17 June 1998
See related Security in Tina: http://jya.com/tina-sec.htm
From: "christian masson" <interception50@hotmail.com> To: jya@pipeline.com Subject: CORBA SECURITY Date: Wed, 17 Jun 1998 02:57:44 PDT PART II CORBA SECURITY This work has been supported by the Swiss National Science Foundation as part of the Swiss Priority Programme Information and Communications Structures under project no. 5003-045364. Security is enforced using security functionality built into the system. The CORBA security (http://www.omg.org) Security spesification defines the following security functionality: . Identification and authentication of principals to verify they are who they claim to be. . Authorization and access control to decide wheter a principal can access an object. . Security auditing to make principals accountable for their security related actions. Auditing mechanisms are coupled with authentification functions in order to be able to identify the principal correctly. . Secure communication between objects, which requires the establishment of security associations between clients and target objects, and integrity and/or confidentiality protection of messages in transit between them. . Non-repudiation to provide evidence of actions such as proof of origin or receipt of data. . Administration of security information. Most of these security functions are perfomed during a secure object invocation, which is the basic notion of the specification. Each secure object invocation requires an established security association between the client and the target object. The security association is established by authentification between the client and the target, making the clint's security attributes (identity and privileges) available at the target side, and establishing the security context that will be used when protecting messages in transit between the client and the target object. The way of establishing a security association depends on the security policies that govern both the client and the target object. Associations will normally persist for many interactions. For each object invocation, the request from the client to the target object is subject to access control. Access control may take place at the client side, the target side, or both sides according to the access control policy. The access decision is based on the client's security attributes, the target's control attributes (e.g., the operation and data) and about the context (e.g., the current time). This general model enables a large variety of access control schemes, ranging from access control lists, over capabilities, to label based schemes. The scale of access control is specified, but it can be assumed that implementors will provide access control down to the granularity of operations. In many cases, objects perform operations on behlaf of the initiator, which can be a human user or a system entity, needs to delegate some or all of its privilege attributesto the intermediate objects that will act on its behalf. The CORBA Security specification is very general and enables virtually all kinds of delegation models (simple, composite, combined and trace delegation). The actual type of designation is selected according to the delegation policy either by the ORB system automatically, or by applications via well defined interfaces. Depending on the security policy, the integrity and/or confidentiality of the messages between the client and the target object may be protected, and optionally non-repudiation may be provided by cryptographic means. For the detection of actual or attempted security violations, security auditing is perfomed. Depending on the implementation, recording security relevant events may involve writing event information to a log, and/or generating an alarm. Audit policies specify which events should be audited under which circumstances. A distributed objects system may consist of a huge amount of objects with a possibly even larger amount of security associations between them. This fact raises the issue of scalability. In order to cope with the scalability problem, the notion of domains is introduced. Three types of domains with regard to security are defined by the CORBA Security specification: security policy domains, security environment domains, and security technology domains. A security policy domain is the scope over which a security policy is enforced. A security policy domain is administered by a single security authority. A security environment domain is a domain in which the enforcement of the security policy is achieved by local means (e.g., objects on the same machine). The security technology domain is a set of objects for which the same security technology (e.g. Kerberos(Neuman and Ts'o 1994)) is used to provide security. Each security domain contains a domain manager object that references the valid security policy objects for that domain. A security policy object (e.g., access control, delegation, secure invocation, or audit policy), which is defined and managed by the security administrator of the domain. Upon the creation of an object, the ORB implicitly associates the object with one or more security domains according to the construction policy (the objects can be moved between domains later on) and then transparently enforces the security policies of those domains. In this way, security is provided to all applications, even to those that are unaware of it. Additional security measures may be enforced by the applications themselves. This may be done by additional enforcement of administrator defined policies, and/or direct use of security features (e.g., non-repudiation) via application interfaces. The security measures enforced by the applications cannot override the security policies defined by the administrator. The rationale behind these two levels of security is the fact that in the general case, application developers cannot be expected to be aware of all the threats to which the system will be subject, and to put the right contermeasures in place. On the other hand, there are mission critical applications that require the application programmer to have more control over security. The security functionality described above is provided by ORB Security services that may rely on some underlying security technology, which itself may use operating system machanisms and additional security hardware. During secure object invocations, the ORB intercepts the requests and replies between the client and the target object and calls the appropriate security services. Some of the security services can be invoked by the applications directly, to enforce their own security preferences. An important aspect of this architecture is that the components that implement the security services are independent of any specific security technology. The spefification allows the use of an isolating interface (e.g., GSS-API(IETF 1993)) between this level and the security technology, allowing different security technologies to be accomodated within the architecture, such as technologies based on operating system protection mechanisms, existing security components (e.g., cryptographic libraries), or a set of distributed security services. The specification of secure interoperability between different CORBA implementations extends the CORBA 2.0 standard. A new protocol, the Secure Inter-ORB Protocol (SECIOP) is specified, which enables secure interactions of clients and target objects that reside on different ORBs, as long as the same security technology is used on both sides. The information, which security technology an object supports is part of the interoperable object reference (IOR). Based on the information in the IOR, a security context acceptable for both sides can be established. The establishment of the security association and the protection of messages are controlled by security tokens that are added to the inter-ORB protocols. Key management is not explicitly dealt with in the CORBA Security specification. The Common Secure Interoperability document (OMG 1996) specifies the use of the protocols of three security technologies within SECIOP, namely SPKM, Kerberos, and the ECMA security protocol. If the interoperability between the ORBs is based on DCE (OSF 1992), then the DCE security technology (X/Open 1994) based on the Kerberos protocols can also be used. A recent addendum (OMG 1997) allows also the Secure Socket Layer (SSL) (Netscape 1996 http://home.netscape.com/assist/security/ssl/) to be the basis of inter-ORB security. AUAP Access Related User Application SUAP Service Related User Application PA Provider Agent IA Initial Agent UA User Agent SF Service Factory USM User Session Manager SSM Service Session Manager CSM Communication Session Manager CPE Costumer Premises Equipment TCSM Terminal Communication Session Manager KTN Kernel Transport Network ODL Object Description Language NCCE Native Computing and Communications Environment ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com