DCOM Explained
by Rosemary Rock-Evans Digital Press ISBN: 1555582168 Pub Date: 09/01/98 |
Previous | Table of Contents | Next |
Authorization
Most authorization is implemented in practice using Access Control Lists (ACLs). But Access Control Lists can differ quite markedly in their levels of sophisticationfrom exceptionally weak to pretty near foolproof.
We saw in the section on policy that the security administrator sets policy by stating:
Ideally, and at its best, the Access Control List should be able to record every one of the criteria and rules stated in the policy, and the Access Control service should moreover be able to check all these things too. Authentication establishes the identity of the user and is the key entry point to an Access Control List. Each user will have a whole list of allowed accesses he or she is allowed to perform.
When a user requests a service, for example, the Authentication service will first check the identity of the user. Once this has been established, the Access Control Service should take over using the authenticated identity as the key (more than one key may be permissible here to cater for multiple identities). Access Control services should not only check that the user is allowed to request the service but should check that the user is accessing the service from the right location, from the designated machine, is accessing the service on the machine he or she is allowed to, and at the times of the day he or she is allowed access.
It has to be said that most middleware productsmost security products for that matterfall very far short of this ideal. Some are very poor and only check the service itselfno times of day, no machine restrictionsnothing else at all. Some are a little better with times and machines allowed, but overall, dont expect too much from any of the productssomething I feel needs to be urgently addressed.
Access Control Lists must be secure files subject to Access Control (it must be a secure file as there is no point in having it). The contents of the file are set up manually by the administrator using the security policy document. This file can be a:
As we saw with the user/password approach, the first option, especially if it uses replication, is probably the best solution, as it saves the administrator effort and is more easy to keep secure.
One further means of implementing authorization rules is to issue the policy rules with Digital Certificates. Policies recorded in this way are called Digital Certificate Privileges. Clearly, for this to work well, the policy rules must be exceptionally stable, and the user themselves should not be able to gain access to the rules. I feel that this is actually a less satisfactory solution altogether, requiring far more administrative work and liable to error. I wont therefore be covering it further.
Encryption
We saw that there were essentially two methods of encryptionpublic and secret key.
Public-Public key encryption is based on the Digital Certificates we saw in the previous section. Where a message from one process to another is to be encrypted, however, the sender uses the public key of the recipient to encrypt the message. By doing this only the recipient is able to decrypt the message as only the recipient has the private key. The sender first gets the public key of the recipient from the Directory of public keys. The public key is then used by the sender to encrypt the message. It is then sent and decrypted by the recipient using its private key.
But how can the person sending the message be sure that the public key they are about to use is really that of the recipient? If they use the wrong keyare fooled into thinking another key is the public keythey could encrypt the message and it is then diverted by the interloper and decrypted with his private key.
The key is in the way the Directory sends the public key to the sender. The sender applies to the Trusted Third Party/Digital Certificate Authority and requests the public key of the recipient, using some identifier of the recipient. The Digital Certificate Authority encrypts the public key with its own private key. The sender has a permanent record of the public key of the Digital Certificate Authority and can then decrypt the message and extract the public key of the recipient.
What does this actually achieve? By doing this, the message could only have come from the Digital Certificate Authority, as only the Digital Certificate Authority has the private key to encrypt the message, so the sender can be confident that an interloper has not butted into the conversation and substituted some other public key for the recipients. In essence, the sender can be confident that only the intended recipient can read the message.
These messages containing the public key of some process encrypted using the DCAs private key are known as Public Key Certificates. Public key encryption is an especially useful form of encryption method because it can be used over the Internet as long as the Directory of public keys is accessible to the sender. It means that any user, wherever they are located, can encrypt a message before it is sent across the line without having to prestore any encryption routines on the machine he or she is using.
Previous | Table of Contents | Next |