![Page 1: Securing the Broker Pattern Patrick Morrison 12/08/2005](https://reader030.vdocuments.us/reader030/viewer/2022032723/56649d145503460f949e80c8/html5/thumbnails/1.jpg)
Securing the Broker Pattern
Patrick Morrison
12/08/2005
Presentation Outline
• Present Broker
• Discuss security issues with Broker
• Survey CORBA as a Broker implementation that addresses security
• Abstract these ideas into Secure Broker
Broker Pattern
• The Broker architectural pattern can be used to structure distributed software systems with decoupled components that interact by remote service invocations. A broker component is responsible for coordinating communication, such as forwarding requests, as well as for transmitting results and exceptions. [POSA1]
• (e.g. WWW, CORBA)
Problem
• Broker decouples communications from application concerns, but does not address security issues; un-addressed, these can compromise an application’s usefulness.
• In addition to Broker’s role in decoupling communications from applications, the Secure Broker must:
– Protect Clients from illegitimate Servers and Brokers
– Protect Servers from illegitimate Clients and Brokers
– Protect Brokers from illegitimate Clients and Servers
Problem in Stick Figures
• Forgery
– Client: I’m Bill Gates, please give me $1M
– Broker: I’m Bank of America, deposit your money here.
– Server: I’m Wells Fargo, I can carry those money bags away for you.
• Betrayal (by Trusted Server)
– Client: Give me my Bank
– Broker: Here’s your Bank
– Bank: (Actually the Bad Guy’s server)
• Denial (of Service)
– Client: I’d like to speak to my Bank.
– Broker: What Bank?
Forces
• The existing Broker pattern does not address security concerns.
• Broker will typically require security
• Security is difficult to ‘get right’
• Implementations of Broker have addressed security concerns – CORBA, WWW
(One Possible) Solution
• Find implementations of Broker that address security concerns
• Evaluate their security attributes
• Factor lessons learned back in to the original pattern.
• Motto: “Prefer discovery to invention.”
Broker in Detail
• Class Diagram
• Sequence Diagrams
• Security issues in the Scenarios/Use Cases
Broker Class Diagram
Server Registration
Client Requests Service
Broker Forwards Request
Implementation Evaluation: CORBA
• CORBA in Broker terms
• Security Architecture
• Lessons Learned
CORBA in Broker Terms
CORBA Security Threats Addressed
• An authorized user of the system gaining access to information that should be hidden from him.
• A user masquerading as someone else, directly or through delegation.
• Security controls being bypassed.
• Eavesdropping on a communication line
• Tampering with communication
• Lack of accountability due, for example, to inadequate identification of users.
• Source: Corba Security Service v1.8, sect. 1.1.3
CORBA Security Overview
• Principals are the primary actors
• Principals have credentials indicating what their permissions are
• Credentials are issued by a trusted intermediary (“Principal Authenticator”)
• Targets are the primary resources requested
• A given object may be Principal and Target
• Policies relate credentials to Principals
CORBA Security Overview
• Secure Object Invocation
– Establish trust relationship between Principal and Target
• Authenticate each other
• Present Principal credentials to Target object
• Establish security context
– Determine whether Principal may execute the requested Target operation
– Audit the invocation
– Protect request and response from tampering and eavesdropping
CORBA Security Overview
• Access Control Model
– Object Invocation Access Policy
• Enforced by Proxies/ORB
• Enforced through Access Decision functions
– Binary result: yes/no, allow/deny
– At Principal: rules for invocation “Can I ask Johnny to come out and play?”
– At Target: rules for accepting request “Not after 6.”
• Policies built on top of access decision framework
Big Picture (diagram; labels only): Client and Target, each with Current, Credentials, Policy and Obj-Reference; ORB Core; ORB Security with Access Control / Access Decision and Secure Invocation / Security Association; Secure Interoperability between the two sides.
CORBA Invocation Security (diagram; labels only): Client Application (Message Sender), ORB, Security Enforcement Subsystem, Execution Context, Credential (Identity, Privileges), Message, Policy Enforcement Code, Target Object, Domain, Domain Policy.
CORBA Security Overview
The Untold Story
– Policies
– Domains
– Non-Repudiation
CORBA in UML: Credentials
CORBA in UML goes here
• Presentation status: The glue’s not quite dry. Mea culpa.
CORBA Lessons
• Security begins with Identity – Principals, authorization
• Implement access control in the proxies and Broker
• Implement mechanism, not policy
• Implement (optional) encryption when messages pass across bridges.
Secure Broker
Intent: Provide secure interactions between distributed components.
Example: Online Bank, Customer makes withdrawal – want to be sure that the Customer gives his account only to the Bank, and that the Bank distributes the Customer’s money according to the Customer’s wishes.
Context: Distributed computing systems, homogeneous or heterogeneous.
Secure Broker
Problem: Broker decouples communications from application concerns, but does not address security issues; un-addressed, these can compromise an application’s usefulness.
In addition to Broker’s role in decoupling communications from applications, the Secure Broker must:
– Protect Clients from illegitimate Servers and Brokers
– Protect Servers from illegitimate Clients and Brokers
– Protect Brokers from illegitimate Clients and Servers
Secure Broker
• Forces
– Broker distributes objects, but distribution does not imply trust
– Client access to Servers may need to be restricted
– Server access to Clients may need to be restricted
– Trust for an intermediary can be established
Secure Broker
• Solution: ‘Borrow’ CORBA security ideas for application to the Broker pattern
– Identity
– Credentials
– Access Decisions
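As an added example (not code from the original slides, nor a CORBA implementation), the Python sketch below models a Secure Broker built on the three borrowed ideas: Identity established by a trusted Principal Authenticator, HMAC-signed Credentials, and Access Decisions taken on the Principal side (“Can I ask?”) and on the Target side (“Not after 6.”), with every decision audited as in the CORBA Secure Object Invocation slide. The demo key, principal names, the “bank” service and its withdrawal policy are constructed assumptions; the scenario walks through the Forgery and Betrayal cases from the stick-figure slide.

```python
import hmac, json

class PrincipalAuthenticator:          # trusted intermediary that issues credentials
    def __init__(self, key): self.key = key   # demo HMAC key; real systems use PKI/Kerberos
    def issue(self, principal, privileges):
        body = json.dumps({"principal": principal, "privileges": privileges})
        return {"body": body, "mac": hmac.new(self.key, body.encode(), "sha256").hexdigest()}
    def verify(self, cred):            # returns the claims, or None if the credential is forged
        mac = hmac.new(self.key, cred["body"].encode(), "sha256").hexdigest()
        return json.loads(cred["body"]) if hmac.compare_digest(mac, cred["mac"]) else None

class SecureBroker:
    def __init__(self, auth):
        self.auth, self.servers, self.audit = auth, {}, []
    def register(self, cred, service, target_policy, handler):
        # Protect Clients from illegitimate Servers: only a principal holding "serve:<service>" may answer
        who = self.auth.verify(cred)
        ok = who is not None and f"serve:{service}" in who["privileges"]
        self.audit.append(("register", service, "allow" if ok else "deny"))
        if ok: self.servers[service] = (target_policy, handler)
        return ok
    def invoke(self, cred, service, op, *args):
        who = self.auth.verify(cred)
        name, reason = (who["principal"] if who else "<unverified>"), None
        if who is None:                                     # Forgery: tampered credentials
            reason = "bad credentials"
        elif service not in self.servers:                   # Denial: "What Bank?"
            reason = "unknown service"
        elif f"{service}:{op}" not in who["privileges"]:    # Principal side: "Can I ask?"
            reason = "no privilege"
        elif not self.servers[service][0](name, op, args):  # Target side: "Not after 6."
            reason = "target policy"
        self.audit.append(("invoke", name, service, op, reason or "allow"))
        return None if reason else self.servers[service][1](name, op, *args)

def demo():   # constructed scenario: a bank service, a customer, and two attackers
    auth = PrincipalAuthenticator(b"demo-key-not-for-production")
    broker, balances = SecureBroker(auth), {"alice": 1000}
    policy = lambda p, op, a: op == "withdraw" and a[0] == p and a[1] <= 500  # own account, <= 500
    def withdraw(p, op, acct, amt):               # the target's real work, reached only if allowed
        balances[acct] -= amt
        return balances[acct]
    bank, bad = auth.issue("wellsfargo", ["serve:bank"]), auth.issue("badguy", [])
    alice = auth.issue("alice", ["bank:withdraw"])
    forged = {"body": alice["body"].replace("alice", "bill"), "mac": alice["mac"]}
    return [broker.register(bank, "bank", policy, withdraw),        # True
            broker.register(bad, "bank", policy, withdraw),         # False: betrayal prevented
            broker.invoke(alice, "bank", "withdraw", "alice", 200), # 800
            broker.invoke(forged, "bank", "withdraw", "bill", 200), # None: forgery
            broker.invoke(alice, "bank", "withdraw", "alice", 600)], broker.audit  # None: policy
```

The audit list returned by `demo()` records the outcome of every registration and invocation, including the denied ones, which is the accountability the CORBA threat list asks for.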
Secure Broker Structure
Next Steps
• Sequence Diagrams
• Other implementations
• Other patterns: Broker Revisited, Lookup