ISM/ISC Middleware Module




ISM/ISC Middleware Module
Lecture 13: Security for Middleware Applications
Dr Geoff Sharman, Visiting Professor in Computer Science, Birkbeck College
Geoff Sharman, Sept 07

Lecture 13 Aims to:
- Show why security is important and differentiate network security from application security
- Describe commonly used network security measures provided by firewalls
- Introduce the various forms of application security which are relevant to transactional applications
- Explain how encryption is used to support security measures and how it is administered

Problems can Happen!
The following sites were attacked in Feb 2000, using Trojan Horses and automated tools, which resulted in denial of service:
- Yahoo
- CNN
- e-bay
- Buy.com
- MSN
- E*Trade
- Amazon.com
- ZDNet
Consequences:
- Outages lasted three to five hours in most cases
- Attacks were declared a criminal offence; the FBI investigated
- Revenue losses in advertising and sales estimated at $100m
- Affected companies planned to spend $100m-$200m on security

We Know Security is Important... but what are the risks?
- Web site subverted by hackers/Trojan horses
- Major outage due to denial of service attack
- Sensitive data seen by unauthorised users
- Transactions committed by unauthorised users
- Users do not pay for goods received
- Bad publicity as a result of problems, e.g. "Report Says Web Hacks to Cost $1.2Bn", "Government data loss anger"
How do we pick this apart and decide what to do?

What are we Trying to Protect?
Major organisational assets:
- Data/information
- Capability to commit transactions
- Processing resources
- Other assets, e.g. money
- Reputation
We need to understand their value and level of risk. These might be lost or damaged by user error, unauthorised users, faulty software/applications, or inadequate procedures.
The basis of all security is physical security.
A system is only as good as its administrator.

Networking Security

Networking Security Hazards
- By tradition, systems running Middleware applications use private networks, e.g. ATM, POS, and Call Centre systems
- These are physically protected against wire-tapping and misuse of network endpoints, e.g. supermarket till
- Only accessible to authorised employees

Networking Security Hazards (II)
- e-commerce is based on public networks using Internet Protocol (IP)
- Network endpoints may be anywhere in the world
- Network addresses may be assigned dynamically (DHCP), so cannot be traced
- Traffic is packet based, and may be intercepted and manipulated by routers and other computers
- Transmission Control Protocol (TCP) enables end-to-end sessions by creating virtual circuits
Need to isolate the in-house network from the public network via a firewall gateway

Firewall Technologies
[Diagram: insecure network -> network router applying filter rules, or application proxy performing network address translation -> secure network; DNS resolves www.me.org ==> 86.140.182.229]
- Filter: limited IP connectivity
- Proxy: no direct connectivity

The Firewall Gateway
- Computers inside an organisation should only connect to computers outside (on public networks) via the firewall router
- The firewall acts as a gateway, controlling:
  - incoming traffic (who/what can visit this org.), e.g. allow access only via defined ports
  - outgoing traffic (what people in the org. can visit)
- It must be simple, non-extensible, limited access, and physically secure

Demilitarised Zone (DMZ)
[Diagram: insecure network -> router/filter firewall -> demilitarised zone, holding the domain name server and the public web server -> proxy/filter firewall -> secure network]

Firewall Policies
Typical policies include:
- Disallow all traffic from outside (e.g. IIOP requests) except that which is explicitly permitted (why?)
- Translate network addresses of internal machines, so their real addresses remain unknown
- Allow HTTP requests using port 80 (or 8080)
Note: although restrictive, this policy may still be vulnerable to tunnelling
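As an added illustration (not part of the lecture), a toy packet filter in Python applying the default-deny policy on this slide, including the address translation and the tunnelling caveat; the host addresses, the port 9000 standing for a non-HTTP request, and the outbound browsing rule are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = from the insecure network, "out" = from the secure network
    proto: str            # "tcp" or "udp"
    dst_host: str
    dst_port: int
    payload: bytes = b""  # never examined by the filter (see the tunnelling note in decide)

# Constructed addresses for the example.
WEB_SERVER = "10.0.1.10"            # public web server in the DMZ
GATEWAY_PUBLIC = "86.140.182.229"   # the firewall's outside address, as on the diagram for www.me.org

# Explicit permits: (direction, proto, dst_host or "*", dst_port). Anything unlisted is denied.
PERMIT_RULES = [
    ("in", "tcp", WEB_SERVER, 80),     # HTTP requests to the public web server
    ("in", "tcp", WEB_SERVER, 8080),   # alternative HTTP port mentioned on the slide
    ("out", "tcp", "*", 80),           # people inside may visit external web sites (constructed)
]

def matches(rule, pkt):
    direction, proto, host, port = rule
    return (direction == pkt.direction and proto == pkt.proto
            and host in ("*", pkt.dst_host) and port == pkt.dst_port)

def masquerade(src_host, src_port, nat_table):
    # Network address translation: an outgoing connection leaves with the gateway's address, and
    # the table remembers which internal machine the reply belongs to.
    public_port = 40000 + len(nat_table)              # constructed port allocation
    nat_table[public_port] = (src_host, src_port)
    return GATEWAY_PUBLIC, public_port

def decide(pkt, nat_table, rules=PERMIT_RULES):
    # Default deny: a packet gets through only if a rule permits it or it is the reply to a
    # translated outgoing connection. The filter sees only headers, so any protocol carried
    # over a permitted port (tunnelling) passes this check regardless of its payload.
    if pkt.direction == "in" and pkt.dst_host == GATEWAY_PUBLIC and pkt.dst_port in nat_table:
        return f"permit (reply to internal host {nat_table[pkt.dst_port][0]})"
    return "permit" if any(matches(r, pkt) for r in rules) else "deny"

def run_samples():
    nat = {}
    outside_addr, outside_port = masquerade("10.0.2.5", 51000, nat)   # internal PC browses out
    samples = {
        "http_to_web_server": Packet("in", "tcp", WEB_SERVER, 80),
        "iiop_from_outside": Packet("in", "tcp", WEB_SERVER, 9000),   # constructed non-HTTP port
        "http_to_internal_pc": Packet("in", "tcp", "10.0.2.5", 80),
        "udp_to_web_server": Packet("in", "udp", WEB_SERVER, 80),
        "tunnelled_over_80": Packet("in", "tcp", WEB_SERVER, 80, b"not really HTTP"),
        "reply_to_internal_pc": Packet("in", "tcp", outside_addr, outside_port),
        "reply_to_unknown_port": Packet("in", "tcp", GATEWAY_PUBLIC, 40999),
    }
    return {name: decide(pkt, nat) for name, pkt in samples.items()}
```

The last two samples show why the translation table doubles as session state: a reply is accepted only on a port the gateway handed out.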

Application Security

Identity
Application security is based on the concept of identity: a known user of an application corresponding to a particular individual. It enables:
- assignment of powers to individuals
- accountability for using those powers
- tracing/auditing of what actually happens, so identity should not be shared
Vulnerable to identity fraud:
- now easier than breaking network security
- most cases arise from non-system activities

Basic Types of Application Security
[Diagram: Presentation Logic ("Who are you?") -> Business Logic ("What are you allowed to do?") -> Data Access Logic]
- Authentication - prove your identity
- Authorization - what is this identity allowed to do?
- Privacy - which identities can read this message?
- Message integrity - is the message received what was sent?
- Non-repudiation - prove which identity sent this message
- Code auditing - does this program do what it says?

Authentication
Proof of identity is based on:
- production of an object, e.g. smart card
- knowledge of a secret, e.g. password, PIN, X.509 certificate
- physical identifying marks, e.g. biometrics, DNA
- combinations of these, e.g. chip & PIN
Other measures may enhance security, e.g. application-managed identity, password expiry, one-time passwords
Whatever credentials are chosen, identity must be mapped to an operating system identity

Authorisation
- Basic idea is that an identity may only perform those actions which it has been authorised to do, e.g.:
  - run program x
  - access data file y
- Usually enforced by the operating system
- Middleware systems often impose further limitations, e.g. identity may:
  - only perform transaction z (no knowledge of pgm)
  - not install programs (unless administrator)
  - have no direct access to data

Authorisation (II)
To ensure that applications perform only authorised actions, it's common practice to:
- log security holes in software and manage fixes
- assign a responsible owner to each program
- inspect application programs as they're developed
- certify the source of a program
- identify sensitive programs, e.g. those controlling money, and audit them
- log actual use of applications to enable later investigation

Authorisation (III)
- Sometimes we need authorisation controls which are more fine-grained than the middleware provides, e.g. a user can only sign off expenditure > 5K if he/she is a second-level manager
- These checks must be performed by application programs
- Use middleware facilities to handle error conditions
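As an added example (not from the lecture), the sign-off rule on this slide written as application code layered on top of the middleware's coarse transaction check, with the usage log the previous slide calls for; the identities, the transaction code SIGNOFF and the extra positive-amount rule are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    name: str
    manager_level: int        # 0 = not a manager, 1 = first-level, 2 = second-level manager
    transactions: frozenset   # transaction codes the middleware has authorised for this identity

SIGN_OFF_LIMIT = 5000         # the slide's "5K", taken here as 5,000

# Fine-grained rules the middleware cannot express, so the application enforces them itself.
# Each rule is (predicate that must hold for the action to proceed, reason given on refusal).
FINE_GRAINED_RULES = [
    (lambda ident, amount: amount <= SIGN_OFF_LIMIT or ident.manager_level >= 2,
     f"sign-off above {SIGN_OFF_LIMIT} requires a second-level manager"),
    (lambda ident, amount: amount > 0, "amount must be positive"),   # constructed extra rule
]

def authorise_sign_off(ident, amount, audit_log):
    # Layer 1: the coarse check the middleware itself makes (may this identity run SIGNOFF at all?).
    # Layer 2: the application's own rules. Anything that is not an explicit permit is a refusal.
    if "SIGNOFF" not in ident.transactions:
        verdict = (False, "middleware: transaction SIGNOFF not authorised for this identity")
    else:
        failed = [reason for ok, reason in FINE_GRAINED_RULES if not ok(ident, amount)]
        verdict = (False, "application: " + failed[0]) if failed else (True, "permitted")
    # Record actual use, permitted or refused, so it can be investigated later.
    audit_log.append((ident.name, "SIGNOFF", amount, *verdict))
    return verdict

def demo():
    # Constructed identities and requests.
    clerk = Identity("clerk01", 0, frozenset({"ENQUIRE"}))
    team_lead = Identity("lead01", 1, frozenset({"ENQUIRE", "SIGNOFF"}))
    director = Identity("dir01", 2, frozenset({"ENQUIRE", "SIGNOFF"}))
    audit = []
    results = {
        "clerk_small": authorise_sign_off(clerk, 100, audit),
        "lead_small": authorise_sign_off(team_lead, 4999, audit),
        "lead_large": authorise_sign_off(team_lead, 5001, audit),
        "director_large": authorise_sign_off(director, 5001, audit),
        "director_negative": authorise_sign_off(director, -50, audit),
    }
    return results, audit
```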

Data in Transit
When sensitive data flows across an insecure network, we want to achieve:
- Privacy/confidentiality: message cannot be read by unauthorised identities
- Message integrity: message received is what was actually sent
- Non-repudiation: message can be traced to an authorised sender and cannot be denied
These types of security require the use of encryption

Cryptographic Technologies
Two technologies in common use (n = key length in bits):
- Secret key: single key shared by sender and receiver
  - used to encrypt and decrypt messages
  - algorithm is symmetric: work factor ~ 2**(n-1)
  - e.g. Data Encryption Standard (DES 1971), 56-bit keys
- Public/private key: public key to encrypt, private key to decrypt
  - algorithm is asymmetric: work factor ~ 2**(0.3n)
  - e.g. Rivest/Shamir/Adleman (RSA 1977) with 512, 1024, 2048-bit keys

Secret Key Encryption
[Diagram: clear text message -> Encryption Algorithm (secret key) -> encrypted message across the insecure network -> Decryption Algorithm (same secret key) -> clear text message]

Public/Private Key Encryption
[Diagram: clear text message -> Encrypt with receiver's public key -> encrypted message across the insecure network -> Decrypt with receiver's private key -> clear text message]

Message Integrity
[Diagram: sender computes the message digest of the input message, encrypts input message + digest with the receiver's public key and sends the result across the insecure network; receiver decrypts with the receiver's private key, recomputes the digest and compares]
- Message digest algorithm produces a fixed-length "digital hash"
- Same algorithm used to validate the message received

Non-Repudiation
[Diagram: sender computes the message digest, encrypts the digest with the sender's private key and the message with the receiver's public key, and sends both across the insecure network; receiver decrypts the message with the receiver's private key, decrypts the digest with the sender's public key, computes the digest of the message and compares the digests]
Message digest encrypted with the sender's private key is known as a digital signature

Making Encryption Usable
To make encryption usable in everyday life we:
- Build it in to communication protocols, e.g.
  - Secure Sockets Layer (SSL) (1994)
  - HTTP over SSL (HTTPS): https://www.x.com/
  - designed by Netscape for use in browsers
- Use it to support authentication
- Arrange secure methods for allocation and distribution of keys

Secure Sockets Layer
SSL may be used in place of TCP/IP sockets. Provides:
- Authentication of server using public/private key - requires server certificate
- Secure message interchange using secret key
- Optional authentication of client using public/private key - requires client certificate
Lightweight implementation for Java is provided by Java 2 SE Security

SSL Handshake
[Message sequence]
Client -> Server: Hello, I support RC4, DES, and none
Server -> Client: Hello, let's use RC4
Server -> Client: Here's my certificate
Client: check server certificate
Client -> Server: Here's the RC4 key to use (encrypted)
Server: decrypt session key and cache
Client -> Server: Change cipher spec
Server -> Client: Confirm change cipher spec
Session data encrypted using RC4 key

Client Authenticated SSL Session
[Message sequence]
Client -> Server: Hello, I support RC4, DES, and none
Server -> Client: Hello, let's use RC4, here's my certificate
Server -> Client: Can I have your certificate please?
Client -> Server: Here's my client certificate
Server: check client certificate
Client -> Server: Here's the RC4 key to use (encrypted)
Session data encrypted and authenticated

Digital Certificates
[Diagram: a certificate contains the owner's distinguished name (e.g. BBK.geoff), the owner's public key, the Certificate Authority's distinguished name, and an encrypted message digest produced with the CA's private key]
- Makes owner's public key available to others
- Must be issued by a trusted Certificate Authority (CA)

Certificate Authorities
- Browsers are normally shipped with certificates identifying the major Certificate Authorities, e.g. Equifax, VeriSign
- Server certificates are checked against these to see whether issued by one of them; if so, the server can be trusted
- Client certificates must be purchased from one of them (or allocated by employer)

Certificate Authorities (II)
[Diagram: a root certificate authority above certificate issuing authority 1 and certificate issuing authority 2, with a sender and a receiver below; one path is marked "not trusted"]

Key Ring/Certificate Database
[Diagram: root CA's certificate, subordinate CA's certificate, client certificate]
- Browser/client has a database which contains the certificates needed
- Also needs utilities which enable the database to be maintained
- Database must be password protected
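As an added example (not from the lecture), the Message Integrity, Non-Repudiation, Digital Certificates and Certificate Authorities slides worked through in Python: a toy RSA with small primes stands in for the real key pairs, SHA-256 for the message digest algorithm, and the certificate fields, CA names, key seeds and messages are constructed.

```python
import hashlib
import math
def is_prime(n):
    return n > 1 and all(n % k for k in range(2, math.isqrt(n) + 1))

def keygen(seed):
    # Toy RSA key pair from two small primes found above `seed`: illustration only, not a secure size.
    p = next(x for x in range(seed, 10**9) if is_prime(x))
    q = next(x for x in range(2 * seed, 10**9) if is_prime(x))
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def digest(message, n):
    # Fixed-length "digital hash" (Message Integrity slide), reduced mod n so the toy key can sign it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    # The digest encrypted with the sender's private key is the digital signature (Non-Repudiation slide).
    return pow(digest(message, private_key[0]), private_key[1], private_key[0])

def verify(message, signature, public_key):
    # The receiver decrypts the digest with the sender's public key, recomputes it and compares.
    return pow(signature, public_key[1], public_key[0]) == digest(message, public_key[0])

def cert_body(cert):  # the signed part of a certificate: owner DN, owner public key, CA DN
    return f"{cert['subject']}|{cert['public_key']}|{cert['issuer']}".encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    cert = {"subject": subject, "public_key": subject_pub, "issuer": issuer}
    return {**cert, "signature": sign(cert_body(cert), issuer_priv)}

def verify_chain(chain, trusted_roots):
    # chain = [owner cert, subordinate CA cert, ...]; trusted_roots = {root CA DN: public key} held in
    # the key ring / certificate database. A chain that ends at no trusted root is "not trusted".
    for cert, issuer in zip(chain, chain[1:]):
        if cert["issuer"] != issuer["subject"] or not verify(cert_body(cert), cert["signature"], issuer["public_key"]):
            return False
    root_key = trusted_roots.get(chain[-1]["issuer"])
    return root_key is not None and verify(cert_body(chain[-1]), chain[-1]["signature"], root_key)

def demo():
    # Constructed scenario: root CA -> certificate issuing authority 1 -> BBK.geoff, plus an untrusted CA.
    root_pub, root_priv = keygen(1_000_000)
    sub_pub, sub_priv = keygen(3_000_000)
    geoff_pub, geoff_priv = keygen(5_000_000)
    sub_cert = issue_cert("CA=issuing-1", sub_pub, "CA=root", root_priv)
    geoff_cert = issue_cert("BBK.geoff", geoff_pub, "CA=issuing-1", sub_priv)
    rogue_cert = issue_cert("BBK.geoff", geoff_pub, "CA=unknown", geoff_priv)  # issued by no trusted CA
    message = b"Sign off 4000 GBP"  # constructed message
    signature = sign(message, geoff_priv)
    return {"chain_ok": verify_chain([geoff_cert, sub_cert], {"CA=root": root_pub}),
            "untrusted_ca_rejected": not verify_chain([rogue_cert], {"CA=root": root_pub}),
            "signature_ok": verify(message, signature, geoff_cert["public_key"]),
            "tamper_detected": not verify(b"Sign off 9000 GBP", signature, geoff_cert["public_key"])}
```

The receiver takes the sender's public key from the certificate rather than from the message, which is what makes the signature attributable and the chain check worth doing.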

Summary
You should now be able to:
- Show why security is important and differentiate network security from application security
- Describe commonly used network security measures provided by firewalls
- Introduce the various forms of application security which are relevant to transactional applications
- Explain how encryption is used to support security measures and how it is administered