CS 603 CORBA Security April 3, 2002

1 CS 603 CORBA Security April 3, 2002

2 Security Service: Overview
Goals
– Confidentiality
– Integrity
– Accountability
– Availability
Where
– IDL for security classes
– Internal ORB checks
– IIOP extensions for inter-ORB security

3 Key (visible) Features
Authentication
– Is principal (user or object) who they claim to be?
Authorization
– Does a principal have the right to perform an operation?
Auditing
– Who is the source user (human) for an action?
Communication
– Ensure messages not corrupted and (optionally) not intercepted
Non-repudiation
– Irrefutable evidence that an action has been performed
Administration
– How do we define the policy?

4 Specific Goals
Simple
Consistent
Scalable
Usable for end users
Usable for administrators
Usable for implementers
Flexible
– access control
– Audit
– functionality profiles
Technology neutral
Application portability
Interoperability
– different vendors
– secure to non-secure
– different domains
– different technology
Performance
Object-Oriented
Conform to regulations
Conform to standard evaluation criteria

5 Security Packages
Main Packages (at least one required)
– Level 1: Applications unaware of security
– Level 2: Application control of policy
Optional packages
– Non-repudiation
Replaceable packages
– ORB services: Interceptor interfaces (security external to ORB), or
– Security Service: Standard ORB interface
Common Secure Interoperability
– Level 0: Identity based policies without delegation
– Level 1: Identity with unrestricted delegation
– Level 2: Identity and privilege policies, controlled delegation
SECIOP Interoperability package
Security Mechanism Packages
– SPKM protocol – CSI level 0 (basic public key)
– GSS Kerberos – CSI level 1
– CSI-ECMA – CSI level 2 (SESAME)
– SSL – CSI level 0
SECIOP + DCE-CIOP interoperability

6 So how does it work?
Credentials
– Client obtains credentials giving principal’s security attributes
  Identity
  Privilege: Groups, Roles, Capabilities, Clearances
  Also Public (unauthenticated) credentials
– Credentials can selectively be attached to object reference
Delegation
– None – reference uses its own credentials
– Simple – reference runs as principal
– Combined – reference gets merge of self and principal
– Composite – reference gets two sets of credentials (can trace)
– Time restrictions on delegation
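
The delegation modes on slide 6, modelled as an added example (not part of the original slides and not the CORBA Security Service API). Class and function names are hypothetical, the sample principals are constructed, and rejecting a call whose delegated credentials have expired is an assumption about how the time restriction is enforced.

```python
# Added illustration: a toy model of the slide's delegation modes.
# Class and function names are hypothetical, not CORBA Security Service API.
from dataclasses import dataclass
from enum import Enum

class Delegation(Enum):
    NONE = "none"            # intermediate uses its own credentials
    SIMPLE = "simple"        # intermediate runs as the initiating principal
    COMBINED = "combined"    # one merged set: intermediate + principal
    COMPOSITE = "composite"  # two separate sets, so the target can trace

@dataclass(frozen=True)
class Credentials:
    identity: str
    privileges: frozenset              # groups, roles, capabilities, clearances
    expires_at: float = float("inf")   # time restriction on delegation

def delegate(mode, principal, intermediate, now):
    """Return the credential sets the target object receives from the intermediate."""
    if mode is Delegation.NONE:
        return [intermediate]
    if now >= principal.expires_at:
        # Assumption: an expired delegation fails closed instead of falling back.
        raise PermissionError("delegated credentials have expired")
    if mode is Delegation.SIMPLE:
        return [principal]
    if mode is Delegation.COMBINED:
        merged = intermediate.privileges | principal.privileges
        name = f"{intermediate.identity}+{principal.identity}"
        return [Credentials(name, merged, principal.expires_at)]
    return [intermediate, principal]   # COMPOSITE

def access_allowed(received, required):
    """Toy access decision: some received credential set holds the privilege."""
    return any(required in c.privileges for c in received)

def privilege_sources(received, required):
    """Identities the target can attribute the required privilege to."""
    return [c.identity for c in received if required in c.privileges]

# Constructed sample principals.
ALICE = Credentials("alice", frozenset({"role:payroll"}), expires_at=1000.0)
PRINTSVC = Credentials("printsvc", frozenset({"role:printer"}))

if __name__ == "__main__":
    for mode in Delegation:
        got = delegate(mode, ALICE, PRINTSVC, now=10.0)
        print(mode.value, access_allowed(got, "role:payroll"),
              privilege_sources(got, "role:payroll"))
```

In this model the combined and composite modes grant the same access, but only the composite mode lets the target see that the payroll role came from the principal and not from the intermediate.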

7 Responsibilities
Enterprise manager
– Type of access control policy
– Level of auditing
– Level of protection
End user
Application Developer
Administrator
– Domain administration, user creation, etc.
Object system implementer
– Install ORBs/services

8 Authentication

9 Invocation

10 Security-Unaware Object

11 Interfaces
Level 1:
– Current:get_attributes – get credentials of invoking principal
Level 2:
– PrincipalAuthenticator
  Credentials Authenticate()
  _authentication() – for multi-step authentication
– Credentials
  Set_security_features(), Get_security_features()
  – Delegation allowed? Secure communication?
  Set_privileges() – Set group, role, clearance
  – Also identity: AuditId, AccountingId, NonRepudiationID
  Get_attributes() – given types, get values
  Is_valid() – Is the credential timed-out?
  Refresh() – renew timed-out credential

12 Interfaces (Level 2, continued)
SecurityLevel2::Object (CORBA::Object)
– Override_default_credentials()
– Override_default_QOP() – communication
– Get_security_features()
– Get_active_credentials()
Current – security aspects of a given call
– Get_attributes() (Security level 1)
– Get_credentials()
– Set_credentials()
– Received_credentials
– Received_security_features

13 Interfaces (Level 2, continued)
AuditChannel
– Audit_write() – write to log
AuditDecision
– Audit_needed()
– Audit_channel
AccessDecision
– Access_allowed()

14 Security Domains
Policy – common security policy
– Hierarchical
– Federated
– Domains for different policies may overlap
Environment – area with local enforcement
Technology – same mechanisms

15 Non-Repudiation

