
what are realistic threats?



   Then there's "assuming how it's used today, by the people who are
   using it today, in the ways they're using it today". I think that's
   where Dave and Phill are mostly coming from. However, if you just talk
   the technology that will solve the threats (public keys for signing
   and encrypting, for instance) you shouldn't forget deployment (how
   people get all the public keys for all the people they'll communicate
   with, for instance). That means services that are trusted (at least to
   the extent that they're available, to prevent total denial of
   service), as well as scalable. Then there are WWW architectural
   gotchas (proxies and caching). 

Indeed, it seems like deployment is sometimes overlooked in the web
(pardon the pun) of security technology discussions.  The management
of public keys is a prime example, especially wrt on-line commercial
services.  I think such services will need an on-line certificate
directory service to validate public keys, especially when financial
transactions are involved.  I.e., the use of CRLs won't be timely or
efficient enough for commercial services.  Wrt trusted services, there
are physical site/host/network issues to be addressed, including the
definition and use of appropriate security policies and procedures for
operating such services.

   The classic security services for countering threats are
   authentication, authorization, data integrity, and data protection
   (privacy). Authentication is pretty useless without authorization, but
   sometimes the authorization models are so simple as to not matter (if
   I can authenticate them, they can do anything, as in node login). As
   Phill points out, this is unlikely to be good enough for people using
   HTTP methods that alter data. We plan on using DCE authorization
   services to create a simple ACL manager that maps HTTP methods to ACL
   permissions, as a start. Services like Kerberos, S-HTTP, and Shen seem
   to address all of these. But they're all communications-centric. In
   terms of document integrity, people will begin to want signed
   documents, not signed communication of documents (who's the author,
   not just who's the server). And there's been some discussion on
   www-talk of how to control information dissemination from the point of
   view of publishing (an authorization problem that's classically been
   solved with Mandatory Access Controls, which would never work on the
   Internet). 

   Then there's "how do people want to use it" or, more likely "how do we
   think people will want to use it when we've done things to it". It
   seems to me that how businesses use the network is different from the
   classic Internet model. Businesses will want the same sorts of
   services mentioned already, but in ways that are easy to administer,
   and fall in line with their organization model (usually hierarchies of
   groups, perhaps loosely connected trees). And, I think we should ask
   people how they want to use it (I plan on doing that soon). That's
   something that really can't be done well on www-security, since
   there's very few "users", and vastly more "providers". 

True again.  We have integrated several Internet applications (WWW,
WAIS, FTP, etc., including our popular macWeb and winWeb clients) with
Kerberos and a distributed authorization mechanism, which enables
service providers to define discretionary access controls on the
documents/scripts/services/etc. which they are providing.  The access
controls are specified in terms of Kerberos IDs, thus allowing service
providers to specify access controls for both individual and
organizational/group identities.

Wrt privacy and integrity, we've developed a DES-based network stream
encryption (software) module which client/server applications can use
to conveniently protect data transfers.  We're in the process of
adding public key technology into the security system as well, which
will enable digital signatures to be associated with commercial
service transactions.  I think the use (and acceptance) of digital
signatures will increase as electronic commerce becomes more
prevalent, with signatures being used for both transmittal and
archiving of data.

As you say, ease-of-use/administration is critical to the successful
deployment of security technology.  For example, we've recently
developed GUI applications for both end-users and security system
administrators to ease the management of user/service IDs and
related encryption keys (and eventually certificates).


- Doug

Doug Rosenthal
MCC EINet                    |  Email: rosenthal@mcc.com
3500 W. Balcones Center Dr.  |  Voice: 512-338-3515
Austin, TX USA 78759         |  Fax:   512-338-3897
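The quoted message sketches a simple ACL manager that maps HTTP methods to ACL permissions, and the reply describes access controls expressed in terms of individual and group identities. The following is an added example illustrating that design; it is not code from either correspondent, from MCC EINet, or from DCE. The method-to-permission table, the permission names (read/write/delete), the `user:`/`group:` entry syntax and the realm-style principal names are all assumptions constructed for the example.

```python
"""Minimal ACL manager: HTTP method -> required permission -> ACL lookup.

Added example, not the thread's or DCE's actual code. Illustrates the point
made in the thread: authenticating a principal is not enough once methods
that alter data (PUT, POST, DELETE) are in play; each method must be checked
against an authorization decision, and the default answer must be "deny".
"""
from dataclasses import dataclass, field

# Assumed mapping from HTTP method to the permission it requires.
# Methods absent from this table are refused rather than silently allowed.
METHOD_PERMISSION = {
    "GET": "read",
    "HEAD": "read",
    "POST": "write",
    "PUT": "write",
    "DELETE": "delete",
}


@dataclass(frozen=True)
class Principal:
    """An authenticated identity (Kerberos-style user@REALM, constructed here)
    plus the organizational/group identities it carries."""
    name: str
    groups: frozenset = frozenset()


@dataclass
class Acl:
    """Entries keyed by 'user:<name>' or 'group:<name>' mapping to a
    set of permissions (assumed entry syntax, not DCE's)."""
    entries: dict = field(default_factory=dict)

    def grant(self, subject: str, *perms: str) -> None:
        self.entries.setdefault(subject, set()).update(perms)

    def permissions_for(self, principal: Principal) -> set:
        """Union of the permissions granted to the user and to each of its groups."""
        perms = set(self.entries.get(f"user:{principal.name}", set()))
        for group in principal.groups:
            perms |= self.entries.get(f"group:{group}", set())
        return perms


class AclManager:
    def __init__(self) -> None:
        self.acls: dict = {}

    def set_acl(self, resource: str, acl: Acl) -> None:
        self.acls[resource] = acl

    def authorize(self, principal, method: str, resource: str):
        """Return (allowed, reason). Everything not explicitly granted is denied:
        missing authentication, unmapped methods and resources without an ACL
        all fail closed."""
        if principal is None:
            return False, "unauthenticated"
        needed = METHOD_PERMISSION.get(method.upper())
        if needed is None:
            return False, f"method {method} is not mapped to a permission"
        acl = self.acls.get(resource)
        if acl is None:
            return False, f"no ACL defined for {resource}"
        if needed in acl.permissions_for(principal):
            return True, f"{needed} granted on {resource}"
        return False, f"{needed} required on {resource}, not granted"


def build_demo_manager() -> AclManager:
    """Constructed sample policy: staff may read a document, one editor may
    also write it, and nobody holds delete."""
    acl = Acl()
    acl.grant("group:staff", "read")
    acl.grant("user:editor@EXAMPLE.REALM", "read", "write")
    manager = AclManager()
    manager.set_acl("/docs/price-list", acl)
    return manager


if __name__ == "__main__":
    mgr = build_demo_manager()
    editor = Principal("editor@EXAMPLE.REALM", frozenset({"staff"}))
    alice = Principal("alice@EXAMPLE.REALM", frozenset({"staff"}))
    guest = Principal("guest@OTHER.REALM")
    for who, method in [(editor, "PUT"), (alice, "GET"), (alice, "PUT"),
                        (guest, "GET"), (editor, "DELETE"), (None, "GET")]:
        print(who.name if who else "<none>", method,
              mgr.authorize(who, method, "/docs/price-list"))
```

The check is deliberately per-request and per-method: a principal that the server can authenticate still gets a distinct answer for GET versus PUT on the same document, which is the distinction the thread says simple "if you can log in, you can do anything" models lack.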

