
Enterprise Level Security
Securing Information Systems in an Uncertain World

Dr. William R. Simpson
Award-winning cybersecurity architect for high assurance information technology systems
Institute for Defense Analyses, Alexandria, Virginia, USA

Enterprise Level Security: Securing Information Systems in an Uncertain World https://www.crcpress.com/9781498764452

for IT Business Edge


Cover design by Rebecca Simpson Steele.

Cover art: Padlock dissolving, copyright John Lund; 6/11/2012 by license.

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2016 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper
Version Date: 20160217

International Standard Book Number-13: 978-1-4987-6445-2 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data

Names: Simpson, William Randolph, 1946- author.
Title: Enterprise level security : securing information systems in an uncertain world / author, William R. Simpson.
Description: Boca Raton : Taylor & Francis, 2016. | Includes bibliographical references and index.
Identifiers: LCCN 2015041818 | ISBN 9781498764452 (alk. paper)
Subjects: LCSH: Computer networks--Security measures. | Industries--Security measures.
Classification: LCC TK5105.59 .S563 2016 | DDC 005.8--dc23
LC record available at http://lccn.loc.gov/2015041818

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com

and the CRC Press Web site at http://www.crcpress.com


Contents

List of Figures .... xix
List of Tables .... xxiii
Foreword .... xxv
Preface .... xxvii
Acknowledgments .... xxix
Author .... xxxi

1 Introduction .... 1
  1.1 Problem Description .... 1
    1.1.1 Success beyond Anticipation .... 1
    1.1.2 But, It Started Long before That … .... 1
      1.1.2.1 A Brief History of the Development of the WWW .... 1
    1.1.3 Fast-Forward to Today .... 2
  1.2 What Is Enterprise Level Security? .... 4
  1.3 Distributed versus Centralized Security .... 4
    1.3.1 Case Study: Boat Design .... 4
    1.3.2 Case Study: Enterprise Information Technology Environment .... 5
    1.3.3 Security Aspects .... 5
      1.3.3.1 Confidentiality .... 6
      1.3.3.2 Integrity .... 6
      1.3.3.3 Availability .... 6
      1.3.3.4 Authenticity .... 6
      1.3.3.5 Nonrepudiation .... 6
  1.4 Crafting a Security Model .... 6
    1.4.1 The Assumptions .... 7
    1.4.2 Tenets: Digging beneath the Security Aspects .... 7
  1.5 Entities and Claims .... 11
    1.5.1 Credentialing .... 11
  1.6 Robust Assured Information Sharing .... 12
    1.6.1 Security Requirements .... 12
    1.6.2 Security Mechanisms .... 12


    1.6.3 Goals and Assumptions of IA Architecture .... 13
    1.6.4 Assumptions .... 15
    1.6.5 A Framework for Entities in Distributed Systems .... 17
  1.7 Key Concepts .... 19
    1.7.1 ELS-Specific Concepts .... 20
    1.7.2 Mapping between Tenets and Key Concepts .... 20
    1.7.3 Enterprise-Level Derived Requirements .... 20
    1.7.4 Mapping between Key Concepts and Derived Requirements .... 22
  1.8 Two Steps Forward and One Step Back .... 23
  1.9 The Approximate Time-Based Crafting .... 23
  1.10 Summary .... 28

SECTION I  BASICS AND PHILOSOPHY

2 Identity .... 31
  2.1 Who Are You? .... 31
  2.2 Naming .... 32
  2.3 Identity and Naming: Case Study .... 33
  2.4 Implications for Information Security .... 34
  2.5 Personas .... 35
  2.6 Identity Summary .... 35

3 Attributes .... 37
  3.1 Facts and Descriptors .... 37
  3.2 An Attribute Ecosystem .... 38
  3.3 Data Sanitization .... 40
    3.3.1 Guarded and Filtered Inputs .... 40
    3.3.2 Guard Administrator Web Interface .... 41
    3.3.3 Integrity in Attribute Stores .... 41
    3.3.4 Secure Data Acquisition .... 41
    3.3.5 Integrity at the Source .... 41
  3.4 Temporal Data .... 42
  3.5 Credential Data .... 42
  3.6 Distributed Stores .... 44

4 Access and Privilege .... 45
  4.1 Access Control .... 45
  4.2 Authorization and Access in General .... 46
  4.3 Access Control List .... 48
    4.3.1 Group Requirements .... 48
    4.3.2 Role Requirements .... 48
    4.3.3 ACRs and ACLs .... 48


    4.3.4 Discretionary Access Control and Mandatory Access Control .... 49
  4.4 Complex Access Control Schemas .... 51
  4.5 Privilege .... 52
  4.6 Concept of Least Privilege .... 52
    4.6.1 Least Privilege Case Study .... 53

5 Cryptography .... 55
  5.1 Introduction .... 55
  5.2 Cryptographic Keys and Key Management .... 56
    5.2.1 Asymmetric Key Pairs .... 56
      5.2.1.1 RSA Key Generation .... 56
  5.3 Symmetric Keys .... 57
    5.3.1 TLS Mutual Authentication Key Production .... 57
    5.3.2 Other Key Production .... 59
  5.4 Store Keys .... 59
  5.5 Delete Keys .... 60
  5.6 Encryption .... 60
  5.7 Symmetric versus Asymmetric Encryption Algorithms .... 60
    5.7.1 Asymmetric Encryption .... 60
    5.7.2 RSA Asymmetric Encryption .... 61
    5.7.3 Combination of Symmetric and Asymmetric Encryption .... 61
    5.7.4 Symmetric Encryption .... 61
      5.7.4.1 Stream Ciphers .... 61
      5.7.4.2 Block Ciphers .... 62
    5.7.5 AES/Rijndael Encryption .... 62
      5.7.5.1 Description of the AES Cipher .... 62
    5.7.6 Data Encryption Standard .... 62
      5.7.6.1 Triple DES .... 63
      5.7.6.2 Description of the Triple DES Cipher .... 63
  5.8 Decryption .... 63
    5.8.1 Asymmetric Decryption .... 64
    5.8.2 Symmetric Decryption .... 64
  5.9 Hash Function .... 64
    5.9.1 Hash Function Algorithms .... 65
    5.9.2 Hashing with Cryptographic Hash Function .... 65
      5.9.2.1 MD-5 .... 65
      5.9.2.2 SHA-3-Defined SHA-512 .... 66
  5.10 Signatures .... 66
    5.10.1 XML Signature .... 67
    5.10.2 S/MIME Signature .... 67
    5.10.3 E-Content Signature .... 67


  5.11 A Note on Cryptographic Key Lengths .... 68
    5.11.1 Encryption Key Discovery .... 68
    5.11.2 The High-Performance Dilemma .... 69
    5.11.3 Parallel Decomposition of Key Discovery .... 70
  5.12 Internet Protocol Security .... 70
  5.13 Other Cryptographic Services .... 72
  5.14 The Java Cryptography Extension .... 72
  5.15 Data at Rest .... 72
  5.16 Data in Motion .... 73

6 The Cloud .... 75
  6.1 The Promise of Cloud Computing .... 75
  6.2 Benefits of the Cloud .... 76
  6.3 Drawbacks of Cloud Usage .... 77
    6.3.1 Differences from Traditional Data Centers .... 77
    6.3.2 Some Changes in the Threat Scenario .... 78
  6.4 Challenges for the Cloud and High Assurance .... 78
  6.5 Cloud Accountability, Monitoring, and Forensics .... 82
    6.5.1 Accountability .... 82
    6.5.2 Monitoring .... 83
    6.5.3 Knowledge Repository .... 83
    6.5.4 Forensic Tools .... 84
  6.6 Standard Requirements for Cloud Forensics .... 84

7 The Network .... 87
  7.1 The Network Entities .... 87
    7.1.1 Most Passive Elements .... 88
    7.1.2 Issues of the Most Passive Devices .... 90
    7.1.3 The Convenience Functions .... 90
    7.1.4 Issues for the Convenience Functions .... 91
    7.1.5 Content Analyzers .... 91
    7.1.6 Issues for Content Analyzers .... 92

SECTION II  TECHNICAL DETAILS

8 Claims-Based Authentication .... 95
  8.1 Authentication and Identity .... 95
  8.2 Credentials in the Enterprise .... 96
  8.3 Authentication in the Enterprise .... 96
    8.3.1 Certificate Credentials .... 97
    8.3.2 Registration .... 97
    8.3.3 Authentication .... 98


  8.4 Infrastructure Security Component Interactions .... 99
    8.4.1 Interactions Triggered by a User Request for Service .... 101
    8.4.2 Interaction Triggered by a Service Request .... 101
  8.5 Compliance Testing .... 101
  8.6 Federated Authentication .... 102
    8.6.1 Naming and Identity .... 103
    8.6.2 Translation of Claims or Identities .... 103
    8.6.3 Data Requirements .... 103
    8.6.4 Other Issues .... 104

9 Credentials for Access Claims .... 105
  9.1 Security Assertion Markup Language .... 105
  9.2 Access Control Implemented in the Web Service .... 106
  9.3 Establishing Least Privilege .... 108
  9.4 Default Values .... 108
  9.5 Creating an SAML Token .... 108
  9.6 Scaling of the STS for High Assurance Architectures .... 110
  9.7 Rules for Maintaining High Assurance during Scale-Up .... 113

10 Claims Creation .... 117
  10.1 Access Control Requirements at the Services .... 117
    10.1.1 Discretionary Access Control List .... 117
    10.1.2 Mandatory Access Control .... 117
    10.1.3 Access Control Logic .... 117
  10.2 Access Control Requirement .... 118
  10.3 Enterprise Service Registry .... 122
  10.4 Claims Engine .... 123
  10.5 Computed Claims Record .... 124

11 Invoking an Application .... 129
  11.1 Active Entities .... 129
  11.2 Claims-Based Access Control .... 130
    11.2.1 Authorization in the Enterprise Context .... 130
  11.3 Establishing Least Privilege .... 131
  11.4 Authorizing the User to the Web Application .... 131
  11.5 Authorizing a Web Service to a Web Service .... 135
  11.6 Interaction between Security Components .... 136
    11.6.1 Access from within the Enterprise .... 136
    11.6.2 Disconnected, Intermittent, or Limited Environments .... 137
      11.6.2.1 Prioritization of Communications .... 139
      11.6.2.2 Reduction of the Need for Capacity .... 140
      11.6.2.3 Asset Requirements .... 140


12 Cascading Authorization .... 143
  12.1 Basic Use Case .... 144
  12.2 Standard Communication .... 144
  12.3 Pruning Attributes, Groups, and Roles .... 144
  12.4 Required Escalation of Privilege .... 145
  12.5 Data Requirements for the Pruning of Elements .... 146
  12.6 Saving of the SAML Assertion .... 147
  12.7 SAML Token Modifications for Further Calls .... 147
  12.8 An Annotated Notional Example .... 148
  12.9 Additional Requirements .... 153
  12.10 Service Use Case Summary .... 153

13 Federation .... 157
  13.1 Federation .... 157
  13.2 Elements of Federated Communication .... 158
    13.2.1 Naming and Identity .... 158
    13.2.2 Credentials .... 158
    13.2.3 PKI—X.509 Certificates .... 158
    13.2.4 Certificate Services .... 158
    13.2.5 Bilateral Authentication .... 158
    13.2.6 Authorization Using SAML Packages .... 159
    13.2.7 Registration of the STS .... 159
    13.2.8 Recognizing STS Signatures .... 159
    13.2.9 Translation of Properties, Roles, and Groups .... 159
    13.2.10 Other Issues .... 159
  13.3 Example Federation Agreement .... 159
  13.4 Access from Outside the Enterprise .... 163
  13.5 Trusted STS Store .... 164
  13.6 Trusted STS Governance .... 167

14 Content Access Control .... 169
  14.1 Authoritative and Nonauthoritative Content .... 170
  14.2 Content Delivery Digital Rights Management .... 170
  14.3 Mandatory Access Control .... 172
  14.4 Access Control Content Management System .... 172
  14.5 Enforcing Access Control .... 173
  14.6 Labeling of Content and Information Assets .... 174
  14.7 Conveying Restrictions to the Requester .... 174
  14.8 Enforcing/Obtaining Acknowledgment of Restrictions .... 175
  14.9 Metadata .... 175
  14.10 Content Management Function .... 175
  14.11 Components of a Stored Information Asset .... 177
    14.11.1 Information Asset, Section A: ACL, MAC, and Data .... 177


    14.11.2 Information Asset, Section B: Information Asset as Labeled .... 177
    14.11.3 Information Asset, Section C: Information Asset Signature(s) .... 178
    14.11.4 Information Asset, Section D: MDE Metacard .... 178
  14.12 Additional Elements for Stored Information Assets .... 178
    14.12.1 Key Words .... 178
    14.12.2 Storage Location(s) of Key Word Metadata .... 178
    14.12.3 Reference Identity and Information Asset Description .... 179
    14.12.4 Information Asset Name .... 179
    14.12.5 Information Asset Description .... 179
  14.13 Key Management Simplification .... 180
    14.13.1 Information Asset .... 181
  14.14 Import or Export of Information Assets .... 182

15 Delegation .... 183
  15.1 Delegation Service .... 183
  15.2 Service Description for Delegation .... 185
  15.3 Form of Extended Claims Record .... 185
  15.4 Special Delegation Service .... 188

16 The Enterprise Attribute Ecosystem .... 191
  16.1 User and Data Owner Convenience Functions .... 192
    16.1.1 Self-Registration (Partial) .... 194
    16.1.2 User Attribute Service .... 194
    16.1.3 Service Discovery .... 194
    16.1.4 User Claim Query Service .... 195
    16.1.5 Direct Service/Application Invocation .... 195
    16.1.6 Trusted Delegation Service .... 197
    16.1.7 Special Delegation Service .... 197
  16.2 Attribute Ecosystems Use Cases .... 197
    16.2.1 Process Flows Related to Security for Each Service .... 197
    16.2.2 Updating Claims .... 199
    16.2.3 Adding a New Identity .... 199
    16.2.4 Adding a Service .... 199
    16.2.5 Accessing Services .... 200
    16.2.6 Providing Delegation .... 200
    16.2.7 Providing Special Delegation .... 201
  16.3 Attribute Ecosystem Services .... 201
    16.3.1 Authoritative Content Import Service(s) .... 202
    16.3.2 Manage Import and Aggregation Web Application .... 202
    16.3.3 Manual Entry Web Application for Attributes .... 202
    16.3.4 AE Import Service .... 202


    16.3.5 Enterprise Service Registry Web Application .... 203
    16.3.6 Manage Claims Engine Web Application .... 203
    16.3.7 Claims Engine .... 203
    16.3.8 Manage Claims Web Application .... 203
    16.3.9 Manage Delegation Web Application and Service .... 204
    16.3.10 Claims Exposure and Editor Web Service .... 204
    16.3.11 Provide Claims Web Service .... 204
    16.3.12 Delegation Web Application and Web Service .... 204
    16.3.13 Manage Groups and Roles Web App .... 204
    16.3.14 Autoregistration Web App .... 205
    16.3.15 Write Attribute List .... 205
    16.3.16 User Query Attributes .... 205
    16.3.17 User Query Claims .... 205
    16.3.18 Special Delegation Web Application and Web Service .... 206

17 Database Access .... 207
  17.1 Database Models .... 207
  17.2 Database Interfaces and Protocols .... 211
    17.2.1 SQL Databases .... 212
    17.2.2 XML Databases .... 212
    17.2.3 Large-Scale Databases .... 213
    17.2.4 Geospatial Databases .... 213
  17.3 Overall Database Considerations .... 214
  17.4 Enterprise Resource Planning Business Software .... 216
  17.5 ERP as a Legacy System .... 217
    17.5.1 ERP Attribute System Synchronization .... 217
    17.5.2 ERP Border System .... 219
  17.6 Hardening of ERP Database Systems .... 220
    17.6.1 Hardening Stage One: Encryption of Data at Rest .... 221
    17.6.2 Hardening Stage Two: Encryption of Data in Transit .... 221
    17.6.3 Hardening Stage Three: Claims Identity, Access, and Privilege .... 223
    17.6.4 Hardening Stage Four: Least Privilege for Application .... 223
      17.6.4.1 Financial Roles .... 224
      17.6.4.2 Application-Driven Database Operations .... 225
      17.6.4.3 Application-Driven Annotated Example .... 229
      17.6.4.4 Data-Driven Database Operations .... 230
      17.6.4.5 Data-Driven Annotated Example .... 233
    17.6.5 Hardening Stage Five: Homomorphic Encryption .... 240

18 Building Enterprise Software .... 241
  18.1 Services Types .... 241
  18.2 Functionality of All Services .... 242

Enterprise Level Security: Securing Information Systems in an Uncertain World https://www.crcpress.com/9781498764452

for IT Business Edge

Page 11: Enterprise Level SECURITY - IT Today · Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Dr. William R. Simpson Award-winning cybersecurity architect for

Contents ◾ xv

18.2.1 Evaluating Inputs .............................................................24218.2.1.1 Extensible Markup Language ............................242

18.2.2 Credentials .......................................................................24518.2.3 PKI Required: X.509 Certificates .....................................24518.2.4 PKI Bilateral Authentication ............................................24518.2.5 Authorization Using Authorization Handlers ...................24518.2.6 Agents in the Enterprise .................................................. 246

18.2.6.1 Self-Help Agents ............................................... 24618.2.6.2 Embedded Agents .............................................24718.2.6.3 Monitor Sweep Agents ......................................24718.2.6.4 Import Agents ...................................................24718.2.6.5 Self-Protection Agents .......................................247

18.2.7 Data Keeping and Correlation .........................................24718.3 Service Model ................................................................................24818.4 Enterprise Services Checklist .........................................................24918.5 Enterprise Service Registry ............................................................25218.6 Service Discovery: Manual and Automated ...................................25218.7 Additional Considerations .............................................................254

18.7.1 Agents in the Enterprise Environment .............................25418.7.2 Code Elements of a Service ..............................................25518.7.3 Anatomy of a Service ........................................................255

18.7.3.1 Commercial Off-the-Shelf and Legacy Software ..25518.7.3.2 Load Balancing Applications .............................25518.7.3.3 Web Service Monitor Activities .........................256

18.8 Orchestration ................................................................................25718.9 ELS Interface .................................................................................25718.10 Access Control List ........................................................................258

19 Vulnerability Analyses........................................................................25919.1 Vulnerability Causes ......................................................................25919.2 Related Work .................................................................................261

19.2.1 Static Code Analysis .........................................................26119.2.2 Dynamic Code Analysis ...................................................26119.2.3 Penetration Testing ..........................................................26219.2.4 Code Analysis and Penetration Testing Summary ............262

19.3 Vulnerability Analysis ....................................................................26219.3.1 Vulnerability Analysis Objective ..................................... 26419.3.2 Vulnerability Analysis Information ..................................26519.3.3 Obtaining Vulnerabilities ................................................ 26619.3.4 Deriving Penetration Tests .............................................. 26619.3.5 Continuous Updating ......................................................26719.3.6 Review and Approve.........................................................267

Enterprise Level Security: Securing Information Systems in an Uncertain World https://www.crcpress.com/9781498764452

for IT Business Edge

Page 12: Enterprise Level SECURITY - IT Today · Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Dr. William R. Simpson Award-winning cybersecurity architect for

xvi ◾ Contents

19.4 Flaw Remediation ..........................................................................26719.4.1 Flaw Remediation Objectives .......................................... 26819.4.2 Flaw Remediation Information ....................................... 26819.4.3 A Flaw Remediation Process ........................................... 26819.4.4 Flaw Remediation Quality System ...................................27119.4.5 Flaw Remediation Reporting ...........................................27219.4.6 Review and Approve.........................................................272

19.5 Summary .......................................................................................273

20 An Enterprise Support Desk ...............................................................27520.1 Monitoring ....................................................................................27520.2 Data Repository System .................................................................27620.3 Information for Service Monitoring ..............................................27720.4 Centralized Repository ..................................................................27820.5 Services by Type ............................................................................27820.6 Data Keeping Requirements ..........................................................27920.7 Naming Schema ........................................................................... 28020.8 Monitor Activities ......................................................................... 280

20.8.1 Data Generation ...............................................................28120.8.2 Log 4j Specification ..........................................................28720.8.3 Alerts and Automatic Response ........................................28820.8.4 SMTP Format for Alerts ..................................................28820.8.5 Requirements for Java and Service Exception Errors ........28820.8.6 Record Storage .................................................................292

20.9 Help Desk Breakdown ...................................................................29320.10 Customer Support and Help Desk .................................................29320.11 Levels of Service ............................................................................294

20.11.1 Level 0: Client Self-Help ..................................................29420.11.2 Level 1: Basic Information ................................................29420.11.3 Level 2: Interactive Support .............................................29520.11.4 Level 3: Security, Serious Bugs, and Vendor Support .......297

20.12 Using the Knowledge Repository .................................................. 30020.12.1 Information for Help Desk Operations ........................... 300

20.13 ESD Summary ..............................................................................302

21 Network Defense ................................................................................30321.1 Expected Behavior .........................................................................30321.2 Introduction ................................................................................. 30421.3 Current Protection Approaches .................................................... 304

21.3.1 Current: Unencrypted Traffic .......................................... 30621.3.2 Current: Encrypted Traffic .............................................. 306

21.4 An Alternative to Private Key Passing ............................................310

Enterprise Level Security: Securing Information Systems in an Uncertain World https://www.crcpress.com/9781498764452

for IT Business Edge

Page 13: Enterprise Level SECURITY - IT Today · Enterprise Level SECURITY SECURING INFORMATION SYSTEMS IN AN UNCERTAIN WORLD Dr. William R. Simpson Award-winning cybersecurity architect for

Contents ◾ xvii

21.5 A Distributed Protection System....................................................31221.5.1 Appliance Functionality In-Line ......................................31221.5.2 Appliance Functionality as a Service ................................312

21.6 Next Steps for Appliances ..............................................................31621.6.1 Real Demilitarized Zone ..................................................31621.6.2 Security Issue ...................................................................31621.6.3 Taking Advantage of Software-Only Functionality .......... 31921.6.4 Protecting the Server ........................................................ 31921.6.5 Handlers in the Server ......................................................322

21.7 Appliances That Change Content ..................................................32221.7.1 Wide Area Network Acceleration .....................................32421.7.2 An Introduction to WAN Acceleration ............................32421.7.3 Current WAN Accelerator Approaches .............................32521.7.4 An Alternative to Private Key Passing ..............................32921.7.5 Integrity in a TLS Session ................................................32921.7.6 Flows in a High Integrity System .....................................33021.7.7 Summary of WAN Acceleration .......................................331

21.8 Appliances: A Work in Progress .....................................................334

22 Concluding Remarks ..........................................................................33522.1 Where We Have Been and Where We Are Going..........................33522.2 Understanding the Approach .........................................................33622.3 About Those Takeaways .................................................................336

Appendix .....................................................................................................339

Bibliography ................................................................................................365

Index ...........................................................................................................379


Chapter 8

Claims-Based Authentication

Authentication is the process of establishing identities. All entities have identities, and when they communicate in IT systems, each party must establish the identity of its communicating partner. Because identities can be misrepresented and spoofed, they must be validated and verified. The processes described here have been in use for some time, and PKI is an established part of them. What is new is the requirement for bilateral strong authentication and for unbroken end-to-end encrypted communication. Because the basic authentication processes were already established, the tailoring was published later (2013) [52].

8.1 Authentication and Identity

Authentication is responsible for establishing the identity of an entity. It is achieved by receiving, validating, and verifying identity credentials. Identity credentials are issued to named entities in the enterprise, and each name must be unique in space and time: any ambiguity in identity leads to a problem in accountability. To ensure this uniqueness, the certificate authority (CA) checks its registry for other instances of the name before issuing, and once a certificate is issued the name is added to that registry so that it is never used again. For certificates, validation is achieved by having the requester sign a message (encrypt it, or a digest of it, with its private key) and transmit it to the provider; the provider validates that the message came from the requester by checking it with the public key in the requester's certificate. This proves that the requester holds the private key that corresponds to the certificate. Verification is achieved by verifying the trusted agent (the CA) that issued the certificate, which includes confirming that the certificate is current and has not been revoked. This authentication is two-way: the requester authenticates the provider and the provider authenticates the requester. In certain cases, additional claims may be examined (multifactor authentication), including biometric measures.

8.2 Credentials in the Enterprise

A credential is a claim (in this case, of identity) that can be verified as accurate and current. Credentials must be provided for all active entities established in the enterprise in order to perform authentication, and prior registration as an active entity with a confirmable entity name is required. The forms of credentials in use include certificates, Kerberos tickets, and hardware tokens. Users are issued hardware tokens (smart cards) that hold CA-issued certificates, with the private keys generated and stored in hardware on the card. Machines and services are issued software certificates that contain the public key, with the private key generated in, and remaining in, a hardware storage module. Figure 8.1 shows the bilateral exchange of PKI certificates, which allows every active entity to identify its partner in a communication.

8.3 Authentication in the Enterprise

Authentication is responsible for establishing the identity of an entity and is achieved by receiving, validating, and verifying the identity credentials. For certificates, validation is achieved by having the requester sign a message with its private key and transmit it to the provider; the provider checks the signature with the requester's public key, which ensures that the requester is the holder of the private key. Verification is achieved by verifying the trusted agent that issued the certificate. This authentication is two-way: the requester authenticates the provider and the provider authenticates the requester. In certain cases, additional claims may be examined (multifactor authentication), including biometric measures.

Figure 8.1 Claims for authentication using PKI. [Figure: active entity A (requester) and active entity B (provider), each holding PKI credentials, with claims-based bilateral authentication required between them. An active entity may be a user, web application, web service, aggregation service, exposure service, token server, or any element that can be a requester or provider.]

8.3.1 Certificate Credentials

The required credential for enterprise personnel is an enterprise-issued X.509 version 3, RSA-based certificate. X.509 certificates bind an entity name to a public key in the PKI and hold additional attributes (such as organizational unit data and other data encoded in the identity). The certificates are used by authentication and authorization services, digital signing, and other cryptographic functions. Enterprise certificate credentials for users must be obtained through designated trusted CAs; the CA provides the enterprise PKI credentials for users, devices, and services. Certificate credentials contain only nonsecret (publicly available) information; it is the private key that must be protected. A hardware token that holds the certificate and its private key is preferred to a software-only certificate. For enterprise users, the credential store is an enterprise-issued card with a highly secure, tamper-resistant hardware store that is FIPS 140-2 Level 2 validated for cryptographic tokens [2h].

Software certificates (used in addition to hardware tokens) are in the PKCS#12 [20] format and must be installed in certificate storage associated with the entity that owns the certificate or with its host device (which must itself be credentialed). A user may have a software certificate issued by a designated CA installed in certificate storage on the user's host device. For devices and services established in the enterprise, a software certificate is acquired from a designated CA and installed in certificate storage on the device itself and on the host device. For hardware elements outside the enterprise, PKCS#12 files may be kept as offline backups, but in general they should not be stored on the hardware device attached to the network, because a PKCS#12 file carries the private key along with the certificate. The certificate credential for an entity must carry the enterprise-unique and persistent identifier in the certificate subject field (for users, this is the extended common name; for devices and services, it is the universally unique identifier [UUID]) in accordance with the enterprise naming standard (an example is provided in Reference 53).

8.3.2 Registration

The registration function is a service that creates and maintains the information about the identities of entities in the enterprise. There are three main issues to consider:

◾ Kerberos tickets: Kerberos is a network authentication protocol originally developed by the Massachusetts Institute of Technology and now documented in several Internet Engineering Task Force (IETF) Internet Drafts and RFCs [4k]. Kerberos tickets are used with enterprise Active Directory (AD) forests.

◾ Authentication and attribute assertion tokens: Once authentication is established, the attributes of the identity are used to produce authorization claims. The primary method for expressing authorization claims in the enterprise uses derived credentials based on attribute assertion tokens at the message layer. These tokens contain security assertions and are obtained from an STS. They are based on the SAML (current version) standard [1a–i]. Although the standard allows authentication elements in a SAML token, they are not used in this formulation; SAML is used only for authorization. The binding to authentication is achieved by matching the distinguished name carried in the SAML token against the distinguished name of the certificate that was authenticated at the TLS layer, commonly called a holder-of-key (HOK) check. A token whose subject does not match the authenticated peer is rejected, which is what prevents a captured token from being presented by some other entity.

◾ Interoperability of credentials: Public key cryptography depends on the ability to validate certificates against a trusted source. The use of PKI is discussed in Reference 54. External information sharing includes authen-tication based upon a federation agreement that specifies approved primary and derived credentials. The credentials will be configured for such federations.
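The holder-of-key check described above, as an added example that is not part of the book: the function takes a SAML 2.0 assertion and the subject DN of the client certificate that the TLS handshake already verified, and accepts the token only if its SubjectConfirmation method is holder-of-key, the assertion is inside its validity window, and the NameID (and any ds:X509SubjectName in the key info) matches the TLS-authenticated DN. The assertion, names, DNs and times are constructed for the example; the enveloped XML signature that a real STS would add is omitted and must be verified before this check is relied on; DN normalization assumes no escaped commas inside attribute values.

```python
"""Holder-of-key (HOK) check: bind the SAML subject to the identity that the
TLS layer already authenticated with a client certificate (mutual TLS)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed sample (hypothetical DNs and times; the XML signature a real STS
# would add is omitted here and must be verified before this check runs).
SAMPLE_PEER_DN = "CN=DOE.JANE.A.1234567890,OU=People,O=Example Enterprise,C=US"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0"
    IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>CN=sts.example.internal,OU=Services,O=Example Enterprise,C=US</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">cn=DOE.JANE.A.1234567890, ou=People, o=Example Enterprise, c=US</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509SubjectName>CN=DOE.JANE.A.1234567890,OU=People,O=Example Enterprise,C=US</ds:X509SubjectName>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2025-01-01T12:00:00Z" NotOnOrAfter="2025-01-01T12:10:00Z"/>
</saml:Assertion>"""


def normalize_dn(dn):
    """Canonical form for DN comparison: attribute types upper-cased, whitespace
    around '=' and ',' removed. Assumes no escaped commas inside values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().upper()}={value.strip()}")
    return ",".join(parts)


def parse_utc(stamp):
    """SAML dateTime in the 'YYYY-MM-DDTHH:MM:SSZ' form to an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hok_check(assertion_xml, tls_peer_dn, now):
    """Return (accepted, reason).

    tls_peer_dn is the subject DN of the client certificate that the TLS
    handshake verified; now is an aware datetime or a 'YYYY-MM-DDTHH:MM:SSZ'
    string (passed explicitly so the check is reproducible).
    """
    if isinstance(now, str):
        now = parse_utc(now)
    root = ET.fromstring(assertion_xml)

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_utc(not_before):
            return False, "assertion-not-yet-valid"
        if not_on_or_after and now >= parse_utc(not_on_or_after):
            return False, "assertion-expired"

    # Only a holder-of-key confirmation binds the token to a key; a bearer
    # token would be usable by anyone who captured it.
    confirmations = root.findall("saml:Subject/saml:SubjectConfirmation", NS)
    if not any(c.get("Method") == HOK_METHOD for c in confirmations):
        return False, "no-holder-of-key-confirmation"

    peer = normalize_dn(tls_peer_dn)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if normalize_dn(name_id) != peer:
        return False, "nameid-mismatch"
    for subject_name in root.iterfind(".//ds:X509SubjectName", NS):
        if normalize_dn(subject_name.text or "") != peer:
            return False, "keyinfo-mismatch"
    return True, "holder-of-key-bound"


if __name__ == "__main__":
    print(hok_check(SAMPLE_ASSERTION, SAMPLE_PEER_DN, "2025-01-01T12:05:00Z"))
```

The DN the check compares against must come from the TLS layer's verified peer certificate, never from the request body; if the application reads it from a header that a front-end proxy sets, the proxy must strip any client-supplied copy of that header first.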

8.3.3 Authentication

The enterprise supports two general methods for authentication: Kerberos-based and direct PKI. Authentication relies on certificates.

◾ Devices and services authentication (PKI): Devices and services are configured to authenticate themselves to the identity provider of the enterprise using bilateral TLS [4m]. The authentication relies on enterprise-issued PKI certificates.

◾ User initial authentication to the domain: The user authenticates with the PKI-enabled logon program, which reads the hardware token and prompts for the passcode associated with it; the passcode establishes the user's ownership of the token and unlocks the private key held on the card. An underlying program then completes the authentication by PKI, using the certificate stored on the card, through the PKINIT extension to Kerberos. For enterprise operations, users authenticate to the identity manager with the enterprise hardware token; the hardware token credential is used only by human users, and either soft certificates or certificates stored in hardware storage modules are used for other entities. The user authenticates to the domain controller using a smart card logon program such as the common access card (CAC) or another approved active card, presenting the hardware token and a user-supplied passcode. Multifactor authentication is not currently implemented, but it may be applied at this point; biometric measures would increase the strength of authentication. External users (users communicating from outside the enterprise) are then provided a virtual private network (VPN) tunnel and treated as if they were within the domain. Kerberos supports both password-based user authentication and PKI-based principal authentication (with the PKINIT extension); the enterprise uses only PKI-based principal authentication. Successful completion of the logon procedure signifies successful authentication of the user to the domain controller (the session times out after a preconfigured period; more details are provided in Reference 55).

◾ User authentication to services using PKI: It is assumed at this point that the user has successfully authenticated to the identity manager using PKI. If the user wishes to access any other web service through the web browser, he or she does so using hypertext transfer protocol secure (HTTPS). All entity TLS stacks are configured for TLS mutual authentication. This additionally provides transport-layer confidentiality and integrity (through message authentication) for the subsequent message-layer traffic over HTTPS. TLS-level compression, although the protocol version of the time offered it, should be disabled in practice: it leaks plaintext under chosen-plaintext attacks such as CRIME, and TLS 1.3 removed it. The handshake validates the user's certificate and passes it to the web service being accessed.

◾ Service-to-service authentication: Requesters make requests for capabilities from web services, and in all cases any capability request is preceded by TLS mutual authentication. Services may themselves request capabilities from other web services (service providers). Services include web services, utility services, and others.

8.4 Infrastructure Security Component Interactions

Figure 8.2 shows the basic authentication flows required prior to all interactions. This flow is the basic TLS setup.

Figure 8.2 Authentication flows. [Figure: the TLS handshake between client and server. Client hello (TLS version, timestamp, random bytes, cipher suites) → Server hello (timestamp, random bytes, session ID, cipher suite); server certificate; certificate request (signature types, trusted CAs); server hello done → Client certificate → Change cipher spec; encrypted handshake → Encrypted HTTP request → Encrypted HTTP response.]

When a requester wishes to use another service, four active entities come into play. Details are provided in Figure 8.3. The active entities are:

◾ The requester. For a user, this is the user's web browser, a standard browser that uses the hypertext transfer protocol (HTTP) and HTTPS drivers (including the TLS driver) on the platform. For a service, it is the requester's host platform.
◾ The STS in the requester's domain.
◾ The EAS.
◾ The requested service (application server) in the resource application environment.

Figure 8.3 Web browser request for service message flows. [Figure: the web browser talks to the STS and to the application server, each over its own TLS pipe; the STS reaches the enterprise attribute store (attribute service, master virtual directory store, database, data gathering) over a further TLS pipe.]
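The "certificate request" and "client certificate" steps of Figure 8.2 happen only when the server's TLS configuration demands a client certificate; a server left at its defaults silently authenticates nobody. The following added example, which is not from the book, shows in Python's standard ssl module a permissive server context beside the server and client contexts that the bilateral-authentication requirement calls for. Certificate, key and CA file paths are hypothetical parameters and are optional, so the functions can be exercised without key material; revocation checking (OCSP) is not provided by this module and must be handled as Section 8.5 describes.

```python
"""TLS contexts for the bilateral authentication flow of Figure 8.2, using
Python's standard ssl module. Certificate, key and CA paths are hypothetical
parameters and optional, so the functions run without key material."""
import ssl


def permissive_server_context():
    """A server context left at its defaults: the server never sends the
    'certificate request' of Figure 8.2, so the client is not authenticated."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def mutual_tls_server_context(server_cert=None, server_key=None, ca_file=None):
    """Server side of bilateral authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The client must present a certificate that chains to the trust list;
    # without it the handshake fails instead of proceeding anonymously.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    # Python's SSLContext already sets OP_NO_COMPRESSION; setting it explicitly
    # documents the requirement (CRIME-style leakage; TLS 1.3 dropped compression).
    ctx.options |= ssl.OP_NO_COMPRESSION
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # the enterprise trust list
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    return ctx


def mutual_tls_client_context(client_cert=None, client_key=None, ca_file=None):
    """Client side: PROTOCOL_TLS_CLIENT turns on hostname checking and
    CERT_REQUIRED by default; the client certificate is what makes it bilateral."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def describe(ctx):
    """Plain-value summary of the settings that matter for an audit."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "x509_strict": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }


if __name__ == "__main__":
    for name, ctx in [("permissive server", permissive_server_context()),
                      ("mutual-TLS server", mutual_tls_server_context()),
                      ("mutual-TLS client", mutual_tls_client_context())]:
        print(name, describe(ctx))
```

With the permissive context, a client that presents no certificate still completes the handshake and the server's getpeercert() returns an empty dict; with the hardened context the handshake itself fails, which is the behaviour the compliance tests in Section 8.5 look for.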

8.4.1 Interactions Triggered by a User Request for Service

The user first makes a request to the STS. Included in that request is an identifier of the target service (its URI [4c]) or a token referring to that identifier. The STS generates the SAML credentials and returns them to the browser with instructions to redirect to the service and post the SAML in the request to the application server (see Figure 8.3). If HTTPS messages are used, bilateral authentication and the establishment of TLS encryption using AES-256, as discussed in Chapter 5, take place based on the configuration of the servers and the web browsers.

8.4.2 Interaction Triggered by a Service Request

This is similar to the flow in Figure 8.3, except that instead of a browser requesting a service, another service formulates and makes the request. Note that authentication is separate from authorization, which is performed via a SAML token as discussed in Chapter 9. Authentication credentials are issued to all active entities and are called authentication or PKI certificates.

The web application or service (on application server 1) sends a service request to the web service (on application server 2) as shown in Figure 8.4. The request is carried over a session established by bilateral authentication and TLS encryption using AES-256, as discussed in Chapter 5; the authorization credential, as discussed in Chapter 9, is then presented within it.

8.5 Compliance Testing

Authentication testing verifies that the bilateral PKI-based authentication is working properly in the enterprise. This includes testing TLS on every connection in the security flows. Packet captures are taken on nodes in the flow, and the TLS traffic is checked for certificate exchanges and encryption (with TLS 1.3, the certificate messages are themselves encrypted, so a capture shows that the exchange took place but not the certificate contents unless the test node has the session keys). Further currency checks are made by calling the online certificate status protocol (OCSP) responder, the Internet protocol used to obtain the revocation status of an X.509 digital certificate; the calls and their returns verify that certificate status is being checked correctly. The packet captures are executed for a request to the STS. Authentication testing covers revoked and expired certificates as well as certificates that have been modified or tampered with, and the captures show the OCSP traffic for the revoked certificate.
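The expired-certificate and missing-certificate cases above can also be checked in the application after the handshake, as an added example that is not part of the book: the function below classifies the peer certificate that Python's ssl.SSLSocket.getpeercert() hands back (presence, validity window, issuing CA) and returns the subject common name for the audit record. The certificate dict, names and timestamps are constructed for the example. Tampered certificates are rejected by the TLS stack's signature check before this code runs, and revocation is not covered here; that is what the OCSP calls in the text are for.

```python
"""Post-handshake certificate checks for the compliance tests of Section 8.5,
over the dict shape that Python's ssl.SSLSocket.getpeercert() returns."""
import ssl


def _common_name(rdns):
    """commonName out of a getpeercert()-style sequence of RDN tuples."""
    for rdn in rdns:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def check_peer_certificate(peercert, now, trusted_issuer_cn=None):
    """Classify the peer certificate the TLS stack handed back.

    Returns (status, subject_cn) with status one of 'no-certificate',
    'not-yet-valid', 'expired', 'untrusted-issuer' or 'ok'. now is seconds
    since the epoch (UTC), passed explicitly so the check is reproducible.
    """
    if not peercert:
        # getpeercert() returns {} both when the peer sent no certificate and
        # when verify_mode was CERT_NONE, so an empty dict is a failure either way.
        return "no-certificate", None
    subject_cn = _common_name(peercert.get("subject", ()))
    if now < ssl.cert_time_to_seconds(peercert["notBefore"]):
        return "not-yet-valid", subject_cn
    if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return "expired", subject_cn
    if trusted_issuer_cn is not None and \
            _common_name(peercert.get("issuer", ())) != trusted_issuer_cn:
        return "untrusted-issuer", subject_cn
    return "ok", subject_cn


# Constructed sample in getpeercert() shape (hypothetical names, not a real
# enterprise certificate).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Enterprise"),),
                (("commonName", "svc-claims-engine.example.internal"),)),
    "issuer": ((("countryName", "US"),),
               (("commonName", "Example Enterprise CA"),)),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "serialNumber": "0A1B2C",
}

# Epoch seconds (UTC) for the test points: 2023-11-14, 2025-01-01, 2027-01-15.
NOW_EARLY, NOW_VALID, NOW_LATE = 1700000000, 1735689600, 1800000000


if __name__ == "__main__":
    for label, cert, when in [("no client certificate", {}, NOW_VALID),
                              ("current", SAMPLE_PEERCERT, NOW_VALID),
                              ("not yet valid", SAMPLE_PEERCERT, NOW_EARLY),
                              ("expired", SAMPLE_PEERCERT, NOW_LATE)]:
        print(label, check_peer_certificate(cert, when, "Example Enterprise CA"))
```

In a live test the dict comes from the socket after the handshake (for example sock.getpeercert() on the server side of a mutual-TLS connection) and now from time.time(); the explicit arguments here keep the four cases reproducible.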


8.6 Federated Authentication

Federated communications must meet all of the enterprise requirements, including the following:

◾ Naming of PKI certificates
◾ Certificates issued by a recognized certificate issuer
◾ Validity dates current and the certificate not revoked
◾ TLS mutual authentication
◾ Multifactor authentication as required
◾ SAML tokens from designated authorized STSs that meet all of the above requirements

The federation partner must present a PKI certificate that meets the enterprise requirements described below and is issued by a trusted certificate authority. Trust is signified by including the certificate authority in the trust list. When required, enforcement of multifactor authentication is undertaken at this point. In cases in which a trusted certificate authority cannot be found, the federation partner must be issued an enterprise PKI certificate and be included in the enterprise attribute stores.

Figure 8.4 Web service request for service message flows. [Figure: the web application or service on application server 1 calls the web service on application server 2 over a TLS pipe and reaches the STS over a separate TLS pipe; the STS draws on the enterprise attribute store (attribute service, master virtual directory store, database, data gathering) over a further TLS pipe.]

8.6.1 Naming and Identity

Identity is established by the enterprise or by the requesting agency, as agreed in the federation agreement. In the enterprise, this is primarily through the enterprise naming contained in the enterprise-issued X.509 certificate. These names should be standardized throughout the enterprise and satisfy the property of uniqueness over space and time. For people, this name is the enterprise standardized name, but naming schemes of other certificate authorities are accepted on the basis of federation agreements. The identity used by all federated exchanges is the distinguished name as it appears on the primary credential provided by the certificate authority. If there is a collision, mapping of federation names is required.

Credentials are an integral part of the federation model. Each identity requiring access is credentialed by a trusted credentialing authority. Further, the STS used for generating SAML [1a–i] tokens is also credentialed (as are all active entities in the enterprise). The primary exchange medium for authenticating identities and setting up cryptographic flows is the PKI embodied in an X.509 certificate. The certificate authority must use known and registered (or, in specific cases, defined) certificate revocation and currency-checking software.

8.6.2 Translation of Claims or Identities

Identities are translated as indicated in the federation agreement. For simple federation, where requests cross the enterprise domains, there is no mapping, because the identities are already in the appropriate form. In any event, mappings will be rare if distinguished names are used; they are needed only when anonymity is a requirement or when a collision occurs between the names provided by designated certificate authorities.
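The checks behind the requirements list above, together with the naming rule of Section 8.6.1 and the collision rule of Section 8.6.2, in a Go example added here (it is not code from the book or from any ELS implementation): a presented certificate is accepted only when it chains to a CA on the trust list and every certificate in the chain is within its validity dates; the federated identity is then the subject distinguished name; and a name mapping is consulted only when the same DN arrives from two different trusted issuers. Everything is constructed in memory with Go's standard crypto/x509, so the CA and user names, the "issuer DN|subject DN" mapping key and the mapped name "bob.enterprise" are assumptions for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } } // constructed test code: fail loudly
// mint issues a certificate for cn/org signed by parent (self-signed CA when parent is nil).
// CAs get cert-signing usage; leaves get the clientAuth EKU a TLS mutual-authentication client needs.
func mint(cn, org string, isCA bool, from time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	must(err)
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore: from, NotAfter: from.Add(365 * 24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Verifier holds the enterprise trust list and the name mappings from the federation agreement.
type Verifier struct {
	Trust   *x509.CertPool
	Mapping map[string]string // "issuer DN|subject DN" -> enterprise name (assumed key format)
	seen    map[string]string // subject DN -> issuer DN that first presented it
}

// Identity accepts cert only if it chains to a CA on the trust list and every certificate in the
// chain is within its validity dates at now. The federated identity is then the subject DN;
// Mapping is consulted only when the same DN arrives under two different trusted issuers.
func (v *Verifier) Identity(cert *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: v.Trust, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("rejected: %w", err)
	}
	subj, iss := cert.Subject.String(), cert.Issuer.String()
	if name, ok := v.Mapping[iss+"|"+subj]; ok {
		return name, nil
	}
	if first, ok := v.seen[subj]; ok && first != iss {
		return "", fmt.Errorf("rejected: %s issued by both %s and %s, mapping required", subj, first, iss)
	}
	v.seen[subj] = iss
	return subj, nil
}

// Scenarios builds constructed enterprise, partner and unknown CAs, issues test certificates
// and returns the accepted identity or the rejection reason for each case.
func Scenarios() map[string]string {
	now := time.Now()
	fresh, old := now.Add(-time.Hour), now.Add(-2*365*24*time.Hour)
	ent, entKey := mint("Enterprise CA", "Enterprise", true, fresh, nil, nil)
	ptn, ptnKey := mint("Partner CA", "Partner", true, fresh, nil, nil)
	unk, unkKey := mint("Unknown CA", "Unknown", true, fresh, nil, nil)
	v := &Verifier{Trust: x509.NewCertPool(), Mapping: map[string]string{}, seen: map[string]string{}}
	v.Trust.AddCert(ent)
	v.Trust.AddCert(ptn) // the partner's CA is on the trust list; unk is not
	alice, _ := mint("alice", "Enterprise", false, fresh, ent, entKey)
	bob, _ := mint("bob", "Partner", false, fresh, ptn, ptnKey)
	bob2, _ := mint("bob", "Partner", false, fresh, ent, entKey)           // same DN from another trusted CA
	carol, _ := mint("carol", "Enterprise", false, old, ent, entKey)       // expired a year ago
	mallory, _ := mint("mallory", "Enterprise", false, fresh, unk, unkKey) // enterprise-looking DN, untrusted issuer
	cases := []struct{ name string; cert *x509.Certificate }{
		{"alice", alice}, {"bob", bob}, {"bob-collision", bob2}, {"carol", carol}, {"mallory", mallory}}
	out := map[string]string{}
	for _, c := range cases {
		id, err := v.Identity(c.cert, now)
		if err != nil {
			id = err.Error()
		}
		out[c.name] = id
	}
	v.Mapping[ent.Subject.String()+"|"+bob2.Subject.String()] = "bob.enterprise" // agreed mapping resolves the collision
	out["bob-mapped"], _ = v.Identity(bob2, now)
	return out
}

func main() {
	fmt.Println(Scenarios())
}
```

Run it with go run; each case prints either the accepted distinguished name or the rejection reason (expired, signed by an unknown authority, or a DN collision awaiting a mapping). Two caveats for a real deployment: crypto/x509's Verify performs no revocation lookup, so the "not revoked" requirement needs a separate CRL or OCSP check (the currency-checking software the chapter mentions) before the DN is accepted; and the collision check keys on the issuer DN string, so two trusted CAs that share an issuer DN would additionally have to be distinguished by key identifier or certificate fingerprint.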

8.6.3 Data Requirements

Configuration files are developed and maintained as specified in enterprise requirements.

All configuration files and stored data are appropriately protected using cryptographic services. Even though these files are distributed for proximity to the relevant service, they are centrally maintained by an appropriate service agent mechanism.


8.6.4 Other Issues

All code that is generated is subject to code assurance review/tools, with risks identified and resolved.

WS-Reliable Messaging [1k] or WS-Secure Conversation [1l] is used for communication between active entities. The choice between the two is based on session efficiency.
