Figure: the server holds the server's private key and the CA's public key; the client holds the client's private key and the CA's public key; both sides exchange digitally signed certificates]
26 What are Certificates ?
- Non-Repudiation
- The holder of a certificate can neither deny having signed a message nor refuse the commitments made in it when he digitally signed it with the private key corresponding to the public key in his certificate
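The sign/verify procedure of slides 19 to 21 and the certificate check of slides 24 to 26, carried through in runnable form. This is an added example, not code from the slides or from EAServer; Python is used because the point is the protocol logic, not a particular client binding. It uses textbook RSA with toy key sizes and no padding so that the two equations D(private, E(public, m)) = m and D(public, E(private, m)) = m are visible directly; that is a demonstration only, real signatures use RSA-PSS or ECDSA from a vetted library. Subject names and the message are constructed for the example.

```python
"""Digital signatures and a minimal certificate, worked end to end (added example;
not code from the slides or from EAServer). Textbook RSA with toy key sizes and no
padding, so the two equations of the slides are visible directly; never use this in
production (use RSA-PSS or ECDSA from a vetted library). Names and message are
constructed for the example."""
import hashlib
import json
import random

E = 65537  # public exponent (prime, so gcd(E, phi) == 1 iff E does not divide phi)

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, seed=None):
    """Return (public, private) as (n, e), (n, d); deterministic for a given seed."""
    rng = random.Random(seed)
    while True:
        p, q = _prime(bits // 2, rng), _prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            return (p * q, E), (p * q, pow(E, -1, phi))

def encrypt(public, m):  # E(public, m)
    return pow(m, public[1], public[0])

def decrypt(private, c):  # D(private, c): D(private, E(public, m)) == m
    return pow(c, private[1], private[0])

def digest(message):
    """Fixed-length message digest as an integer (SHA-256; always smaller than n here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message):
    """Authenticity equation: the digest 'encrypted' with the private key."""
    return pow(digest(message), private[1], private[0])

def verify(public, message, signature):
    """Hash the received text, 'decrypt' the signature with the public key, compare."""
    n, e = public
    return 0 < signature < n and pow(signature, e, n) == digest(message)

def _to_be_signed(subject, public):
    """Canonical bytes binding an identity to its public key."""
    return json.dumps({"subject": subject, "n": public[0], "e": public[1]}, sort_keys=True).encode()

def issue_certificate(ca_private, subject, public):
    """The CA signs the (identity, public key) pair after checking the applicant."""
    return {"subject": subject, "public": public,
            "signature": sign(ca_private, _to_be_signed(subject, public))}

def verify_certificate(cert, ca_public, expected_subject):
    """Trust in the CA key implies trust in the cert; the site name must match the certified name."""
    return cert["subject"] == expected_subject and verify(
        ca_public, _to_be_signed(cert["subject"], cert["public"]), cert["signature"])

def verify_signed_message(cert, ca_public, expected_subject, message, signature):
    """Client side: validate the certificate, then the message signature with the certified key."""
    return verify_certificate(cert, ca_public, expected_subject) and verify(cert["public"], message, signature)

def demo():
    """Genuine, tampered, mis-named and wrongly-issued cases; returns the decisions."""
    ca_pub, ca_priv = generate_keypair(seed=1)
    srv_pub, srv_priv = generate_keypair(seed=2)
    cert = issue_certificate(ca_priv, "www.example.com", srv_pub)
    rogue = issue_certificate(srv_priv, "www.example.com", srv_pub)  # not signed by the trusted CA
    msg = b"transfer 100 EUR to account 42"
    sig = sign(srv_priv, msg)
    return {
        "genuine": verify_signed_message(cert, ca_pub, "www.example.com", msg, sig),
        "tampered": verify_signed_message(cert, ca_pub, "www.example.com", b"transfer 900 EUR to account 42", sig),
        "wrong_site": verify_signed_message(cert, ca_pub, "www.other.example", msg, sig),
        "untrusted_issuer": verify_signed_message(rogue, ca_pub, "www.example.com", msg, sig),
        "roundtrip": decrypt(srv_priv, encrypt(srv_pub, 12345)) == 12345,
    }
```

`demo()` returns `genuine` and `roundtrip` as `True` and the three failure cases as `False`. The `wrong_site` case is the "site name and certificate common name must match" rule from the listener slides; the `untrusted_issuer` case is why a self-issued certificate does not help an attacker who controls a server key but not the CA key.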
27 What is SSL ?
- The Secure Sockets Layer (SSL) protocol maintains security, privacy and integrity of the transmission channel by using encryption, authentication and message authentication codes.
- The SSL protocol is able to negotiate encryption keys as well as authenticate the server before data is exchanged by the higher-level application.
- It allows applications to communicate in a way that is designed to prevent eavesdropping, tampering or message forgery.
- Developed by Netscape (SSL 2.0 in 1995, SSL 3.0 in 1996)
28 What is SSL ?
- SSL is application protocol independent. A higher level protocol can layer on top of the SSL protocol transparently.
- Application protocol traffic is embedded into SSL and encrypted during transfer
- IIOP + SSL = IIOPS
- HTTP + SSL = HTTPS
29 What is SSL ?
30 What is SSL ?
- The SSL Handshake Protocol consists of two phases.
- During the handshaking process, public-key encryption is used.
- After the exchange of keys, one of a number of symmetric ciphers is used, e.g. RC2, RC4, IDEA, DES and Triple-DES
- The MD5 message-digest algorithm is used (SSL 3.0 also uses SHA-1).
- The public-key certificates follow the X.509 syntax
31 What is SSL ?
- Server Authentication
- The server, in response to a client's request, sends its certificate and its cipher preferences.
- The client generates a master key, encrypts it with the server's public key and sends the result to the server
- The server recovers the master key (only the holder of the matching private key can) and authenticates itself to the client by returning a message authenticated with a key derived from the master key
- Subsequent data is encrypted and authenticated with keys derived from this master key.
32 What is SSL ?
- Client Authentication (optional)
- The server sends a challenge to the client.
- The client authenticates itself to the server by returning its digital signature on the challenge, together with its public-key certificate.
33 Tightening up EAServer Security
- AGENDA
- Security Concerns and Risks
- Security Techniques
- Using Security Means in EAServer
- Listener Configuration
- Set protection levels for components
- Protect Server Resources
- Secure Clients
- Protect Data
34 Using Security Means in EAServer
- How to deal with certificates and keys easily ?
- Use a cryptographic module, a loadable software plugin following the PKCS #11 standard
- EAServer has a PKCS #11 module
- Accessible from Security Manager
- Accessible from Netscape
35 Using Security Means in EAServer
- EAServer Security Manager
36 Using Security Means in EAServer
37 Using Security Means in EAServer
38 Using Security Means in EAServer
- Configure Listener Properties
- Create a listener with protocol https or iiops
- Select a Security Profile.
39 Using Security Means in EAServer
- Configure Listener Properties (ctd)
- A security profile specifies the security characteristics
- Whether mutual authentication is required
- Which cipher suite to use for the encrypted connection
- Which certificate the server will send to the client; note that the site name and the certificate common name must match !
40 Using Security Means in EAServer
41 Using Security Means in EAServer
- Configure Listener Properties (ctd)
- Important ! The listener properties must match the authentication and authorization requirements
- When clients are required to send certificates for authentication, a _mutual_auth profile must be selected.
- Relation to the Authentication Service
- Precedence of certificates over username/password
- Combinations
42 Using Security Means in EAServer
- Authentication for Web Applications
- Authentication is set at web application level
- Authentication mechanisms supported by EAServer: BASIC, FORM and HTTPS mutual authentication
- BASIC and FORM authentication should be combined with encryption to protect the passwords
- In order to work effectively, you must enable an authentication mechanism for EAServer, e.g. OS authentication or an Authentication Service
43 Using Security Means in EAServer
- Authentication for Web Applications
- Login Config: Authentication = Client Certificate
44 Using Security Means in EAServer
- Declarative Authorization
- J2EE declarative authorization is based upon roles, which are logical privileges
- Roles are assigned to components to define the privileges required to access them
- Roles may be attributed to (known) certificates
- Role assignment to EJBs and web resources can be defined during development but must be reviewed at deployment time.
45 Using Security Means in EAServer
- Authorization with Certificates
46 Using Security Means in EAServer
- Programmatic Authorization
- Role Service
- Alternatively, a custom Authorization Service
47 Using Security Means in EAServer
- Servlet Request Attributes
- javax.servlet.request.cipher-suite = SSL_RSA_EXPORT_WITH_RC4_40_MD5
- javax.servlet.request.key-size = 40
- javax.servlet.request.X509Certificate
- (A 40-bit export suite like the one shown offers no real confidentiality today; configure the listener's security profile so that such values never appear.)
48 Using Security Means in EAServer
- Authorization for Web Applications
- The web application provider defines the resources that have to be protected in the form of security constraints
- EAServer will control each access and ensure that protected resources are only accessed by authenticated and/or authorized users
49 Using Security Means in EAServer
- Authorization for Web Applications
- Security Constraint 0, Zone 0
- Pattern: /Calculate
- Roles: WebAgent, WebSupervisor
- Transport Guarantee: Confidential
- Security Constraint 1, Zone 1
- Pattern: /Calculate/Interest
- Role: WebSupervisor
- Transport Guarantee: Confidential
50 Using Security Means in EAServer
- Authorization for Web Applications
51 Using Security Means in EAServer
- Authorization for Web Applications
52 Using Security Means in EAServer
- Declarative Security for EJBs
- The EJB tier must be protected as well, because IIOP listeners expose it directly
- Permissions are granted per method using roles
- Roles may contain synthetic identities, e.g. Everybody or Anonymous for unauthenticated users
- For EJB 2.0, a bean method without role assignment cannot be used by any caller !
53 Using Security Means in EAServer
- Set protection levels for components
- Packages, components and methods can be configured to have a minimum quality of protection (QOP) that a client connection must have for invocation
- com.sybase.jaguar.package.qop
- com.sybase.jaguar.component.qop
- com.sybase.jaguar.method.qop
54 Using Security Means in EAServer
- Set protection levels for components (ctd)
- QOP settings may be
- syb_osauth
- syb_simple, syb_intl, syb_domestic, syb_strong
- or the _mutual_auth variant of each
55 Using Security Means in EAServer
- Set protection levels for components (ctd)
- Client QOP, listener QOP and component QOP must be the same or compatible
56 Using Security Means in EAServer
- Set protection levels for components (ctd)
- Retrieving SSL Connection Information
- EAServer passes an object of type
CtsSecuritySession Info to Authentication,
Authorization and Role Services - long getAuthenticationStatus() - SSL relevant
fields - AUTH_SSL_SESSION - bit 0
- AUTH_SSL_AUTHENTICATED - bit 1
- CtsSecuritySSLSessionInfo getSSLSessionInfo() -
only when SSL is used !
58 Using Security Means in EAServer
- Retrieving SSL Connection Information (ctd)
- The SSLSessionInfo object provides access to
- the client's certificate
- the server's certificate
- SSL session properties, e.g. host, port, cipher suite, user data, Entrust properties
- See the Interface Repository for full documentation
59 Using Security Means in EAServer
- Authorization
- Take care that the access control rules are consistent across all paths by which components may be accessed
- It must be avoided that a less protected method or request can circumvent a more rigorously protected method specified by your security policy.
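The security constraints of slides 48 and 49 evaluated for sample requests, plus an audit for the "less protected path" problem this slide warns about. This is an added example, not EAServer's own constraint matcher; the matching semantics are an assumption of the example (servlet-style URL patterns: exact `/a/b`, prefix `/a/*`, extension `*.ext`, with the most specific matching pattern governing a request). `POLICY` is the pair of constraints as shown on slide 49, `HARDENED` is the same intent written with prefix patterns; the alternative spellings generated by `unprotected_variants` are candidates to test against the real container, not proven bypasses, because whether they reach the same resource is container-specific.

```python
"""Security constraints of the Calculate example, evaluated and audited for
paths that fall under weaker rules (added example; not EAServer's matcher).
Assumed semantics: servlet URL patterns (exact "/a/b", prefix "/a/*",
extension "*.ext"); the most specific matching pattern governs a request."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    pattern: str
    roles: frozenset         # roles granted access; empty means nobody
    transport: str = "NONE"  # "NONE" or "CONFIDENTIAL"


# Constraints 0 and 1 of slide 49, with the exact patterns shown there.
POLICY = [
    Constraint("/Calculate", frozenset({"WebAgent", "WebSupervisor"}), "CONFIDENTIAL"),
    Constraint("/Calculate/Interest", frozenset({"WebSupervisor"}), "CONFIDENTIAL"),
]
# Same intent with prefix patterns, so sub-paths inherit the stricter rule.
HARDENED = [
    Constraint("/Calculate/*", frozenset({"WebAgent", "WebSupervisor"}), "CONFIDENTIAL"),
    Constraint("/Calculate/Interest/*", frozenset({"WebSupervisor"}), "CONFIDENTIAL"),
]


def _matches(pattern, path):
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def _specificity(c):
    if c.pattern.endswith("/*"):
        return (2, len(c.pattern))
    return (1, 0) if c.pattern.startswith("*.") else (3, len(c.pattern))


def applicable(policy, path):
    """The constraint governing `path`, or None when the path is unconstrained."""
    hits = [c for c in policy if _matches(c.pattern, path)]
    return max(hits, key=_specificity) if hits else None


def authorize(policy, path, user_roles, secure):
    """(decision, reason) for a request carrying `user_roles` over an SSL (secure=True) or plain listener."""
    c = applicable(policy, path)
    if c is None:
        return ("allow", "unconstrained")
    if c.transport == "CONFIDENTIAL" and not secure:
        return ("deny", "transport guarantee not met")
    if not (frozenset(user_roles) & c.roles):
        return ("deny", "role")
    return ("allow", c.pattern)


def _weaker(actual, reference):
    """True if `actual` (None = no constraint) protects less than `reference`."""
    if actual is None:
        return True
    return not actual.roles <= reference.roles or (
        reference.transport == "CONFIDENTIAL" and actual.transport != "CONFIDENTIAL")


def unprotected_variants(policy, path):
    """Spellings of `path` a client could send that land under a weaker constraint.
    Whether the container maps them to the same resource is container-specific, so
    each returned entry is a case to test against the real server, not a proven bypass."""
    ref = applicable(policy, path)
    head, _, last = path.rpartition("/")
    variants = [
        path + "/",                                             # trailing slash
        head + "//" + last,                                     # doubled separator
        head + "/%" + format(ord(last[0]), "02X") + last[1:],   # percent-encoded first byte
        path + ";x=1",                                          # path parameter
    ]
    return [v for v in variants if _weaker(applicable(policy, v), ref)]
```

With `POLICY`, `/Calculate/Interest/` (trailing slash) matches neither exact pattern and is served unconstrained, over plain HTTP, to an unauthenticated caller: the circumvention the slide describes. With `HARDENED` that variant falls under the WebSupervisor rule; the remaining variants still resolve to the broader `/Calculate/*` rule, so the audit keeps flagging them until the container's URL normalisation has been tested for each.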
60 Using Security Means in EAServer
- Clients
- Applets use the SSL infrastructure of the browser
- Java applications, C and PowerBuilder clients can use native SSL support
- Common prerequisites for standalone clients
- Jaguar client certificate store, runtime libraries
- Library path must be in PATH
- Environment variable JAGUAR_CLIENT_ROOT
61 Using Security Means in EAServer
- Clients
- In order to establish an SSL connection, a couple of parameters must be set
- PKCS #11 token PIN
- Quality of Protection
- Certificate label for mutual authentication
- The parameters must be passed to ORB.init()
- Alternatively, use the SSLServiceProvider
62 Using Security Means in EAServer
- Securing C Clients (C++ CORBA bindings)
- // PKCS #11 token PIN, QOP and, for mutual authentication, the label of the client certificate
- char* orb_args[] = { "-ORBpin", "sybase", "-ORBqop", "sybpks_intl_mutual_auth", "-ORBcertLabel", "Markus_1" };
- int argc = 6;
- CORBA::ORB_var orb = CORBA::ORB_init(argc, orb_args, 0);
- SessionManager::Manager_var manager = SessionManager::Manager::_narrow(orb->string_to_object("iiops://localhost:9002"));
63 Using Security Means in EAServer
- Securing PB Clients
- String ls_init
- ls_init = "ORBNameServiceURL='iiop://HOST:9002', ORBqop='sybpks_intl_mutual_auth', ORBpin='sybase', ORBcertificateLabel='Markus_1'"
- ORB.init(ls_init)
64 Using Security Means in EAServer
- Securing Java Clients
- import java.util.Properties;
- import org.omg.CORBA.ORB;
- import SessionManager.Manager;
- import SessionManager.ManagerHelper;
- Properties p = new Properties();
- p.put("org.omg.CORBA.ORBClass", "...CORBA.ORB");   // ORB class name is truncated on the original slide
- p.put("com.sybase.CORBA.pin", "sybase");           // PKCS #11 token PIN; "sybase" is the installation default and must be changed
- p.put("com.sybase.CORBA.qop", "qop");              // placeholder on the original slide; use a QOP name such as sybpks_intl_mutual_auth
- p.put("com.sybase.CORBA.certificateLabel", "Markus_1");
- ORB orb = ORB.init((String) null, p);
- Manager manager = ManagerHelper.narrow(orb.string_to_object("iiops://host:9002"));
65 Using Security Means in EAServer
- JNDI based Clients
- import java.util.Properties;
- import javax.naming.Context;
- import javax.naming.InitialContext;
- Properties props = new Properties();
- props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sybase.ejb.InitialContextFactory");
- props.put(Context.SECURITY_PRINCIPAL, "jagadmin");
- props.put(Context.SECURITY_CREDENTIALS, "");   // an empty jagadmin password is the installation default; set one before going live
66 Using Security Means in EAServer
- JNDI based Clients (ctd)
- props.put(Context.PROVIDER_URL, "iiops://localhost:9001");
- props.put("com.sybase.ejb.pin", "sybase");
- props.put("com.sybase.ejb.qop", "sybpks_intl");
- props.put("com.sybase.ejb.certificateLabel", "Markus_1");
- InitialContext ic = new InitialContext(props);
- CalcHome home = (CalcHome) ic.lookup("Calculator");
- Calc calc = home.create();
67 Using Security Means in EAServer
- SSLServiceProvider
- import CtsSecurity.*;
- SSLServiceProvider prov;
- prov = SSLServiceProviderHelper.narrow(orb.resolve_initial_references("SSLServiceProvider"));
- prov.setGlobalProperty("qop", "sybpks_intl");
- prov.setGlobalProperty("callbackImpl", "SSLCallback");
68 Using Security Means in EAServer
- SSLServiceProvider
- The callback class SSLCallback must implement CtsSecurity.SSLCallbackIntf
- getPin()
- getCertificateLabel()
- trustVerify()
- getCredentialAttribute()
- The ORB invokes the callback methods when required information is missing or incorrect.
69 Using Security Means in EAServer
- Retrieving SSL Connection Information
- Clients and components can retrieve detailed information on the security characteristics of a connection
- Client code narrows the object reference to CtsSecurity::SessionInfo
- A component inside the server instantiates a pseudo reference to CtsSecurity::SessionInfo
70 Using Security Means in EAServer
- Retrieving SSL Connection Information
- If SSL is enabled, you can get an SSLSessionInfo object by calling SessionInfo.getSSLSessionInfo()
- The SSLSessionInfo provides access to the client certificate and allows inspection of the characteristics of the session
- certificateLabel
- host, port
- cipherSuite, qop
- ...
71 Using Security Means in EAServer
[Figure: Authentication with Certificates. External clients connect over IIOPS (encryption, certificate-based authentication); internal clients connect over plain IIOP with OS or custom authentication]
72 Security Risks: the Solution
[Figure: Firewall, Encryption, Authentication, Authorization]
73 Using Security Means in EAServer
- Solution
- Eavesdropping -> Encryption
- Data tampering -> Digital Signatures
- Masquerading -> Certificate-based Authentication
- Misused resources -> Authorization of authenticated users
- Repudiation -> Certificates, Digital Signatures
74 Using Security Means in EAServer
- References
- Security Administration and Programming Guide
- Interface Repository
- Web sites of known manufacturers
- RSA Security (extended FAQ)
- Netscape (details about SSL)
- VeriSign, Thawte
75 Summary
- Modern internet-open distributed architectures and e-business applications have inherent security issues that require appropriate treatment.
- Means and techniques to solve or considerably reduce them are
- Encryption
- Digital Signatures