DCOM Explained
by Rosemary Rock-Evans
Digital Press
ISBN: 1555582168   Pub Date: 09/01/98

The Functions of Protection

To decide which mechanisms we should use to protect ourselves, we need to take a first step and decide which services or functions we need. There are six main functions used to protect the distributed application from the risks I have described.

  Authorization
  Authentication
  Privacy
  Integrity checking
  Nonrepudiation
  Audit

Two further services do exist—the guaranteed delivery service we described earlier in the chapter on MSMQ and the error reporting services we looked at in an earlier chapter on Communication services. I will add a small note on these to show how they are relevant to the security area.

Authentication-This mechanism ensures that the process or user requesting access to a system is the process/user it claims to be. Authentication is thus a test of “proof of identity,” a particularly difficult service to implement in distributed applications—especially if they also operate across the Internet. The principals in a transaction must be able to prove who they are, whether they are outside or inside the organization. Ideally, authentication should be bilateral—the client should know who the server is and the server must know the client.

Theoretically, the user should be authenticated each time a new message is sent from that same user, but in practice, once the process has been authenticated, most authentication services issue the user or process with a code or “ticket” that can be used for the duration of processing. The ticket is “attached” to the messages within the conversation so that authentication does not have to be repeated over and over again. This “ticket” has a lifetime, to prevent other users from attaching themselves to the network on the same ticket.
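The ticket mechanism described above, as an added illustration that is not code from the book: the authentication service binds the principal, an expiry time and a nonce together with an HMAC, and a ticket is rejected when its tag does not verify or its lifetime has elapsed. The key, the five-minute lifetime and the field layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret: it stays with the authentication service.
TICKET_KEY = secrets.token_bytes(32)
TICKET_LIFETIME_SECONDS = 300  # assumed lifetime for the example


def issue_ticket(principal: str, now: float, key: bytes = TICKET_KEY) -> str:
    """Issue a ticket after the principal has proved its identity.

    Principal, expiry and nonce are bound by an HMAC, so no field can be
    altered without the authentication service's key.
    """
    expires = int(now) + TICKET_LIFETIME_SECONDS
    nonce = secrets.token_hex(8)
    body = f"{principal}|{expires}|{nonce}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def check_ticket(ticket: str, now: float, key: bytes = TICKET_KEY) -> Optional[str]:
    """Return the principal named by an acceptable ticket, else None.

    Rejects forged or altered tickets (tag mismatch) and tickets whose
    lifetime has passed, so an old ticket cannot be reused indefinitely.
    """
    try:
        principal, expires, nonce, tag = ticket.split("|")
    except ValueError:
        return None  # malformed ticket
    body = f"{principal}|{expires}|{nonce}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered
    if now >= int(expires):
        return None  # lifetime elapsed
    return principal


if __name__ == "__main__":
    t0 = time.time()
    ticket = issue_ticket("alice", t0)
    print(check_ticket(ticket, t0 + 10))   # accepted within lifetime
    print(check_ticket(ticket, t0 + 600))  # rejected after lifetime
```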

Authorization-This service ensures that the user or process, once it has proved it is authentic, is allowed to request the specific service or resource it has asked for. Thus, authorization establishes whether an authenticated principal is entitled to use a service (application) or access defined information.

Privacy-This service aims to protect the confidentiality of data en route or on file. The way this is achieved in practice is by using encryption. Encryption is a way of encoding data that makes it unintelligible to any casual browser of the system using normal tools. The data is encrypted and decrypted by special purpose secure routines. Encryption methods include:

  symmetric or secret key encryption-Where a single secret key is used to encrypt and decrypt a message.
  asymmetric or public key encryption-Where one key is used to encrypt a message and a different but related key is used to decrypt it. Two keys are used—the public and private key. The keys are mathematically related so that something encrypted with one can only be decrypted by the other.

Integrity checking-Where a message has to be divided into blocks for transmission, or even when only one block is sent, a check is needed to ensure the information has not been changed in transmission. It is important to understand that network software does not necessarily do this for you (it does depend on the network software). Since distributed applications are designed to run across many network protocols, the developer has to assume the worst—that at least one of the network software products being used won’t do integrity checking.
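Integrity checking on a message divided into blocks, as an added example (not from the book): each block carries an HMAC over its sequence number, the block count and its data, so that an altered, reordered or dropped block is detected on receipt. The block size, the key and the header layout are assumptions for the example.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

BLOCK_SIZE = 16  # assumed block size for the demonstration

Block = Tuple[int, int, bytes, bytes]  # (seq, total, data, tag)


def send_blocks(message: bytes, key: bytes) -> List[Block]:
    """Split a message into blocks and tag each with an HMAC.

    The tag covers the block number and the total count as well as the
    data, so altering, reordering or truncating blocks shows up later.
    """
    chunks = [message[i:i + BLOCK_SIZE]
              for i in range(0, len(message), BLOCK_SIZE)] or [b""]
    total = len(chunks)
    out: List[Block] = []
    for seq, data in enumerate(chunks):
        header = f"{seq}/{total}:".encode()
        tag = hmac.new(key, header + data, hashlib.sha256).digest()
        out.append((seq, total, data, tag))
    return out


def receive_blocks(blocks: List[Block], key: bytes) -> Optional[bytes]:
    """Reassemble the message, or return None if any check fails."""
    if not blocks:
        return None
    total = blocks[0][1]
    if len(blocks) != total:
        return None  # a block was dropped or duplicated
    parts = []
    for expected_seq, (seq, blk_total, data, tag) in enumerate(blocks):
        if seq != expected_seq or blk_total != total:
            return None  # reordered, or mixed in from another message
        header = f"{seq}/{total}:".encode()
        good = hmac.new(key, header + data, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return None  # contents altered in transit
        parts.append(data)
    return b"".join(parts)
```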

Nonrepudiation-Works at the level of an individual message, once the principal has been authorized and authenticated. Nonrepudiation provides a means of authenticating each message—protecting against the forging of a message or denial of transmission or receipt of a message. This capability is especially important for electronic commerce. It ensures, for example, that a user does not deny the transmission of a commercial transaction—an order, for example, or receipt of goods.

Audit-Whereas the other functions in this list are preventative measures designed to stop abuse before it actually happens, audit is aimed at detecting any abuse if it has slipped through the net. Audit is thus a monitoring activity. The subfunctions of audit include the collection of all transmission data—not just alarms—the storage of the data, functions to help in analysis, and functions to help in archival of the data.

Guaranteed delivery and error reporting-We saw that, in general, a middleware product can either report on the nondelivery of a message by using error reporting, or it can provide services which actually help to guarantee delivery. What I did not explain is why these services are needed at all. Most network software provides a “best effort” delivery service. TCP/IP and the IP protocol are not designed, for example, to guarantee quality of service. They will do their best to deliver the packet, but if the packet is lost en route, it is lost en route. There is a reason for this in a product like TCP/IP.

TCP/IP divides the message the sender gives it into packets, which then follow logical rather than physical paths through the network. The service is connectionless—in other words, the network ignores which pairs of end systems have entered into the communication. Each machine forwards the packet on, using information in the packet’s header, until it reaches its final destination. No acknowledgments of receipt are sent to the sender when a packet is received. It is relatively easy to intercept packets as they pass through a machine en route to their destination and remove them, alter their address (all it needs is a change of the header), alter their contents, and so on. Network software therefore does not provide any protection for the sorts of risks we saw were associated with data en route—hence the need for services in the middleware.

Functions and risks

Which functions protect against which risks? In the table below I have provided a chart to suggest which services are used to protect against which risks.

Table 16.1 Functions and risks

As you can see, authentication and authorization services are always used together to protect against unauthorized access to services or data on a machine. Encryption and integrity checking, on the other hand, are the primary services for ensuring the message is transported across the network without interference, coupled with the error checking and guaranteed delivery services we have already described.

Remember that the “application” and data I include in this table could be not only business applications but systems software and vendor-provided software. So, for example, we could have protection for Web servers (an application) and the pages on the Web server (data) probably defined at the page level.
