Using Digital Certificates for Identification & Authorization
Robert C. Seacord & Scott A. Hissam
February 26, 1998
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Sponsored by the U.S. Department of Defense
© 1998 by Carnegie Mellon University
Carnegie Mellon University
Software Engineering Institute
Agenda
Background
Server Configuration
• Certificate Management Server (CMS)
• Enterprise Server (ES)
• Directory Server (DS)
Server-Side JavaScript Solution
Java Solution
Summary
Issues
Confidentiality (encryption)
• SSL connection
Client authentication
• requires obtaining the identity of clients through client certificates
Ease of deployment
• code is downloaded through the browser or accessible through the CLASSPATH
Java applications vs. applets
• may want to deploy as Java applications that do not make use of a browser
SEI Work
1. Use of certificates for Identification and Authorization (I&A).
2. Use of Visigenics' SSL implementation with Netscape Certificates.
3. Verification that additional CAs can be specified in Microsoft IE 4.0.
4. Interoperability between Orbix and Visigenics.
5. VisiBroker and Orbix to communicate using any SSL implementation.
6. Evaluate GateKeeper and Wonderwall.
7. Investigate passing Gigabyte size files over IIOP.
I&A Model Problem
Figure: two JEDMICS sites, the program office, and two users with different access.
• Pearl Harbor, Hawaii: JEDMICS Site Installation #1
• Huntsville, Alabama: JEDMICS Site Installation #2
• JEDMICS Program Office
• JEDMICS User #1 (can get images from Pearl and Huntsville)
• JEDMICS User #2 (can get images ONLY from Huntsville)
Security Policies
Do users need to have an account (e.g., certificate) from each JEDMICS installation they would like to access?
Can all the users at a given site (e.g., Pearl Harbor) be provided some level of access to another site (e.g., Huntsville) based on the site certificate?
• can these permissions be extended for some users and not others?
Issues: Risk profile, policy scope, flexibility, scalability, operational overhead...
Model Policy: Certificate Authority
JEDMICS Program Office: Root Certificate Authority
  o=JEDMICS, c=US
Pearl Harbor, Hawaii: JEDMICS #1 Subordinate Certificate Authority
  ou=Pearl, o=JEDMICS, c=US
Huntsville, Alabama: JEDMICS #2 Subordinate Certificate Authority
  ou=Huntsville, o=JEDMICS, c=US
JEDMICS Program Office authorizes (and revokes) certificates for JEDMICS sites
Sites authorize (and revoke) certificates for individual users
COTS Servers Installed
3 Netscape Certificate Management Servers (CMS)
• one for each Certificate Authority (CA) in the hierarchy
• JEDMICS authority, Pearl and Huntsville subordinates
2 Netscape Enterprise Servers (ES)
• one for each site (e.g., Pearl, Huntsville)
2 Netscape Directory Servers (DS)
• one for each site (e.g., Pearl, Huntsville)
Directory Server v.1.03
Acts as a global repository for a wide range of application data, including
• user and group information
• application preferences
• Common Object Request Broker Architecture (CORBA) object locations
• public-key certificates
Supports the open Internet standard Lightweight Directory Access Protocol (LDAP v. 2, RFC 1777)
Directory Server can communicate using LDAP over Secure Sockets Layer (SSL)
Hierarchical Naming
Supports X.500 hierarchical naming model.
Supports all classes and objects defined in X.520 (1988) and X.521 (1988).
Updates the X.521 organizationalPerson class to include attributes such as Internet email address, public-key certificates, mobile phone number, pager number, and others. Allows administrators to extend the schema (data model) to keep track of new information.
Sample DS Entries
Search base (the suffix; its DN components):
  ou=Huntsville, o=JEDMICS, c=US
Distinguished names (filter components, sharing the suffix):
  dn: [email protected], CN=Hugh Downs, UID=hd, OU=Huntsville, O=JEDMICS, C=US
  dn: [email protected], CN=Barbara Walters, UID=bw, OU=Huntsville, O=JEDMICS, C=US
JEDMICS Server Configuration
Figure: server layout for the two sites, Pearl Harbor and Huntsville; only the labels are recoverable.
Each site host runs:
• Admin Server, Enterprise Server 3.0 (Port 8080)
• Admin Server, Directory Server 1.03 (Port 1389/636)
• Admin Server, CMS Server 1.01 for the site's sub CA (pearlCA, huntsvilleCA), Port 1443
• Visigenic 3.0 ORB (Port 14000) hosting the BRIsec, SMsec and JedSec services
Hosts shown: jd.sei.cmu.edu and gc.sei.cmu.edu (later slides address the Huntsville site as gc).
Root CA: CMS Server 1.01, jedmicsCA, Port 14430
CMS Setup
X.509 Distinguished Names:
JEDMICS Root CA
  cn=JEDMICS Root CA, o=JEDMICS, c=US
Subordinate CAs
  cn=Pearl Sub CA, ou=Pearl, o=JEDMICS, c=US
  cn=Huntsville Sub CA, ou=Huntsville, o=JEDMICS, c=US
Root CA is chained to each subordinate CA using CMS menus
Root CA installed as trusted CA in each CMS
Initial ES Setup
For each site’s ES
• enable SSL using CA certificate from corresponding site
• enable Server-Side JavaScript
• install corresponding CA as trusted CA
The specific CA installed makes a difference
• root CA certificate can decode both Pearl & Huntsville client certificates
• sub CA certificate can only decode certificates issued from that Sub CA
Note: Sub CA certificate installed must come from Root CA’s CMS because of chaining
Initial DS Setup
For each site’s Directory Server (DS)
• enable admin user for corresponding ES
• define search base for the site: ou={site_name}, o=JEDMICS, c=US
• build directory entries for users, servers, and CAs using
  - manual (batch) approach
  - command line approach
  - programmatic approach
  - GUI (interactive) approach
• add DS to corresponding ES and CMS
DS Update Approaches
Manual
• backup database as LDAP Interchange Format (.ldif) file
• add entries for CMS certificates to .ldif file
• create DS database from new .ldif file
Command line
• LDAPadd, LDAPmod, LDAPdelete
Programmatic
• Java classes (import netscape.ldap.*;)
GUI
• Directory Server Gateway Interface (DSWG)
• HTML pages, CGI-BINs accessed from ES
Final DS & ES Setup
Directory Server
• update with User, Server and CA Certificates
  - privileged operation from CMS interface
• correct any errors in LDAP database for those certificates that could not be updated
Enterprise Server
• create certificate mapping from CA certificate to LDAP search criteria (certmap.conf)
• create Access Control List (ACL) for URIs
  uri=/jedsec
Administration Operation
1. User submits certificate request to CA (e.g. Huntsville CA)
2. Issuing Agent receives CSR via CMS
3. Issuing Agent creates a new person entry in LDAP directory server
4. Issuing Agent reviews CSR and issues certificate
5. CMS updates LDAP directory server with issued certificate
6. User receives issued certificate
7. User can now use system
Certificates Issued
Figure: certificate tree issued in the model problem (footnotes below).
JEDMICS Root CA (JEDMICS Root CA Issuing Agent)
• Pearl Sub CA (Pearl Sub CA Issuing Agent)
• Huntsville Sub CA (Huntsville Sub CA Issuing Agent)
End-entity certificates shown: Soft W. Developer, Dave Kyle (1), John Stossel (1), Barbara Walters (2), Peter Jennings (1), Hugh Downs (1)
1 Authorized to logon to local site
2 Certificate is now revoked
Model Policy: Identification & Authorization
To Logon
• certificate must be issued from site
• X.509 DN fields must be found in LDAP server, in this case: cn=, uid=, email=, ou=, o= and c=
• certificate must match that found in LDAP server
• certificate cannot be expired
• certificate cannot be revoked
• other criteria possible
SSJS Solution
Certificate manipulation managed between Browser and HTTP server
HTTP server manages client authentication
• interrogates browser for client certificate
• validates client certificate
• looks up client certificate in LDAP server
SSJS Solution: Install/Setup
Enterprise Server configuration
• authorized users issued certificates from site
• holders of certificates permitted access
• certificates not issued from site cannot be decrypted
SSJS Solution Overview
Figure: flow between Netscape Navigator 4.04 (running JedmicsApplet), the Enterprise Server at https://gc:8080/jedsec (the jedsec JavaScript/LiveWire application: jedsec/start.html, jedsec/index.html), the directory at LDAP://gc:1389, and the TCB services (JedSec:: UserFactory.createUser, User.authorized, User.logImageRetrieval; BRIsec:: getImageList; SMsec:: getImage). The figure distinguishes secure comms from clear comms.
Steps:
• 1 first contact
• 2 directory lookup
• 3 create user object
• 4 construct web page with applet
• 5 reconstitute stringified object
• 6 request image search
• 7 request actual image
• 8 audit user retrieval
1. First Contact
User information extracted from certificate
• user id
• email address
• full name
• organizational unit
• public key
2. Directory Lookup
Enterprise server uses certificate information to find entry in associated directory server
• certmap.conf defines mapping of certificate information to LDAP search fields (and order)
  - mapping based on certificate authority
• certificate pulled from LDAP server is compared with presented certificate
• successful search and match authorizes access

  certmap pearlCA CN=Pearl Sub CA, OU=Pearl, O=JEDMICS, C=US
  pearlCA:DNComps ou,o,c
  pearlCA:FilterComps mail, uid, cn, ou
  pearlCA:verifycert on
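Added example (Go, not code from the SEI deck or the Netscape server): a model of what the certmap.conf entry above makes the Enterprise Server do, assuming the certificate's E attribute maps to the LDAP mail attribute and using an in-memory slice in place of the Directory Server. It derives the search base from DNComps and the filter from FilterComps, then applies verifycert against the stored usercertificate;binary value, covering both ways the lookup can fail (no entry, certificate mismatch); the entries are constructed after the "Sample DS Entries" slide.

```go
package main

import (
	"bytes"
	"strings"
)

// CertMap mirrors one certmap.conf entry from the slide: subject-DN attributes that form the
// LDAP search base (DNComps) and the filter (FilterComps), and whether verifycert is on.
type CertMap struct {
	DNComps, FilterComps []string
	VerifyCert           bool
}

// DirEntry stands in for an LDAP person entry: its DN and its usercertificate;binary value.
type DirEntry struct {
	DN   string
	Cert []byte
}

// parseDN splits "CN=Hugh Downs, UID=hd, ..." into lower-cased attribute/value pairs; the
// certificate e-mail attribute (E) is mapped to LDAP "mail", an assumption about certmap.
func parseDN(dn string) map[string]string {
	attrs := map[string]string{}
	for _, part := range strings.Split(dn, ",") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			k := strings.ToLower(kv[0])
			if k == "e" {
				k = "mail"
			}
			attrs[k] = kv[1]
		}
	}
	return attrs
}

// BuildSearch derives the search base and the AND-filter terms from the subject DN in the
// order certmap.conf lists them; a DN from another site therefore yields that site's base.
func BuildSearch(cm CertMap, subjectDN string) (base string, terms [][2]string) {
	attrs := parseDN(subjectDN)
	var baseParts []string
	for _, c := range cm.DNComps {
		if v, ok := attrs[c]; ok {
			baseParts = append(baseParts, c+"="+v)
		}
	}
	for _, c := range cm.FilterComps {
		if v, ok := attrs[c]; ok {
			terms = append(terms, [2]string{c, v})
		}
	}
	return strings.Join(baseParts, ", "), terms
}

// Authorize is the decision the slide describes: search the directory (an in-memory slice
// here) under the derived base for an entry carrying every filter term, then, with
// verifycert on, require the stored certificate to equal the presented DER bytes.
func Authorize(cm CertMap, subjectDN string, presented []byte, dir []DirEntry) (bool, string) {
	base, terms := BuildSearch(cm, subjectDN)
	for _, e := range dir {
		matched := strings.HasSuffix(strings.ToLower(e.DN), strings.ToLower(base))
		attrs := parseDN(e.DN)
		for _, t := range terms {
			matched = matched && strings.EqualFold(attrs[t[0]], t[1])
		}
		if !matched {
			continue
		}
		if cm.VerifyCert && !bytes.Equal(e.Cert, presented) {
			return false, "directory certificate differs from presented certificate: " + e.DN
		}
		return true, "authorized: " + e.DN
	}
	return false, "no entry under " + base + " matches the certificate's filter components"
}

// entry builds a constructed person entry under ou=Huntsville, modelled on the
// "Sample DS Entries" slide; e-mail domain and certificate bytes are placeholders.
func entry(uid, cn string, cert []byte) DirEntry {
	return DirEntry{DN: "mail=" + uid + "@huntsville.example, cn=" + cn + ", uid=" + uid +
		", ou=Huntsville, o=JEDMICS, c=US", Cert: cert}
}

// HuntsvilleCertMap is the slide's pearlCA entry transposed to the Huntsville CA.
var HuntsvilleCertMap = CertMap{DNComps: []string{"ou", "o", "c"},
	FilterComps: []string{"mail", "uid", "cn", "ou"}, VerifyCert: true}

// SampleDirectory is the constructed Huntsville directory the checks run against.
var SampleDirectory = []DirEntry{entry("hd", "Hugh Downs", []byte("der-hd")),
	entry("bw", "Barbara Walters", []byte("der-bw"))}
```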
3. Create User Object
JavaScript and LiveWire used to obtain information gathered by ES for our application
• used to create a user object from the JedSec::UserFactory
Start.html (launched at server startup):
  <server>
  // initialize the orb
  project.orb = Packages.org.omg.CORBA.ORB.init();
  // establish connection to the "UserFactory" service
  project.jedSecUserFactory = Packages.JedSec.UserFactoryHelper.bind(project.orb, "UserFactory");
  </server>
index.html (launched upon each client session):
  <server>
  cert = ssjs_getCGIVariable("CLIENT_CERT");
  __userObj = project.jedSecUserFactory.createUser(request.auth_user, cert, request.ip);
  </server>
Note On Using JavaScript
User object must be assigned to either a local attribute or an attribute of the project object
• cannot invoke a method on an object proxy assigned to a client attribute
Possible explanation: the runtime engine constructs and destroys the client object for each request
4. Construct Web Page with Applet
Construction of page can be made conditional
• example uses second tier of authorization
Index.html:
  __strUserObj = project.orb.object_to_string(__userObj);
  __authorizedUser = __userObj.authorized();
  if (__authorizedUser) {
    write("<applet\n code=JedmicsApplet.class codebase=\"jedmicsAppletDemo5\"\n");
    write("archive=\"jedsec.zip\" width=600 height=200>\n");
    write("<param name=USE_ORB_LOCATOR value=>\n");
    write("<param name=org.omg.CORBA.ORBClass value=com.visigenic.vbroker.orb.ORB>\n");
    write("<param name=strUserObject value=");
    write(__strUserObj);
    write(">\n</applet>\n");
  } else {
    write("unauthorized client access\n");
  }
  __userObj.logEvent(request.auth_user, "Accessed /jedsec");
userObject passed to applet in stringified form
5. Reconstitute the User Object
Stringified user object is converted back into a user object reference
• passed as a parameter to application services (e.g., BRIsec)
JedmicsApplet.java:
  public class JedmicsApplet extends Applet {
    public static JedSec.User userRef = null;
    :
    public void init () {
      String stringifiedUserObject = getParameter("strUserObject");
      :
      // Locate the User Object authorizing this client
      org.omg.CORBA.Object object = orb.string_to_object(stringifiedUserObject);
      userRef = JedSec.UserHelper.narrow(object);
      :
    }
  }
6. Request Image Search
BRIsec is used to locate images matching search criteria
• unchanged from previous model problems
JedmicsEvents.java:
  // call getImageList operation
  try {
    images = JedmicsApplet.briRef.getImageList(partNo);
  } catch (BRIsecPackage.NotFound e) {
    displayMsg ("Matching part not found.\nTry a less restrictive pattern.");
    return;
  }
  :
  for (i=0; i < images.length; i++) {
    // Build list (allowing one selection at a time)
    imageList.addItem(images[i]);
    System.out.println("adding " + images[i]);
  }
7. Request Actual Image
Image is retrieved directly from SM
• user object reference is passed as additional parameter
JedmicsEvents.java:
  public void getSMImage(String imageName) {
    :
    byte[] imageData;
    :
    // check that proxy exists
    if (JedmicsApplet.smRef == null) {
      displayMsg ("Get image failed - not connected to SM server.");
      return;
    }
    :
    // call getImage operation
    imageData = JedmicsApplet.smRef.getImage(JedmicsApplet.userRef, imageName);
    :
  }
8. Audit User Retrieval
User object used to log image retrieval
• generates C2 audit trail
SMsec_srvr.C:
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <stdio.h>

  SMsec::image* SMsecImpl::getImage (JedSec::User_ptr userRef, const char * imageName) {
    struct stat buf;
    if (stat(imageName, &buf) < 0) {          // stat returns 0 on success
      perror("serverSMsec: stat failed");
    }
    SMsec::image* imageData = new SMsec::image;
    imageData->length(buf.st_size);
    int fp;
    if ((fp = open (imageName, O_RDONLY)) < 0) {
      perror("serverSMsec: open");
    }
    int bc = read(fp, &(*imageData)[0], buf.st_size);   // fill the sequence's buffer
    close (fp);
    userRef -> logImageRetrieval(imageName);              // audit record for this retrieval
    return (imageData);
  }
Deployment Recommendations
Pre-install Visigenic Orb Classes
• placing vbj30.jar in Navigator’s CLASSPATH saves downloading of 2.4Mb jar file
Zigbert/Zip the specific application only
• archive attribute of the <APPLET> tag
• digitally sign the archive
Makefile:
jedsec.zip: $(CLASSES)
	@echo Building $@
	-rm -rf jarDir
	-mkdir jarDir
	tar cf - `find . -name "*.class" -print` | (cd jarDir; tar xvf -)
	zigbert -d.. -k"Soft W. Developer's JEDMICS ID" -p"password" jarDir
	(cd jarDir; zip -r ../$@ *)
	rm -rf jarDir
Advantages - SSJS Solution
No additional client configuration necessary
• SSL libraries still need to be installed
• the vbj30.jar file may be installed to improve performance
Certificate manipulation for client authentication managed between Browser and HTTP server
• no coding required
Disadvantages - SSJS Solution
Can only be used for applets and not Java applications
Difficult to export user credentials from HTTP server to JEDMICS system
• connection between HTTP Server and applet goes through a kludge, the Server-Side JavaScript interface
“100% Pure” Java Solution
Can be used for Java application or Java applet
• does not require use of web browser, HTTP server or SSJS
• still uses CMS & DS
Code for certificate manipulation and authentication must be developed
• Java 1.2 supplies Certificate API for certificate management
• Netscape LDAP Java SDK used for searching the LDAP directory
• encryption/decryption performed using patented algorithms from RSA (JSAFE)
COTS Servers Installed/Setup
3 Netscape Certificate Management Servers (CMS)
• one for each Certificate Authority (CA) in the hierarchy
• JEDMICS authority, Pearl and Huntsville subordinates
2 Netscape Directory Servers (DS)
• one for each site (e.g., Pearl, Huntsville)
Setup the same except for Enterprise Server steps
“100% Java” Model Policy: I&A
1. Client encrypts uid using private key
2. Client presents encrypted uid with certificate
3. Server looks up certificate in LDAP
4. Server confirms that
• certificate has been issued from site
• X.509 DN fields must be found in LDAP server: cn=, uid=, email=, ou=, o= and c=
• certificate presented matches certificate found in LDAP server
• certificate has not expired or been revoked
5. Server uses public key to decrypt uid
6. Server confirms that decrypted uid is the same as the uid in the LDAP directory entry
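Added example (Go, not the project's Java/JSAFE code): the six-step policy above as one client call and one server check. An ECDSA signature over the uid stands in for the slide's "encrypt uid using private key" (the RSA wording of the time), a constructed Huntsville sub CA and user certificate stand in for the CMS, a uid-keyed map stands in for the LDAP entry, and a set of revoked serials stands in for a CRL; the certmap-style DN lookup is left to the earlier directory-lookup example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Site is the server-side state: the site's sub CA, the directory (uid -> DER certificate
// the CMS stored there) and the serials the CA has revoked, a stand-in for its CRL.
type Site struct {
	CA      *x509.Certificate
	Dir     map[string][]byte
	Revoked map[string]bool
}

// Sign is the client side (steps 1 and 2): an ECDSA signature over SHA-256(uid) stands in
// for the slide's "encrypt uid using private key", the RSA wording of the time.
func Sign(uid string, key *ecdsa.PrivateKey) ([]byte, error) {
	h := sha256.Sum256([]byte(uid))
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Authorize is the server side (steps 3 to 6): find the entry for uid, confirm the issuer,
// the directory match, the validity window and revocation, then verify sig under the key.
func (s *Site) Authorize(uid string, certDER, sig []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	stored, ok := s.Dir[uid]
	if !ok {
		return errors.New("uid not found in directory")
	}
	if cert.CheckSignatureFrom(s.CA) != nil {
		return errors.New("certificate not issued by this site's CA")
	}
	if !bytes.Equal(stored, certDER) {
		return errors.New("presented certificate differs from directory certificate")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate expired or not yet valid")
	}
	if s.Revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	h := sha256.Sum256([]byte(uid)) // uid is the directory key, so it is the directory's uid
	if pub, _ := cert.PublicKey.(*ecdsa.PublicKey); pub == nil || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("uid signature does not verify under the certificate's public key")
	}
	return nil
}

// issue creates a P-256 certificate for cn under ou signed by parent (self-signed when
// parent is nil). Constructed fixture: serial numbers and lifetimes are made up.
func issue(serial int64, cn, ou string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, Organization: []string{"JEDMICS"}, Country: []string{"US"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// NewModelSite builds a Huntsville sub CA with one enrolled user, hd, and returns the user's
// DER certificate and private key (the client's half of the fixture).
func NewModelSite() (*Site, []byte, *ecdsa.PrivateKey, error) {
	caDER, caKey, _ := issue(1, "Huntsville Sub CA", "Huntsville", true, nil, nil)
	ca, _ := x509.ParseCertificate(caDER)
	userDER, userKey, err := issue(2, "Hugh Downs", "Huntsville", false, ca, caKey)
	return &Site{CA: ca, Dir: map[string][]byte{"hd": userDER}, Revoked: map[string]bool{}}, userDER, userKey, err
}
```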
Client Installation
1. Export certificate from Netscape in PKCS-12 format
2. Convert from PKCS-12 to PEM format
   pfx -print_certs -in hd.p12
3. Cut and paste first certificate into hd.pem
4. Convert from PEM format into DER format
   ssleay x509 -in hd.pem -inform PEM -out hd.der -outform DER
100% Pure Java Solution Overview
Figure: flow between the JEDMICS Client (Java 1.2), the directory at LDAP://gc:1389, and the TCB services (JedSec:: UserFactory.createUser, User.authorized, User.logImageRetrieval; BRIsec:: getImageList; SMsec:: getImage).
Steps:
• 1 Create user object
• 2 Authorize user
• 3 LDAP lookup
• 4 Request image search
• 5 Request actual image
• 6 Audit user retrieval
1. Create User Object (Client)
  FileInputStream f = null;
  byte[] myCert = null;
  String UserID = "hd";
  factoryRef = JedSec.UserFactoryHelper.bind(orb, "UserFactory");
  f = new FileInputStream (UserID + ".der");
  myCert = new byte[f.available()];
  f.read (myCert);
  userRef = factoryRef.createDERUser(UserID, myCert,
      java.net.InetAddress.getLocalHost().getHostAddress());
  if (userRef.authorized()) {
    System.out.println ("Welcome");
  } else {
    System.out.println ("Unauthorized Access!");
    System.exit(0);
  }
1. Create User Object (Server)
  // ctor
  public UserImpl(String uid, byte[] cert, String ip) {
    _uid = uid;
    _cert = null;
    _DERcert = cert;
    _ip = ip;
    _myLDAPHost = "gc.sei.cmu.edu";
    _myLDAPPort = 1389;
    _myLDAPBase = "ou=Huntsville,o=JEDMICS,c=US";
    _myX509cert = X509Certificate.getInstance(_DERcert);
  }
UID and other information should be extracted from certificate
2. User Authorization
Enforce authorization policy
• below, authorized operation verifies the certificate has not expired (or is post-dated)
  // if we did not find a certificate, don't let them in
  if (theCert == null) {
    returnCode = false;
  } else {
    Date startDate = theCert.getNotBefore();
    Date endDate = theCert.getNotAfter();
    Date rightNow = new Date();
    if (rightNow.before(startDate)) { returnCode = false; }
    if (rightNow.after(endDate)) { returnCode = false; }
  }
3. LDAP Lookup
Authorization function looks up certificate in LDAP directory for comparison with presented certificate
  if (attrName.indexOf("usercertificate;binary") >= 0) {
    Enumeration enumVals = anAttr.getByteValues();
    while ( enumVals.hasMoreElements() ) {
      byte[] aVal = ( byte[] ) enumVals.nextElement();
      // Get certificate attribute and compare with
      // certificate presented by user
      X509Certificate theCert = null;
      theCert = X509Certificate.getInstance(aVal);
      if (_myX509cert != null) {
        if (! _myX509cert.equals(theCert) ) {
          returnCode = false;
        } // end if certificate does not match
      } // end if certificate retrieved from LDAP
    } // end while
  } // end if user certificate
Remaining Steps
Figure: Java solution overview diagram with steps 4 (Request image search), 5 (Request actual image) and 6 (Audit user retrieval) highlighted; the JEDMICS Client (Java 1.2), LDAP://gc:1389 and the TCB services (JedSec:: UserFactory.createUser, User.authorized, User.logImageRetrieval; BRIsec:: getImageList; SMsec:: getImage).
Advantages - Java Solution
Can be used with Java applets and applications.
Authentication policy can be specified.
Disadvantages - Java Solution
It is not possible to obtain the client identity (certificate) through the browser, since a standard API does not exist.
• certificates are either hard coded or read from the file system
Authentication policy must be developed.
Summary
Identification and authorization using client certificates is feasible
Server-Side JavaScript solution fully implemented
“100% Pure” Java solution largely implemented
• requires encryption using JSAFE libraries
Future Work
Complete “100% Pure” Java solution.
Incorporate JSAFE for image encryption and authentication.
Use of Visigenics' SSL implementation with Netscape Certificates.
Interoperability between Orbix and Visigenics.
VisiBroker and Orbix to communicate using any SSL implementation.
Evaluate GateKeeper and Wonderwall.
Investigate passing Gigabyte size files over IIOP.
SSL Disadvantages
Requires native library to be installed on each client machine.
• must be ported to all client platforms
• requires a separate installer.
It is not possible to obtain the client identity (certificate) through the browser, since a standard API does not exist. Thus, certificates are either hard coded in the implementation, or they are read dynamically from the file system.
Navigating through a client-side firewall is not possible since connections are not routed through a client-side proxy as they are in a browser.
Java 1.2 Certificate API
The Certificate API java.security.cert includes the following:
• the Certificate class is an abstract class for managing a variety of certificates
• the X509Certificate class provides a standard way to access all the attributes of an X.509 certificate
• the X509Extension interface is an interface for an X.509
• the X509CRL class is an abstract class for an X.509 Certificate Revocation List (CRL)
• the RevokedCertificate class is an abstract class for a revoked certificate in a CRL