Professional Documents
Culture Documents
Information Security in The Clientserver Environme
Information Security in The Clientserver Environme
net/publication/36369521
CITATIONS READS
0 6,379
1 author:
Reinhardt A Botha
Nelson Mandela University
87 PUBLICATIONS 603 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Reinhardt A Botha on 07 November 2014.
in the
Client/Server environment
by
Reinhardt A. Botha
Information Security in the Client/Server environment
by
Reinhardt A. Botha
DISSERTATION
MAGISTER SCIENTIAE
in
COMPUTER SCIENCE
in the
FACULTY OF SCIENCE
of the
May 1997
To my wife, Adéle
SUMMARY
The importance of a security policy and more specifically the influence of the
client/server environment on such a policy are discussed and it is
demonstrated that the framework can assist in drawing up a security policy for
a client/server environment.
3. CLIENT/SERVER ARCHITECTURE...............................................................................11
3.1 CLIENT/SERVER ARCHITECTURE......................................................................................11
3.2 THE UI PARTITION ..........................................................................................................14
3.3 THE STORAGE PARTITION ...............................................................................................16
3.4 THE LOGIC PARTITION.....................................................................................................19
3.5 ORACLE AND THE VARIOUS CLIENT/SERVER PARTITIONS ................................................22
3.5.1 ORACLE and the UI partition ...........................................................................22
3.5.2 ORACLE and the storage partition ..................................................................23
3.5.3 ORACLE and the logic partition .......................................................................24
3.6 CONCLUSION .................................................................................................................25
4. THE FRAMEWORK.........................................................................................................26
4.1 THE FRAMEWORK ...........................................................................................................26
4.2 A STRATEGY FOR COMPLETING THE FRAMEWORK.............................................................27
6. APPLICATION FRAMEWORKS.....................................................................................39
6.1 ECMA SECURITY FRAMEWORK .......................................................................................39
6.1.1 ECMA and the client/server environment ........................................................42
6.1.2 ECMA and the security framework ..................................................................43
6.2 OSF DCE .....................................................................................................................45
6.2.1 The DCE and the client/server environment ....................................................47
6.2.2 The DCE and the security framework ..............................................................48
6.2.3 Kerberos...........................................................................................................49
6.2.3.1 Kerberos and the client/server environment ............................................................... 52
6.2.3.2 Kerberos and the security framework ......................................................................... 52
6.3 CONCLUSION .................................................................................................................54
11. CONCLUSION...............................................................................................................101
11.1 FURTHER RESEARCH ...............................................................................................102
A. BIBLIOGRAPHY ...........................................................................................................103
B. ARTICLE........................................................................................................................108
1. INTRODUCTION
1
1.1 Background information
Developments within the computer industry did not stagnate either. In fact, the
information explosion and the technology explosion within the computer
industry go hand in hand. The result of all this growth is that a large collection
of different technologies exists today within the business community.
The need for these technologies to interact with one another brought many
challenges to the computer industry. Research directions, such as
client/server computing, federated databases and networking, paved the way
for these different technologies to work together in an efficient manner.
These “new” technologies are leading to an increased level of data and other
resource sharing between different users. This co-operative way of working
has led to more openness in systems, in that data is more accessible and
available. This growing importance of openness in systems, places a definite
burden on the security of the system. The notions “open systems” and “secure
systems” seem to be contradicting one another.
This section defines certain key concepts used throughout the dissertation.
2
INTRODUCTION
The network boom paved the way for the uprising of the client/server
infrastructure [STRA93].
For the above reasons client/server systems are gaining popularity by the
day. However, frequently security is given little consideration when the
decisions are made.
• How much has been done to address the issue of security within the
client/server environment?
3
INTRODUCTION
measures need to be taken on the application level? How does the user
interface influence the security of the system?
This study shows that a synergy between the client/server partition and its
information security needs exists.
4
INTRODUCTION
5
2. INFORMATION SECURITY
2 ATTRIBUTES
Traditionally the purpose of information security for information security
specialists is to preserve the three security attributes: confidentiality, integrity
and availability [PARK95]. However, Donn Parker [PARK95] presents a further
three attributes of secure information: utility, authenticity and possession. This
chapter will define all six attributes within the context of this dissertation.
2.1 Availability
Two areas impact on the availability attribute. Firstly the information should be
accessible, i.e. it should be reliably stored in an appropriate place. Secondly
the means to actually access the information should exist, i.e. the necessary
computer infrastructure should exist and be at the disposal of whoever
requests the information.
deleting of files
accidental overwriting of files
disk crashes
infrastructure problems, e.g. network unavailability
natural disasters
List 2-1 presents a list of possible threats to the availability of information. The
deleting of files off the magnetic storage medium results in the loss of
availability since it cannot be retrieved by the average user. Note however
that this may be influenced by the operating system under which the file
system was created. In certain instances it may not result in a permanent loss
of the information, but merely present an inconvenience to the knowledgeable
user. In the case of a disk crash the loss could be permanent if the necessary
INFORMATION SECURITY ATTRIBUTES
precautions have not been taken. Accidental overwriting of a file could occur
when an existing file is replaced by another, e.g. copying a file to the same
name, resulting in the original information becoming unavailable. If the
network infrastructure becomes unavailable the information, although still
intact at storage level, cannot be accessed by the users and is therefore
unavailable. Similarly natural disasters may cause the abovementioned
network unavailability, the breakdown of equipment or the destruction of the
magnetic media, resulting in information becoming unavailable.
2.2 Utility
availability of information
user interface design
loss of cryptography key
misrepresentation of data
List 2-2 presents a list of possible threats to the utility value of the information.
The usefulness of the information depends on the availability of the
information, since unavailable information cannot be useful in any way.
Furthermore the usefulness is greatly enhanced by the proper design of a
user interface. The user interface design should form an integral part of the
system’s development lifecycle to ensure that the information presented is
meaningful to the user. Although all relevant information may be presented to
the user the actual manner in which this is done may to a large extent
influence the utility value of the information. For example, information
presented in a massive table may prove useless to users unless studied for
days, whereas the same information depicted on an appropriate graph can be
used instantly.
7
INFORMATION SECURITY ATTRIBUTES
2.3 Integrity
storage errors
electrical/magnetical interference
database design
unauthorized changes
As displayed in List 2-3 several threats exist that endanger the integrity of
information. Storage errors, like the malfunctioning of a disk drive, could lead
to the loss of integrity of the data that is stored on it. Similarly writing to a bad
sector on a disk could cause the written data to be unsound.
Both of the above issues have to do with physical integrity, whereas database
design points to the logical integrity of the data. This could be increased
considerably by enforcing referential integrity during the design process.
It is also noteworthy to mention that the integrity of data depends on the ability
to only allow properly authenticated authorized users to change information in
the database. If unauthorized changes are allowed then the integrity of the
information in the system can be seriously damaged.
2.4 Authenticity
8
INFORMATION SECURITY ATTRIBUTES
2.5 Confidentiality
Possible threats to confidentiality are listed in List 2-5. The issue of users
being authorized to access the information is of the utmost importance for
confidentiality of information. If an unauthorized user can read the information
it cannot be considered confidential. Sometimes confidentiality can be
threatened by the mere knowledge of the existence of certain information. For
example, if a company is in the process of considering the rationalization of
staff then knowledge of the existence of such documents by staff, who could
possibly be influenced by the rationalization process, could be very disruptive
to the organization.
2.6 Possession
stolen hardware
natural disasters
stolen magnetic media
copyright and trade secret violations
9
INFORMATION SECURITY ATTRIBUTES
2.7 Conclusion
This chapter defined the different security attributes that need to be protected
to have secure information. Different organizations, however, have different
security needs. These attributes therefore form a part of the presented
framework in order to allow an organization to choose the attributes that are
relevant to their situation.
The following chapter will identify the different partitions that exist in the
client/server environment, explaining how an EDMS could be implemented for
each of these partitions.
10
3.
3 CLIENT/SERVER ARCHITECTURE
This chapter defines the term client/server. Thereafter it studies possible ways
in which a system can be partitioned within a client/server environment. These
partitions are then presented in more detail by evaluating how an electronic
document management system could be implemented for each of the
partitions.
One fact that exists when defining the term client/server is that by virtue of the
name it consists of at least the following two components: clients and servers.
The first controversy, however, arises just after this fact has been established,
namely what is the role of the client and what is the role of the server. In order
to answer this question the basic components firstly have to be considered:
♦ Servers
♦ Clients
The clients represent the “other” resources requesting a service from the
server. For example, a workstation running a program requiring information
from a database.
11
CLIENT/SERVER ARCHITECTURE
Logic Module
User Interface Information
Presentation Application Information
Module sub-module logic sub- logic sub- Storage
(UI) module mudule Module
The user interface module controls all user interaction, i.e. all input and
output. The presentation logic sub-module processes the user input and
prepares the user output. The application logic sub-module is where the
computationally complex tasks are performed. The information logic sub-
module determines which data is stored and retrieved and the manner in
which it is done, e.g. it would determine the query which has to be sent to the
database. The information storage module reads and writes data from the
media where it is stored.
12
CLIENT/SERVER ARCHITECTURE
Logic module
SERVER
CLIENT
User Interface Information
Presentation Application Information
module logic sub- logic sub- logic sub- Storage
(UI) module module mudule module
UI partition
Logic module
SERVER
CLIENT
Logic partition
Logic module
SERVER
CLIENT
Storage partition
Figure 3-2: Three client/server partitions
13
CLIENT/SERVER ARCHITECTURE
The client workstation will only present the information. In other words, the
client will present the information according to instructions received from the
server. For example, the server will decide which document has to be
displayed, as well as the manner in which the document should be displayed.
The UI module, therefore, has extremely limited logic embedded in it, as it
only has to know how to write to the output devices and how to receive input
from the user.
{ The user requests “the memos that were sent by Mr. A.N. Other during
September 1996“ by using the input devices provided by the client
workstation.
| The user interface module on the client interprets the input and
translates it into a format that is understandable by the presentation
logic sub-module on the server. This could, for example, be
“memos”;;;; “A.N.Other”;;;”September 1996”.
14
CLIENT/SERVER ARCHITECTURE
SERVER
Storage module
Storage logic
sub-module
Application logic
sub-module
Presentation logic
sub-module
User Interface
module
CLIENT
DOCUMENT_TYPE = “MEMOS”;
AUTHOR = “A.N.OTHER”;
ISSUE_DATE IN “SEPTEMBER 1996”
15
CLIENT/SERVER ARCHITECTURE
13524 H:\dir1234\d1145873.wpd
13892 E:\dir9876\f8935467.wpd
14121 Z:\dir7845\e6428193.xls
From the above explanation it is evident that the client has very limited
responsibility in the user interface partition.
This partition represents a widely used client/server platform. Due to the fact
that vendors frequently develop products for multiple platforms the application
program often addresses certain issues, e.g. integrity checking. The main
reason behind this is the different levels of offered security features between
commercial databases. The server therefore only performs a storage function
and all the other functions are shifted to the client.
16
CLIENT/SERVER ARCHITECTURE
Any application submitting information to the database must ensure that the
integrity of the database is not damaged through manipulation of the values.
This however leaves the integrity of the database to “good faith” as any
person who can gain access to the database could intentionally or
unintentionally harm the integrity of the data.
In order to ascertain how a query will function within this partition the following
task should be considered: Store the index information of a new electrical
drawing draughted by N.O.Green on 10 September 1996.
Figure 3-4 depicts the execution of above task within a storage partition
environment.
SERVER
Storage module
Storage logic
sub-module
Application logic
sub-module
Presentation logic
sub-module
User Interface
module
CLIENT
the UI module. In this case the command is “to store the index
information of a new electrical drawing draughted by N.O.Green on 10
September 1996”.
| The user interface module interprets the input and translates it into a
format that is understandable by the presentation logic sub-module.
For example: “drawing”;;”electrical”;;”N.O.Green”;;;”10
September 1996”.
DOCUMENT_TYPE = “DRAWING”;
DOCUMENT_DISCIPLINE = “ELECTRICAL”;
AUTHOR = “N.O.Green”;
ISSUE_DATE = “10 SEPTEMBER 1996”
18
CLIENT/SERVER ARCHITECTURE
The UI module will receive the instruction to display the output which
was decided upon by the presentation logic sub-module. Thereafter it
performs the necessary actions to update the relevant output devices.
From the discussion of the storage partition it is evident that the client, for the
storage partition, has a much larger responsibility than the server.
The ideal within a client/server environment is to utilize the client and the
server for the functions that they are respectively good at. The client is best at
displaying information and servers are best at storing information, which
would imply that the UI module must reside on the client and the information
storage module must reside on the server. The question that subsequently
arises is “What about the logic module?” The logic module consists of three
19
CLIENT/SERVER ARCHITECTURE
sub-modules that can be positioned in various ways. Since the client presents
the user interface the presentation logic sub-module can be located on the
client. The information logic sub-module can reside with the server as this is
where the information is stored. The application logic sub-module could then
reside on the client if no intensive processing is done; or it could reside on the
server if much processing power is needed; or it could be split between the
client and the server to appropriately share computing resources.
Figure 3-5 can be used as reference for discussion on how this will take
place.
SERVER
Storage module
Storage logic
sub-module
Application logic
sub-module
Presentation logic
sub-module
User Interface
module
CLIENT
20
CLIENT/SERVER ARCHITECTURE
{ The user manipulates the user interface by using the various input
devices to request to view document “ABCD”.
| The client interprets the input and provides the presentation logic sub-
module with the corresponding request.
SELECT DOCUMENT_IMAGE
FROM DOCUMENT
WHERE DOCUMENT_ID = “ABCD”
The application logic sub-module on the client will pass the prepared
image to the presentation logic sub-module on the client.
21
CLIENT/SERVER ARCHITECTURE
The UI module will utilize the output devices to communicate with the
user.
This partition thus allows for effective balancing of loads. Clients perform
generally less resource intensive duties, whilst servers execute the more
resource intensive processes. This arrangement allows for the best properties
of both the client and the server respectively to be exploited in order to obtain
the most efficient application.
}
Storage module
SQL-based interface
}
Application logic sub-module
Third party
programming
Presentation logic sub-module
tools
UI module UI module
Terminal emulation Not utilized -- character-
software based terminal
CLIENT SERVER
PC Workstation Mainframe
22
CLIENT/SERVER ARCHITECTURE
23
CLIENT/SERVER ARCHITECTURE
The interface is presented using the windowing capabilities of, for example,
Microsoft Windows. This situation is depicted in Figure 3-7.
The logic partition represents the most popular approach for installing
ORACLE. The ORACLE database engine and storage will reside on the
server. The user interface module is represented by the Windows capabilities.
The presentation logic sub-module can be developed using third party
products on the client workstation. The application logic sub-module is
represented on both the client and the server. On the server this could be
done using the PL/SQL language of ORACLE developing triggers and stored
procedures [ORA92]. Another possibility is to develop separate server
programs which can act on special requests, using a language, e.g. C. In a
UNIX environment this could, for example, be implemented as deamons, i.e.
processes that are always running in the background.
Storage module
Personal ORACLE ™
UI module
Terminal emulation
software
CLIENT SERVER
PC Workstation LAN Server (e.g. Novell server)
24
CLIENT/SERVER ARCHITECTURE
3.6 Conclusion
This chapter presented three different client/server partitions for which the
security measures that need to be implemented differ depending on the
particular partition implemented and the required security features.
The next chapter will develop a framework based on the security attributes
(chapter 2) and the client/server partitions (chapter 3) to be used when
securing a client/server environment.
Storage module
Personal ORACLE ™
UI module
Terminal emulation
software
CLIENT SERVER
PC Workstation UNIX server
25
THE EMPTY FRAMEWORK
4.
4 THE EMPTY FRAMEWORK
The questions “How can it be decided which security techniques are relevant
when only some of these attributes require protection?“ and “What influence
does the choice of partition have on the security techniques that need to be
implemented?” now arise. This chapter suggests a strategy for generating a
framework that can be used to answer both the aforementioned questions.
The security techniques required may depend on the attributes that need
protection as well as on the client/server partition implemented. The possible
influence of the two aforementioned factors on the security techniques
selected suggests that a two-dimensional matrix could be used to map the
different security techniques.
Figure 4-1 presents the empty framework. The X-axis contains the six
attributes of secure information: integrity, authenticity, confidentiality,
availability, possession and utility. The Y-axis contains three client/server
partitions: the UI partition, logic partition and storage partition. In addition each
of these partitions is divided into a client and server part.
The highlighted entry “A” in Figure 4-1, therefore, presents the standards and
techniques applicable to the client in a logic partition in order to preserve
integrity of the information. Likewise the entry “B” presents the standards and
techniques applicable to the server in a storage partition in order to preserve
the availability of the information.
26
THE EMPTY FRAMEWORK
Server Client
UI
partition
A
Server Client
Logic
partition
Server Client
Storage
partition
27
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
5.
5 EVALUATION CRITERIA AND THE
CLIENT/SERVER ENVIRONMENT
5.1 TCSEC
Each class is identified by a set of criteria that addresses the security policy,
accountability, assurance and documentation [DODS85].
A distinction is made between the rating of products and the rating of installed
systems. This is because specific systems, particularly when networked, may
have certain vulnerabilities in spite of the evaluated ratings of the individual
components of such a system.
28
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
The most important aspect of the TCSEC with respect to the client/server
environment is the differentiation between rating products and rating systems.
In the client/server environment this is particularly useful as the installed
system frequently consists of multi-vendor, multi-product installations.
The TCSEC can be used very successfully for evaluating certain components
of the client/server environment. The TCSEC is particularly useful and strong
in the evaluation of database security and operating systems. As pointed out
in [CAEL92] the evaluation process is complex and very time consuming. The
evaluation of a single component, e.g. the operating system, is a large task.
The complexity of this task increases as the number of components
increases. This is due to the complexity of the interaction between the
different components. The TCSEC therefore seems a rather clumsy way of
evaluating a complete system. [CAEL92] also points out that a commercial
developer can at best perform an incomplete evaluation. This is mostly due to
the fact that the developer needs a certain element of trust in the vendor, as it
needs to be assumed that certain steps, for example design and
development, have been fulfilled in the “proper secure way”.
29
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
5.2 ITSEC
A basic rating would indicate that the TOE provides protection against
the random accidental subversion, although knowledgeable attackers
may defeat it.
30
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
A high rating would indicate that the TOE can only be defeated by
attackers possessing a high level of expertise, opportunity and
resources. A successful attack is being judged beyond normal
practicality.
31
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
HP-UX is a popular UNIX operating system for the server component in the
client/server environment. The HP-UX operating system, version 6, has been
evaluated against ITSEC as having a functionality class F2, an evaluation
level for correctness of E2 and a minimum strength rating of basic [CAEL92].
This would indicate that HP-UX, version 6 allows for individual accountability
through finely grained access control and audit trails; that it has been
methodically tested and that it should provide protection against accidental
subversion, but could be defeated by knowledgeable attackers [CAEL92].
For version 7 of HP-UX [CAEL92] proposes a basic strength rating of high. This
rating is conditional and can effectively be negated on a sliding scale relative
to the competency of the system administrator. This would indicate that the
security kernel can only be defeated by attackers with a high level of
expertise, opportunity and resources. These conditions seem to be beyond
normal practicality.
Development on the CC started in late 1993 and the first public “preliminary
draft” was published in late 1994. The development of the CC is a joint effort
between France, Germany, the United Kingdom, the Netherlands, the USA
and Canada in order to align the existing and emerging criteria: ITSEC
(Europe), USA New federal criteria (including TCSEC), CTCPEC (Canada)
and ISO SC27 WG3 security evaluation criteria [OVER95].
32
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
The main purpose of the CC is to produce a common set of criteria that will
ease the recognition of evaluation results between nations. The primary goal
of the CC is to remain compatible with the individual source criteria and to
provide sufficient flexibility to allow the choice of security functionality and
assurance levels that adequately represent the required security and business
needs [OVER95].
Protection Profile (PP): The PP defines the security needs in a general threat
environment. The PP defines security objectives and security requirements,
respectively describing why protection is necessary and what functionality is
needed to offer the required protection. A PP for security in client/server
environments can therefore be defined in terms of the threats that the
environment must be protected against (hostile outsiders, unavailable servers,
etc.) and the functional specifications for providing the protection (firewalls,
access control restrictions, recovery procedures, etc.).
Assurance levels: Seven assurance levels are defined, AL1 - AL7, being
graduated classes of security differing in an increasing degree of assurance.
AL0 is reserved for products that failed the evaluation.
33
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
The evaluation criteria are very general documents that instruct the reader
about the results but, unfortunately, do not specify how to obtain the desired
results. Following is a discussion on some of the criteria and how they are
interpreted in the light of the client/server environment and the proposed
framework (Figure 5-1 refers).
User identification
Several criteria that need to be met whilst evaluating a product using the
criteria have to do with the identification of users that need to use the system.
In addition the issue of proving the authenticity of the claimed identities comes
to play a part. This whole issue is discussed at length in paragraph 6.2.3 and
therefore does not receive attention in this discussion.
Access control
For greater security levels mandatory access control refers to the introduction
of security labels for all subjects and objects. A subject can only access an
object with a security label equal or less to its own security label. For
example, if a user (subject) has a security label of confidential then that user
can only access documents (objects) with a security label of open and
confidential. Objects with a security label of secret and top-secret are not
available to that user. The aforementioned example assumes that the security
34
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
The need for mandatory access control over all storage objects and all
subjects will strongly influence the confidentiality of information in terms of
reading the information. If it is considered that control is also exercised over
the writing of information it will also assist in maintaining integrity of the
information (assuming that the low level integrity controls in terms of
communication and storage are functioning properly) in that a user will not be
able to write information with a security label higher than his own. In the
client/server environment mandatory access control can be enforced on the
storage level. Although the information storage module may store the access
UI
partition
audit facilities security labels; trusted recovery off-site backups documentation
storage and techniques; trusted
memory object re- facility
Server
use management
Logic
partition
audit facilities security labels; trusted recovery off-site backups documentation
storage and techniques; trusted
memory object re- facility
Server
use management
Storage
partition
audit facilities security labels; trusted recovery off-site backups documentation
storage object re- techniques; trusted
use facility
Server
management
Identification and authentication are covered in the evaluation criteria and w ill be discussed in detail in paragraph 6.2.3
35
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
control list the interpretation will happen through the information logic sub-
module. In both the UI and logic partition the responsibility for mandatory
access control will therefore reside with the server. In the storage partition,
however, the information logic sub-module resides on the client and the
responsibility for mandatory access control will therefore reside with the client.
It should be emphasized that the implementation of a mandatory access
control policy strongly relies on the effective implementation of security labels,
i.e. all subjects and objects should be allocated security labels.
Object re-use
In the UI partition neither the logic module, nor the information storage module
resides on the client and therefore the client will play no role. However, in the
storage partition and in the logic partition objects will reside on the server and
on the client. Care should therefore be taken to ensure that objects are not
illegally (or accidentally) re-used, thereby disclosing confidential information. It
is therefore necessary that object re-use takes place in a synchronized way
between the client and the server.
Trusted recovery
36
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
For the logic partition the importance of the server remains high because the
information is still resident on the server and, therefore, without the server
none of the information will be available. The importance of recovery for the
client, however, increases considerably. Since the means of operating on the
data, i.e. the application logic sub-module, is split between the client and
server, it is vitally important to have a correctly configured client available in
order to utilize the data. Planning for recovery can therefore be more difficult
since it is not easy to keep redundant clients for all the different
configurations. Furthermore, to keep all the different configurations could be
very expensive. This is described by the term “configuration management”.
This term is also used in the TCSEC where it refers to the different versions of
the trusted computing base, not the overall configuration of the system.
The role of the client in the storage partition becomes even more important,
since the server is essentially only used as an information store and all
processing occurs on the client. As the custodian of the information the server
needs carefully planned, trusted recovery techniques. The importance, of both
trusted recovery for the clients and effective configuration management of the
client configurations, is even greater than in the logic partition.
Security management
The information contained on the server can only be of value if the facility
(server) is managed properly. The effective separation of the operator and
37
EVALUATION CRITERIA AND THE CLIENT/SERVER ENVIRONMENT
Presentation of information
The usefulness of the information, and more specifically the usefulness of the
security rating of the information, is strongly influenced by the presentation of
the information in human-readable format. It is therefore essential that the
client, which in all three partitions presents the information to the user, always
displays human-readable security labels for the displayed information.
Documentation
5.5 Conclusion
It is evident that the evaluation criteria, although not directly aimed at the
client/server environment, could provide a useful reference when secure
client/server systems are designed.
38
APPLICATION FRAMEWORKS
6
6. APPLICATION FRAMEWORKS
Whereas the security evaluation criteria are aimed at measuring the security
functionality of a system or product, application frameworks on the other hand
provide a frame of reference in the design and development of a secure
system by providing guidelines as to the security functionality and services
that should be present in a secure system. In other words, the evaluation
criteria stated what should be accomplished without saying how, but the
application frameworks provide a framework as to how certain security
features can be implemented.
39
APPLICATION FRAMEWORKS
SERVER
Remote applications
¤ Global Time service
{ The user sponsor will act as an agent between the user and the system
[PRES91]. The user sponsor resides on the client workstation. When the
user activates his workstation the user sponsor will be the first form of
intelligence that he encounters. The user sponsor will arrange for the
user to be authenticated by the authentication service, using the
authentication mechanism suitable for that user. The authentication
mechanism could, for example, be a password (in the simplest case),
smart card, biometrics or challenge-response token. The user can be
authenticated in a specific role, e.g. manager, clerk or supervisor.
40
APPLICATION FRAMEWORKS
} If a user selects a service, the user sponsor will invoke the “Initiating
Association Manager” (IAM) on the client to establish a connection to a
“Target Association Manager” (TAM) on the server which hosts the
application. The PAC and the details of the services selected are
passed on to the TAM by the IAM.
If access is permitted the TAM will map the privilege attributes in the
PAC to a form appropriate for the requested application. The TAM will
send these mapped attributes to the target application.
The user can now interact with the application in a normal way, with the
user sponsor transparently in the background.
41
APPLICATION FRAMEWORKS
The user sponsor, local applications and initiating association manager reside
on the client workstation. The ”security server”, as well as the remote
applications and a target association manager, reside on a server node.
42
APPLICATION FRAMEWORKS
In the following paragraph the security facilities within the ECMA security
framework and the influence thereof on the security framework are discussed.
43
APPLICATION FRAMEWORKS
Client
UI
partition
OSI level services security attribute control attribute recovery
server package; secure
association server;
inter-domain service;
Server
cryptographic service
Logic
partition
OSI level services security attribute control attribute recovery
server package; secure
association server;
inter-domain service;
Server
cryptographic service
Storage
partition service
OSI level services security attribute cryptographic service recovery
server
Server
44
APPLICATION FRAMEWORKS
through the use of the “client” row in the storage partition and the “server” row
in the UI and the logic partition.
45
APPLICATION FRAMEWORKS
When considering Figure 6-3 it can be noted that the DCE also provides for a
directory service, a time service and security services, each of which is briefly
discussed in the following paragraphs.
The directory service provides the DCE’s distributed applications with a place
to store and retrieve information concerning resources available in the
distributed computing environment. It makes it possible to contact people and
use resources anywhere in the network without knowing their physical
location.
Application
Directory Service
Security Time
X.500 CDS
Operating System
Network Transport
46
APPLICATION FRAMEWORKS
CLIENT SERVER
CDS server
DCE
server DTS server
software
Security server
OSF developed the DCE for, as the name suggests, open distributed
computing environments. The DCE can therefore be used with great success
in the client/server environment. Figure 6-4 shows the client and server
software components that are involved when DCE is implemented. The DCE
runtime library should be present on both the client and the server. This library
provides the RPC and DCE threading capabilities. The other client software
includes the clerks for the Cell Directory Service (CDS), for the Domain Time
Service (DTS) and for the Security Service. These clerks are responsible for
the interrogation of the CDS server, for the synchronization of the local clock
with the DTS server and for the communication with the security server.
47
APPLICATION FRAMEWORKS
The presence of the DCE runtime libraries on both the client and the server
ensure accessibility of the DCE functionality. This need is depicted in Figure
6-5 by placing a “DCE runtime” entry in both the “client” and “server” rows of
the logic and storage partition for the “availability” column.
UI
partition
DCE runtime
Server Client
Logic
partition
ACLs DCE runtime;
DFS
Storage
partition
DCE runtime;
DFS
Catered for by DCE through the use of Kerberos. Discussed in parraph 6.2.3
48
APPLICATION FRAMEWORKS
6-5 depicts this with an “ACLs” entry in the “confidentiality” column of the
“client” row of the storage partition.
6.2.3 Kerberos
49
APPLICATION FRAMEWORKS
Kerberos
Authentication
Server (KAS)
Ticket
Granting
| Server (TGS)
~
{ }
Client Server
C S
Assume that client C wishes to communicate with server S. At login the client,
C, request a ticket for the TGS from the KAS. Message { contains C’s
identity, the name of the TGS and a timestamp.
{ C, TGS, T1
The KAS generates a session key, KC,TGS, later to be used between C and
TGS. It also generates a ticket containing this session key, a timestamp, the
lifetime of the ticket and the client’s name. This ticket is encrypted using a pre-
arranged key that it shares with the TGS and it is sent to C in message |.
The client, C, stores this encrypted ticket and calculates KC,TGS using its secret
key KC,KAS. Hereafter C requests a ticket for communication with S from the
50
APPLICATION FRAMEWORKS
TGS. Message } contains C’s name and a timestamp, encrypted with KC,TGS
as well as the encrypted ticket and the identification of S.
} {C,T3,WC}KC,TGS, S, {TicketC,TGS}KKAS,TGS
The TGS decrypts the ticket using KTGS,KAS and validates the timestamp
against the local clock. Thereafter it uses KC,TGS to decrypt the request. Upon
success a random session key, KC,S, is generated for use between C and S at
a later stage. The session key is encrypted using KTGS,C. Message ~ consists
of this encrypted random session key and a ticket containing the session key
and the timestamp and lifetime encrypted using KS,KAS, the shared key
between S and KAS.
TicketC,S = {KC,S,C,T4,L}
C stores the encrypted ticket and decrypts the new session key.
The server, S, firstly decrypts the ticket, verifying its timeliness, before
decrypting the rest of the message. Upon successful verification and
decryption C is considered authentic by S.
Server S replies in message with T5+1 encrypted with the session key KC,S.
(6) {T5+1}KC,S
C decrypts the message and compares it with his own copy of T5. Upon
successful verfication S is considered authentic by C.
51
APPLICATION FRAMEWORKS
52
APPLICATION FRAMEWORKS
In the UI partition, however, the amount of logic required would indicate that
much more than just the presentation of the user interface is required from the
client. From the above it is evident that the Kerberos authentication scheme
does not suit the UI partition. No entries in the UI partition row is therefore
made in Figure 6-6.
UI
partition
Server
Logic
partition
Kerberos server cryptographic trusted third
software; KAS, support party
Server
TGS
Storage
partition
Kerberos server cryptographic trusted third
software; KAS, support party
Server
TGS
53
APPLICATION FRAMEWORKS
authenticated. The cells formed by the “server” rows of the logic and storage
partitions and the “authenticity” column are appropriately labeled with
“Kerberos server software”. The need for cryptographic support to ensure
confidentiality of exchanged information is shown by a “cryptography support”
label in the cells in the “confidentiality” column representing the server in the
logic and storage partitions.
The need for a trusted third party, in the form of a KAS and TGS, exists
whenever Kerberos is implemented. Since this is a specialized service
provided for authentication it is indicated in the “authenticity” column in the
cells representing the server requirements for all three partitions. The KAS
and TGS could be implemented as separate machines, as one machine
different from the server, or as part of the server. Without the user
authenticating no information will be made available. The presence of a
trusted third party is therefore not only necessary for authentication, but also
for ensuring information availability. Since the trusted third party can be seen
as a specialized server this argument is reflected in the security framework by
the entry “trusted third party” in the “server” rows of both the “logic partition”
and “storage partition” columns.
6.3 Conclusion
This chapter presented ECMA and OSF DCE as two application frameworks
that can contribute significantly towards the identification of security
functionality required to secure the client/server environment.
The following chapter will address the contribution that current research on
World Wide Web security can make towards the security framework.
54
THE WORLD WIDE WEB
7.
7 THE WORLD WIDE WEB
The Internet, which includes the World Wide Web (WWW), is the fastest
growing communication medium in the world. Some of the most important
issues and developments on the Internet, therefore, warrant closer inspection.
Originally the WWW was created for scientific and research purposes, but
soon non-academic organizations world-wide, ranging from flower shops to
government institutions, were publishing WWW pages on the Internet.
Since its creation in 1992 [MAGI95], the amount of Internet traffic used by the
WWW, has increased from approximately 72 megabytes to over 200 000
megabytes in one year. By November 1994, WWW traffic accounted for more
than 3 million megabytes. WWW servers have also grown from 50 in January
1993 to over 1500 in June 1994 [MAGI95]. Businesses have realized that the
WWW is a very viable communication medium for various business needs,
e.g. displaying product information, making bookings or even purchasing
products. Information, furthermore, is available 24 hours a day, 365 days a
year. Any company that is proactive and gearing up for the 21st century must
consider using the WWW, either to display product or company information or
for commerce. Although other, more traditional means of communication, e.g.
television, is by no means obsolete yet it can be seen that the normal
broadcast communication environment has changed to an environment of
information on demand. The differences between the traditional broadcast
media and the WWW are listed in Table 7-1 [VISS96].
55
THE WORLD WIDE WEB
user [ORFA95]. This allows for masquerading as a server. However, due to the
nature of the information content (as well as the costs involved) the possibility
of a masquerading threat is considerably greater in the client/server
environment. Note however that the possibility of tracing such a
masquerading server is easier in traditional broadcasting than in interactive
broadcasting (see the fixed/variable identity in Table 7-1).
Table 7-1: Differences between traditional broadcast systems and the WWW
56
THE WORLD WIDE WEB
WWW servers are designed for public usage and this open-endedness is the
reason why World Wide Web security has become an issue. Two main
security issues are relevant: (1) how to transmit information over the Internet
in a secure fashion, and (2) how to protect the WWW servers and clients from
unwanted access. The next paragraph will discuss the problems that can be
encountered if the environment is not properly secured.
{ |
User }
Client Server
Storage
C S
~
appropriate server.
} The request from the browser is accepted and processed by the server
by validating the request.
The server retrieves any applicable data from the relevant storage
area.
57
THE WORLD WIDE WEB
The server sends the requested media or text file to the browser to be
interpreted.
The user views either the rendered WWW page by means of the
browser or the external media by means of a viewer.
Certain security issues in this process should be considered. The issues will
be discussed under two headings: Server security issues and Client security
issues.
Problems that influence the server security include the server operating
system environment, the server process, Server Side Includes (SSIs) and
Common Gateway Interface (CGI) scripts. These potential security
vulnerabilities are briefly discussed below.
58
THE WORLD WIDE WEB
The server operating system may include, e.g. the ability to change the
effective root directory of the file system. The UNIX operating system
implements this as the chroot() command, restricting the web-server view of
the file system to a specific sub-tree [HPUX91].
• Program defensively.
• Use wrapper programs to launch the scripts after arranging for a more
secure environment. Wrapper programs do not generate any response to
59
THE WORLD WIDE WEB
a request, but only arrange for another program to handle the request and
generate a response.
• Arrange barriers between the web-server and the resources that need
protection. These barriers are known as firewalls and will be discussed in
more detail.
Firewalls
60
THE WORLD WIDE WEB
The WWW client can launch applications automatically, provided that the
application is available to the client. This allows the client to provide, e.g. a
document to a user in an immediately useful format. At the same time it
introduces a new vulnerability to the WWW environment. Several applications
integrate a macro language into their environment in order to allow for
automation of the tasks performed by them. However, these macro languages
proof to be very powerful. For example, it could allow for the execution of
operating system commands such as the delete file commands. This would
allow a user to publish a file on a server claiming to be something of general
interest. On viewing the file the client will launch the application and in doing
so execute a command to delete all files on the local storage. The user will
only realize this after he has lost all his data.
Java
Since Java code is downloaded to the client, a Java program can contain
code that can potentially harm the client. Java and its security features and
problems are discussed in paragraph 7.2.
61
THE WORLD WIDE WEB
The SET protocol is based on the theory of public key certification. This is
based on the ability to decrypt messages signed by a public key only by
possession of the corresponding private key. The protocol furthermore relies
on the existence of a trusted third party referred to as the certificate
management center responsible for the publishing of the public keys.
The applets are the same for all operating systems, only the interpreter will
change. This machine independence is a major advantage as it allows
software developers to write applications without considering the type of
machine that the applications will run on. Also, software developers do not
have to be concerned about end users installing programs or upgrading the
systems, as this could be done automatically from anywhere in the world
[SCOT96].
62
THE WORLD WIDE WEB
Java has built-in security mechanisms that act at four different levels of the
system architecture [LEMA96]. These security mechanisms are:
(7.3.1.1) The language itself is designed to be safe and its compiler ensures
that the source code does not violate its safety rules.
(7.3.1.2) All bytecodes are screened by Java’s runtime engine to ensure that
an altered compiler does not violate the safety rules.
(7.3.1.3) The class loader verifies that classes do not violate name space or
access requirements.
(7.3.1.4) A final layer relies on security and integrity guarantees from the
previous three layers, using API-specific restrictions to prevent applets from
performing any destructive functions.
63
THE WORLD WIDE WEB
The verifier checks that the applet conforms to the Java language specifications
and that there are no violations of the Java language rules or name space
restrictions. The verifier also checks for common violations of memory
management, like stack overflows or underflows. Furthermore, it is checked that
methods are called with appropriate arguments of the appropriate type, i.e. that
no illegal type casts, which could allow a hostile applet to corrupt part of the
security mechanism or to replace part of the system with its own code, are done
[FRIT96].
The verifier is crucial for the security of Java applets, as it only allows bytecodes
that passed the security test through.
64
THE WORLD WIDE WEB
The class loader also ensures that classes cannot call other classes, unless
methods are explicitly declared public in classes. This implies that classes from
any other origin than your local computer cannot even view the file system I/O
methods, unless your system allows them to do it. This also implies that no
applets can access another applets’ methods or variables without the user
applet’s permission.
Although the security mechanisms have made Java secure for the server and
in part for the client, Java is not without other security problems. For example,
Java applets create windows, but this same feature can result in locking or
crashing the Java-enabled browser by opening too many windows [LADU96].
Other problems that may be encountered include making loud noises,
refusing to terminate, shutting down other applets and forging e-mail. Java
applets are programs and need to use the host computer’s resources to
execute. This property makes them untrustworthy programs, since users do
not want to download a small program that could wipe out their hard disk or
send private data over the network.
65
THE WORLD WIDE WEB
These applets are called hostile applets. A hostile applet is any applet that,
when downloaded, attempts to monopolize the system or exploit the system’s
resources in an inappropriate manner. A hostile applet thus is an applet which
performs, or causes you to perform, an action which you would not otherwise
care to do [LADU96]. A large variety of hostile applets exist and it is a very
difficult task to build effective defenses against all of these applets.
66
THE WORLD WIDE WEB
In the typical Java environment the client does not store the application, but it
is downloaded whenever accessed. The Java interpreter, however, resides on
the client, putting a distinct logic partition flavor to the environment.
UI
partition
firewalls
Server
firewalls no Java, no
automatic
application
Client
Logic
partition launches
firewalls; limit
execution
Server
Storage
partition launches
firewalls; limit
execution
Server
67
THE WORLD WIDE WEB
server. This resembles the storage partition since the server only acts as a
storage area. The software can be seen as part of the operating environment
rather than a software application.
At this stage operations on the Internet do not take the form of the UI partition.
Leaving the UI partition “client” row empty in the security framework (Figure 7-
2) indicates this. However, issues pertaining to servers in the environment,
even if not web-servers, will be entered.
Firewalls protect servers from unauthorized access, whilst also protecting the
client identity in the case of a proxy firewall. This is indicated by a “firewall”
entry in the “confidentiality” column for the “logic partition” and “storage
partition” rows. Firewalls, however, protect all servers including the non web-
servers and therefore a “firewall” entry is also included in the “confidentiality”
column for the “server” row of the UI partition.
As pointed out all processes providing web services should be run with
minimum rights. This is indicated in the “server” rows of the logic and storage
partition in the “confidentiality” column by an entry labelled “limit execution
rights”. In the same cells the entry “limit root environment” indicates the need
to change the perceived view of the superuser to the absolute minimum.
68
THE WORLD WIDE WEB
7.5 Conclusion
The next chapter will present some other issues that could contribute to the
security framework. It will present a consolidated security framework,
comprising of the entries in the individual “matrixes”.
69
THE CONSOLIDATED FRAMEWORK
8.
8 THE CONSOLIDATED FRAMEWORK
This chapter will evaluate the role of user interface design in securing a
system. Furthermore it will present some other issues, such as checksums,
which could not be positioned otherwise and position them in the framework.
Finally the chapter will complete the security framework by consolidating all of
the matrixes presented.
This section provides proof that the design of the user interface can indeed
contribute to the security of the system.
If certain options in the application are not available to a user two options
exist: display the option but disallow access or don’t display the option at all. If
the option is not displayed then a user may not be tempted to attempt
unauthorized access to them. However, it is important to always justify the
decision. For example, because of complexity in the system the cost incurred
by additional development and the additional training of users and writing of
manuals may not be justified by the value of the information protected.
Standardization through the continuous display of all possible options and the
disablement of certain of the options will flatten the learning curve of users
and result in training being easier and cheaper, but it may be detrimental to
the security of the system.
The user interface reflects the state of the system. It will therefore be
responsible for requesting password information from the user. It is important
that the user interface will not display any password information in clear text.
This will prevent accidental disclosure of passwords to bystanders.
70
THE CONSOLIDATED FRAMEWORK
Aforementioned examples show that the user interface, which is often largely
ignored, can indeed play a role in securing a system.
As is pointed out in the previous paragraph certain design issues will influence
the overall security of the system to a large extent.
UI
partition
re-initialization presentation
of interface formats
elements
Server
Logic presentation
partition formats
Server
Storage presentation
partition formats
Server
71
THE CONSOLIDATED FRAMEWORK
before usage and de-initialized after usage. This is indicated in Figure 8-1 in
the “confidentiality” column by the label “re-initialization of interface elements”.
In the logic and storage partitions the decision for the initialization of visual
information objects lies with the client (presentation logic sub-module) and the
entry is therefore in the “client” rows. In the UI partition, however, the
presentation logic sub-module resides on the server, thereby placing control
over the visual interface objects with the server. This would, for example,
point to the initialization of list boxes in order to ensure that the contents of a
list box is always in line with the user’s security profile.
A bad user interface can render a functional system useless. One such issue
is consistency, i.e. standardization as far as the design of the interface is
concerned. The utility value of information can be greatly enhanced by the
correct decision on the presentation format to use. The security framework
represents this information by the entries “user interface design” and
“standardization of interface” in the “client” row of the “utility” column for all
three partitions. The entry “presentation formats” in the “server” row, “utility”
column for the UI partition indicates that those decisions lie with the server. In
the logic and storage partition the entry “presentation formats” is in the “utility”
column and the “client” rows, indicating that the client makes presentation
decisions.
Certain issues could not be addressed using the chapter framework. It is the
purpose of these paragraphs to briefly position certain other issues in terms of
the security framework.
72
THE CONSOLIDATED FRAMEWORK
software and are therefore reflected in the security framework in the “integrity”
column for all three partitions’ “client” and “server” rows.
The electronic signature allows us to proof the integrity of the message due to
the one-way nature of the hash function. It also proofs the origin of the data
(authenticity) as only the public key that pairs with the private key of the
signee could successfully yield the result. The signee is the only one in
possession of his private key.
Due to the complex processing involved the UI partition does not lend itself to
the implementation of electronic signatures for communication purposes. The
entry “electronic signatures” therefore only appears in the “server” row of the
UI partition for the “authenticity” column. For the “logic partition” and “storage
partition” rows the entry “electronic signatures” appear in both the “client” and
“server” rows for the “integrity” and “authenticity” column.
The matrixes that were presented throughout this chapter can now be
consolidated to form the complete framework (Figure 8-2). No explanation as
to the reason why any entry is placed in a specific position will be provided in
this section since it has already been done in the relevant section.
73
THE CONSOLIDATED FRAMEWORK
In Figure 8-2 the terms “control attribute package” and “ACLs” are combined
by using the entry “access control structures”. The motivation behind this
consolidation is that both the control attribute package and ACL are structures
that controls access to objects.
The next chapter will illustrate how the framework can be utilized to assist in
the securing of systems in the client/server environment by applying it to an
electronic document management system.
74
THE CONSOLIDATED FRAMEWORK
Client
MACs, hash functions, property rights; trade interface deign;
UI partition checksums and EDC secrets consistent interface
audit facilities;OSI level security attribute server;
security labels; storage trusted recovery copyright; intellectual documentation;
services; MACs, hash electronic signatures and memory object re- techniques; trusted property rights; trade presentation formats
functions, checksums use; control attribute facility management secrets; off-site backups
and EDC package; secure
Server
association server; inter-
domain service;
cryptographic service;
firew alls; access control
structures
OSI level services; Kerberos client softw are; security labels; memory configuration copyright; intellectual documentation; user
electronic signatures; electronic signatures object re-use; certificate; management; recovery property rights; trade interface deign;
Client MACs, hash functions, cryptographic service; planning; DCE runtime; no secrets consistent interface;
checksums and EDC control attribute package; Java, no automatic presentation formats
firew alls; access control application launches
Logic partition structures
audit facilities; OSI level security attribute server; security labels; storage trusted recovery copyright; intellectual documentation
services; electronic Kerberos server and memory object re- techniques; trusted property rights; trade
signatures; MACs, hash softw are; KAS, TGS; use;control attribute facility management; DCE secrets off-site backups
functions, checksums directory server; package; secure runtime; DFS
and EDC electronic signatures association server; inter-
Server
domain service;
cryptographic service;
ACLs; firew alls; limit
execution rights; limit root
environment; access
control structures
OSI level Kerberos client softw are; security labels; memory configuration copyright; intellectual documentation; user
services;electronic electronic signatures object re-use; certificate; management; recovery property rights; trade interface design;
signatures; MACs, hash control attribute package; planning; DCE runtime; no secrets consistent interface;
functions, checksums secure association Java, no automatic presentation formats
Client
signatures; MACs, hash softw are; KAS, TGS; cryptographic service; facility management; DCE secrets off-site backups
functions, checksums directory server; firew alls; limit execution runtime; DFS
and EDC electronic signatures rights; limit root
environment
75
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
9.
9 AN ELECTRONIC DOCUMENT
MANAGEMENT SYSTEM AS CASE
STUDY
The first section defines certain terminology that is crucial throughout the rest
of the chapter. Some security problems that are experienced in this
environment are then discussed. This chapter is concluded by showing how
the security framework can be used to solve some of these problems.
9.1 Terminology
Electronic
The term electronic in this concept indicates two things. Firstly it indicates that
the management will be done with the aid of computers, and secondly it
indicates that the documents (or at least some of them) will be stored on
electronic media.
Document
76
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
Management
The term management indicates that control is exercised over the document
throughout its lifecycle. In order to sensibly manage any document,
information about the history of that document is needed.
Company overview
Proposal
Index information
Discipline Electrical
Quotation
+
etc.
Sample
contract
Image information
Electronic
file
/shared area/compovw.doc
System
1
Definition of image on the next page.
77
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
Revision control
The concept of revision control has a legal origin. In order to be able to prove
the legality of a decision or statement in a court of law it is necessary to be
able to exactly track the state of any supporting documentation at the date of
the alleged irregularity. This process of keeping a document in all its released
states is being referred to as revision control. The index information of a
document will reflect these changes in the revision of a document.
Image
Red-lining
The term red-lining originates from the traditional drawing office. Changes to a
drawing were done in red ink, thus the term red-lining. This term overflowed
into the commercial documentation arena and currently refers to the making
of notes (comments, annotations) on a document with the intent of creating a
revision (new version) of that document.
78
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
79
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
LAN / WAN
Print server
printer
Directory
server
Workstation
Image
manipulation
server
Database
server
Scan station
scanner
UI partition
electronic signatures security labels; storage trusted recovery
and memory object re- techniques; trusted
Server
softw are; KAS, TGS; and memory object re- techniques; trusted
directory server; use; access control facility management; DCE
electronic signatures structures runtime; DFS
electronic signatures Kerberos client softw are; security labels; memory configuration
electronic signatures object re-use; secure management; recovery
Client
80
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
Security labels are needed to classify the documents and the users. These
labels will have a hierarchical structure. For example, if the labels top-secret,
secret, confidential and open have been identified, then the hierarchy would
indicate that user with a security label top-secret can also access documents
with security labels top-secret, secret, confidential and open. A user with a
security label of confidential can access documents with a security label of
confidential and open. This is in line with the mandatory access control policy
presented by the TCSEC [DODS85].
The access control structures could furthermore provide for the type of access
to be controlled. Type of access refers to the operations that can be
81
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
performed on the document, e.g. view, create new, delete, redline or revise a
document.
82
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
correct document at all. The question can be broken down into essentially two
issues: integrity of the document and authenticity of the information.
The security framework (Figure 9-3 refers) again provides us with certain
solutions. When evaluating the integrity and authenticity columns of the
framework it can be seen that electronic signatures could offer a solution to
both the issues.
The public key of a user can decipher the signature if and only if it was signed
by using the private key of that user. The use of an electronic signature can
therefore also proof that the document originated from its claimed origin.
Security labels
83
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
Changing of the security label therefore does not solve the problem, but rather
introduces more problems.
Provision for this situation could be made in the access control structures by
allowing changes to the access control structures. It is foreseen that
delegation of authority will be a specific right in the access control structure
and that a user will need that and at least the rights that he is trying to
propagate. Because of the very specific nature of the access control
structures this may be done for specific documents.
84
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
A possible way of solving this problem would be to use viewers for the native
application files and only access a file through the editor if the user specifically
possesses edit rights. This situation would require good configuration
management on the clients. According to Figure 9-3 is evident that
configuration management of the clients could influence availability of
information in the logic and storage partitions. It is furthermore obvious that if
a specific viewer is not available on a client workstation that availability of the
information to view-only users using that workstation is severely hampered.
85
AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM AS CASE STUDY
Using a file system such as the one provided by OSF DCE, called DFS can
solve the availability issue. DFS ensures availability, but also relies on the
authentication mechanisms provided by DCE.
It can therefore be seen that the solution provided by OSF DCE DFS attends
to both the availability and confidentiality requirements of this problem. Again
it should be noted that this solution is not possible within the UI partition. This
is a result of the logic involved with the DCE runtime that has to be present on
the client.
9.4 Conclusion
86
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
The biggest problem today with most security efforts is the lack of a corporate
information security policy [WOOD94]. For a successful security implementation
in the client/server environment it is vital that management supports a
direction giving set of policies. Policies are the primary building blocks for any
security effort.
87
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
This leads to the next question: What should managers be concerned about?
88
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
the network, which in turn is closely linked to the growth within the
organization as such. This again emphasizes the importance of developing a
corporate information security policy that can govern the extension of the
system along certain lines.
The following section will attempt to answer the first question by discussing
some of the attributes of a client/server environment that distinguishes it from
a centralized environment.
89
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
From the foregoing it is evident that the needs of the client/server environment
vastly differ from that of the centralized environment. In the following section it
is considered what the typical components of an information security policy for
the client/server environment should be.
90
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
The policy will also be influenced by the attributes for secure information that
need protection. For example, if confidentiality is not much of an issue then
implementing extensive measures to ensure confidentiality of information will
not be necessary. The security framework presented in Chapter 8 can serve
as a guideline to determine information security requirements that are
applicable to secure a specific environment.
A “network security policy” can state general issues in terms of security that
pertain to the whole networked environment. It sets out responsibilities and
general guidelines for security in the organization.
As a result of the variety of resources that can form part of the client/server
91
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
The network security policy should clearly state general roles, responsibilities
and functions [SYMO94]. The following statements reflect the aforementioned
characteristics:
The Information Security Department owns the information security policy and
no deviation from it is allowed without proper investigation by and written
permission from the Information Security Department.
92
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
It should also include certain rules that have to be applied throughout the
system. This could, for example, include how access to the network will be
negotiated.
The network policy can also stipulate how the network should be partitioned in
different security domains. This would specify the grouping of clients and
servers in computing realms.
93
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
The network security policy should also address the issue of encryption
across the network. Firstly it should state whether encryption will be used at
all. If encryption is used it should state whether a symmetric key scheme or a
public key scheme is going to be used. It will furthermore state how the
distribution of keys is going to be managed.
The “server security policy” will state the conditions that have to be met before
a server can participate in the client/server environment of the organization.
Information in this policy can range from standards that were set on the
acquisition of server machines through to policy statements on the
development of software on the server.
package; secure
association server; inter-
domain service;
cryptographic service;
UI partition firew alls
audit facilities; electronic security attribute server; security labels; storage trusted recovery copyright; intellectual documentation
signatures; MACs; hash Kerberos server and memory object re- techniques; trusted property rights; trade
functions softw are; KAS, TGS; use;control attribute facility management; DCE secrets; off-site backups
directory server package; secure runtime; DFS
Server
functions softw are; KAS, TGS; cryptographic service; facility management; DCE secrets; off-site backups
directory server firew alls; limit execution runtime; DFS
Storage rights; limit root
partition environment
94
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
Figure 10-2 can be used to determine issues that should be addressed by the
server security policy. Firstly the attributes that need protection have to be
identified. It may be determined that integrity of information is important, but
that confidentiality may not really be an issue. Thereafter the client/server
partition that is implemented should be established, i.e. it should be
determined whether a logic, storage or UI partition is implemented. Finally the
entries in the cell formed by the intersection can be read off and a policy
statement built around it.
The rest of the discussion is structured around the security attributes that are
protected and provides example statements that can be included as part of
the server security policy.
Integrity
Regardless of the partition implemented the integrity of all data stored on the
server must be ensured by the use of standard OSI level services, like
checksums.
Authenticity
For the purpose of supporting public key encryption schemes the Information
Security Department will make an enterprise-wide directory server available.
Generation of the private-public key combination is done off-line by the
Information Security Department.
95
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
Confidentiality
All network traffic entering or leaving the organization must traverse the
firewall of the organization.
All objects stored on the server have to have the necessary security labels
associated with them. The security labels should be in accordance with the
standard set by the Information Security Department.
All development done on the server should ensure that objects which are
accessed and stored are properly initialized and that any representation of the
objects are cleared from any form of temporary storage as soon as they
become not relevant to the processing tasks.
Access to servers from clients and servers outside the domain must be
facilitated by an inter-domain service. The inter-domain server will determine
the access rights that a user from outside the domain will be allocated by
translating the security attributes between the different domains.
Availability
Daily incremental backups of the server should be made. A full backup of the
server has to be made once a week.
Possession
96
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
Client
UI partition signatures property rights; trade secrets interface design; consistent
interface
OSI level services; electronic Kerberos client software security labels; memory configuration management; copyright; intellectual documentation; user
Client signatures object reuse; certificate; recovery planning; DCE property rights; trade secrets interface design; consistent
cryptographic service; runtime; no Java, no interface; presentation
Logic partition control attribute package; automatic application formats
firewalls; access control launches
structures
OSI level services;electronic Kerberos client software security labels; memory configuration management; copyright; intellectual documentation; user
signatures object reuse; certificate; recovery planning; DCE property rights; trade secrets interface design; consistent
control attribute package; runtime; no Java, no interface; presentation
secure association service; automatic application formats
Client
Utility
The “client security policy” will govern the joining of client workstations to the
corporate client/server network. It should include technical specifications and
standards to be adhered to by client workstations. This includes specifications
such as the permitted operating systems and all specialized software that
should be able to run on the client.
97
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
Some examples are given according to the security attributes that are
protected.
Integrity
All client software should use standard OSI level techniques, like checksums,
to ensure the integrity of the communications taking place between client and
server.
When utilizing either the logic partition or the storage partition electronic
signatures should be used to sign sensitive information. This would allow for
verification of the integrity.
Authenticity
Confidentiality
When client software is developed for either the logic or storage partition the
client should retain any security labels and access control structures
pertaining to objects passed to it from the server.
Client software developed for the client in a logic partition or the storage
partition should retain objects for the shortest possible time. Any storage area
used for temporary access for objects should be properly re-initialized after
the objects have been used in order to prevent illegal object re-use.
98
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
company’s firewall.
Availability
It is specifically crucial for the logic and storage partitions to have a proper
configuration management system available in order to ensure that all
possible breakdowns can be catered for.
Should any client workstation utilize specialized software not normally used in
the organization the Information Technology Department should be provided
with a proper backup copy that can be installed should the client workstation
break down. The Information Technology Department should also be formally
notified of any specific hardware requirements of such specialized software.
Possession
All information retrieved via a client workstation is the property of the company
and is as such protected by the relevant legislation regarding copyright,
intellectual property rights and trade secrets. Thus no user is allowed to make
a copy of the information or to use the information except for explicit business
purposes.
Utility
For all client related issues proper documentation should be provided. This
documentation must be made available in an electronic form at allowing it to
be accessed from any client workstation.
The user interface design of any client software must be formally matched to
the usability factor of consistency.
For client software developed under the logic or storage partition the software
99
SECURITY POLICIES FOR THE CLIENT/SERVER ENVIRONMENT
10.6 Conclusion
100
CONCLUSION
11
11. CONCLUSION
Aforementioned activity presented proof that the needs of clients and servers
in the client/server environment differ according to the client/server partition
implemented. The presented security framework distinguishes between the UI
partition, the logic partition and the storage partition. It can therefore be used
as a tool to establish the security needs required by a specific client/server
environment.
101
CONCLUSION
This study also lead to the identification of specific areas for further research
which are discussed in the following paragraphs.
It is believed that this study, and any other studies that might result from this,
can assist in securing the rapid growing electronic environment.
102
BIBLIOGRAPHY
A BIBLIOGRAPHY
[CAEL92] Caelli, W.J., Rhodes, A.W. and Russell, N.C., “An Evaluation of
HP-UX (Unix) for Database Protection Using the European
ITSEC”, Computers and Security, Vol. 11, 1992, pp. 463 - 479
[DAVI89] Davies, D.W. & Price, W.L., “Security for Computer Networks”,
2nd Edition, John Wiley & Sons, 1989
[DEIT97] Deitel, H.M. & Deitel, P.J., “Java – How to program”, Prentice
Hall, 1997
103
BIBLIOGRAPHY
[DIXO96] Dixon, R., “Client/Server and Open Systems”, John Wiley &
Sons, 1996
104
BIBLIOGRAPHY
105
BIBLIOGRAPHY
106
BIBLIOGRAPHY
[SCOT96] Scotkin, J., “Business uses for Java”, Datamation, March 1996,
Vol. 42(5), pp. 40 – 42.
[STEI96] Stein, L.D., “The World Wide Web Security FAQ”, http://www-
genome.wi.mit.edu/WWW/faqs/www-security-faq.txt, 1996
[SOL96b] Von Solms, B., “Information Security – The Family Member Who
Came Home”, South African Computer Journal, Number 17,
September 1996
107
ARTICLE
B
12. ARTICLE
The article included has been submitted to, accepted by and presented at the
workshop of the International Federation of Information Processing’s
Workgroup 11.2 on Small Systems Security that took place in Copenhagen,
Denmark on the 13th May 1997. One of the areas of interest of the
aforementioned workgroup is client/server security.
108
Management considerations for securing a
distributed client/server infrastructure
Abstract
This paper is firstly aimed at defining the client/server environment, with specific reference
to partitioning a client/server platform. The term “partitioning” in a client/server environment
refers to the location of the user interface, the logic and the information storage modules on
either the client or the server, or on both. Typically, this could be a user interface and
application that run off a client and the database that stores the information that resides on the
server.
The relative importance of the specific partition chosen for the client/server environment
with respect to six attributes of secure information is discussed. Each of these attributes is
discussed, identifying the standards and/or techniques that are relevant to maintain secure
information in the client/server environment.
The partitioning directly impacts on the security of the system for the different attributes,
which, in turn, have a considerable impact when securing a distributed client/server
infrastructure.
Keywords
usage. What can be considered a server in one set of circumstances may well be deemed to be
a client in another set of circumstances.
Client/server applications can be partitioned in the same way as that in which non-
distributed applications are partitioned into three components (see Figure 1): (1) the user
interface, (2) the logic and (3) the information storage modules [HART95]. The user
interface module controls user interaction and the information storage module is responsible
for writing to and reading from a variety of media. The logic module is responsible for all the
processing and can as such, be divided into three sub-modules. The Information logic sub-
module accesses the information storage system and controls the distribution of data. The
Presentation logic sub-module is in control of how information will be displayed and it
evaluates the user input. The Application logic sub-module is responsible for the
computational-intensive tasks.
The said partitioning is important because of the following two reasons:
(1.1) The modules will be distributed among multiple nodes (clients and servers)
depending on the exact partition chosen for the specific client/server
implementation.
(1.2) The specific way of partitioning could severely impact on the security of the
system. For example, responsibility for the integrity of information in a
database could lie with either the server or the client, depending on the partition
chosen. The database management system (DBMS) could be responsible for
overseeing the integrity of the data that gets stored by it, thus placing the
responsibility at server level. Alternatively, the integrity rules could be
implemented on client-application level.
Storage partition
This partition represents a widely used client/server platform. Vendors develop products for
multiple platforms. Because the level of security differs between commercial databases,
certain issues, e.g. integrity checking, frequently get addressed by the application program.
The server, therefore, merely performs a storage function. All other functionality is shifted to
the client.
Identification of the user is done by the client. Authentication and authorization involve
both the client and the server. Access control for the application could be governed by the
client, whilst access to the database is governed by the server.
Any application submitting information to the database must check that the integrity of the
database is not compromised by any manipulation of the values. This, however, leaves the
preservation of the integrity of the database to “good faith”, as anybody that can gain access
to the database could, be it intentionally or unintentionally, compromise the integrity of the
data.
UI partition
Logic Module
SERVER
CLIENT
Logic partition
Logic Module
SERVER
CLIENT
Storage partition
Possession
Client/server
Availability
partitions
Integrity
Utility
UI partition S cS3 S S S cs
Logic partition S CS3 S cS cS C
Storage partition Cs CS3 cs CS CS C
C: Client highly significant S: Server highly significant
c: Client less significant s: Server less significant
3: Third party significant
1.2 Information security and client/server partitions.
Since the role of the client and the server hinges upon and varies according to the chosen
partition (refer Figure 2), it follows that the importance of the client and the server with
respect to the information security of the system will also depend on the exact
implementation.
Given the structure of the client/server partitions as defined in paragraph 1.1, a structure or
paradigm is required in terms of which the information security impact of the various
partitions could be studied. The following six attributes of secure information presented by
[PARK95] are considered: integrity, authenticity, confidentiality, availability, possession and
utility. Following, a discussion on the security impact of each of the client/server partitions
mapped onto the said security attributes. This discussion is formatted according to Table 1.
1.2.1 Integrity
The term “integrity” is defined as “the protection of the contents of information”, i.e. the
impact on the correctness, completeness and consistency of data. The integrity of the data is
threatened not only when information is being stored, but also when it is being transmitted.
Let us consider integrity at storage level. The modules involved in the storage of
information are the information storage module and the information logic sub-module. As
depicted in Figure 2, the location of the information logic sub-module differs from one
partition to the next. In the UI and the logic partitions both the information storage module
and the information logic sub-module are located on the server, with the result that the
responsibility will solely rest with the server. This set of circumstances is aptly labeled with a
capital “S” in the rows “UI partition” and “Logic partition” (Table 1).
Now consider the storage partition, where the information logic resides on the client, thus
shifting some of the responsibility for integrity to the client. From this, it follows that all
application systems will bear responsibility for the preservation of the integrity of a system,
even though, through this arrangement, the possibilities for integrity violations are thrown
wide open. The server will only be held responsible for correctly writing information to the
media. This is indicated in the “Storage partition” row of Table 1 by a capital “C” and a small
“s”.
Preserving the integrity of the data while it is being transmitted (or at least detecting
unwanted alterations) is an important issue. The integrity of data can be preserved thanks to a
variety of techniques ranging from the use of checksums and parity bits to cyclic redundancy
checks [DAVI84].
1.2.2 Authenticity
1.2.3 Confidentiality
“Confidentiality” refers to the “who has access to what” in a system and, therefore, includes
aspects such as authorization and/or access control. The confidentiality of information within
the client/server environment could be threatened in the following three different ways:
(a) The first threat could be encountered at the storage level of the data. If an intruder
were to gain access to the data files of the database on the server, he could possibly
obtain some information by analyzing those data files. Encrypting the data files
would, however, make this analysis more difficult and time-consuming. The server-
operating system should, therefore, provide the necessary access control restrictions
to the server.
(b) The data could be intercepted whilst being transmitted across the network. This could,
however, also be countered through the application of cryptographic techniques.
(c) The definition of security profiles for the users and the information could also pose a
confidentiality problem. Maintaining security profiles are a time-consuming,
resource-intensive operation. If not done with the necessary care, a user could
accidentally be given the incorrect rights, thus enabling him/her unlawfully to access
confidential information. This argument also extends to the classification of
information. If the information were wrongly classified, then users who should not be
able to access that information might indeed be allowed to do so. The maintenance of
the user profiles, as well as the maintenance of the classification of information,
requires resources that must be made available by management, which would, in turn,
have an effect on the security policy of the organization.
In the UI and logic partitions, the server-operating system will be responsible for the
protection of the data files, whilst the information logic sub-module will be responsible for
the interpretation of the access-control list (ACL), possibly introducing a filter on the queries.
The client, therefore, does not play a significant part in the confidentiality of the information,
as the major responsibility for this function rests with the server. Table 1 indicates this with a
capital “S” in the confidentiality column for rows “UI Partition” and “Logic partition”.
In the storage partition, the role of the server-operating system stays the same, even though
the information logic sub-module resides on the client and the responsibility for the
interpretation of the access-control lists, therefore, rests with the client, thus reducing the
server responsibility. The “Storage partition/Confidentiality” entry of Table 1 indicates this
with a small “s” and “c”.
1.2.4 Availability
The concept of “availability of information” refers to the fact that information will always be
available to authorized users. Availability of the information is, in turn, influenced by the
availability of the clients and the servers.
In the case of an unavailable server, the availability would influence the entire
environment, whereas an unavailable client would merely influence the availability at that
specific client. It could, therefore, be argued that although the unavailability of a subset of
clients does influence the availability of information, it does not cause a complete loss of
availability.
In the storage partition, the state of the data could be dependent on automated processes
being performed by the application logic sub-module. If this were the case, then the
necessary data might not be available if a client were not available. This argument could also
be extended to include a fully distributed environment, in terms of which an unavailable
client would implicate an unavailable server, as the client and the server could switch roles as
required. Such a fully distributed environment would indicate that either the logic partition or
the storage partition is implemented, as the UI partition does not allow for any processing on
the client.
The part the server plays in the availability of information is stressed in Table 1 by
indicating a capital “S” in the “Availability” column in Table 1 for all rows. Table 1 indicates
the relatively insignificant role of the client by altogether omitting an entry for it from the UI
partition row. In the Logic partition, the potential importance of the client (in a fully
distributed environment) is indicated by including a small “c” in the “Logic
partition/Availability” entry. In the storage partition, the client could play an important part
in generating data for the database and, in a fully distributed environment, that would even be
more likely. The “Storage Partition/Availability” entry in Table 1, therefore, includes a
capital “C”.
1.2.5 Possession
The phrase “information security attribute of possession” refers to the concept of having
information at one’s disposal. It is different from availability in that although information is
possessed by an user it might still not be available for utilization by that user. Losing
possession of such information would, therefore, indicate that the company does not have the
information at its disposal any more. This could happen if the information were physically
stolen -- in the client/server environment, therefore, if somebody were to steal the server or at
least the disks containing the data. This danger could be averted by ensuring that proper
physical server-access controls are implemented.
Another possibility for possession being lost is if the disks containing the data were
damaged (owing to a disk crash or a flood). A company could only recover from such
incident if proper backups of the information had been made and care had been taken as to its
storage. This would change the loss of possession to loss of availability in case of a flood.
The importance of the server is stressed in Table 1 by marking the “Possession” column for
all partitions with a capital “S”. In the UI partition, the client involvement is limited to
displaying the information and could, therefore, not play a significant part in protecting the
possession of information. The logic and storage partitions, however, make intensive use of
the information through the application logic sub-module and the presentation logic module
that are situated on the client. Loss of the client could, therefore, also indicate the possibility
of exclusive possession of the information being lost. As in the case of the argument being
advanced in paragraph 1.2.4 for the availability of data, the risk of complete loss of
possession when losing a client in a fully distributed environment is considerably greater.
The importance of the client in the Logic and Storage partitions is indicated in Table 1 with a
small “c” in the corresponding rows of the “Possession” column.
1.2.6 Utility
The utility value of the data is determined by how useful the data is, i.e. the extent to which it
conforms to the users’ requirements, which are, in turn, determined by the way in which the
data is presented to the user by the application. If this attribute is not protected in its own
right, the data, which could be sound and authentic, possessed by the legal owner and
available only to authorized parties, could be of as little value as when it does not possess any
of these attributes.
The presentation function is to be performed by the user interface and the presentation
logic. These modules, in the case of the Storage and Logic partitions, reside on the client. In
Table 1, the importance of the client is stressed through the use of a capital “C” in the
corresponding rows. The server is omitted from the “Logic partition” and the “Storage
partition” rows in Table 1 because it has no relevance in presenting the data to the user.
In the case of the UI partition, however, the presentation logic resides on the server. This
places the responsibility for the presentation on the server, thereby directly influencing the
utility value of the data. The burden on the client is relieved in that the client will only
display whatever the server returns and in that it will not make any decisions on the
presentation. The responsibility is, therefore, shared between the client and the server,
indicated by the small “s” and “c” in the “UI partition/Utility” entry in Table 1.
1.3 Information security services and mechanisms for the various
client/server partitions
In paragraph 1.1, various client/server partitions were defined. Paragraph 1.2 contained a
detail discussion of the information security issues obtaining to each of these partitions in
terms of the six attributes of secure information. The next step, will therefore be to define a
framework that could be used when securing a client/server environment. Table 2 (next page)
graphically represents the security services and mechanisms in the form of a matrix, with the
different partitions given as the rows and the security attributes as the columns. This matrix
could be used to determine what measures need to be implemented in a specific client/server
installation.
In order to use the matrix, the user would need to identify the partition to be implemented.
Furthermore, the required level of security needs to be decided, that is the security attributes
that need to be present. For example, if the information that is present in the environment
could be considered not sensitive (in other words, suitable for access by all users who have
access to the system), then the confidentiality issues with respect to the authorization are not
important.
In order to explain how Table 2 could be used, we will consider a few entries in it:
UI partition/Authenticity
In the UI partition, the client responsibility is limited to the display of information. This does
not imply that the client has no intelligence, however, but merely points to the fact that the
main decisions regarding the presentation of the user interface reside with the presentation
logic on the server. In order to allow for authentication techniques such as Kerberos to
function in this environment, the client should be able still to do encryption and decryption. If
Kerberos is employed as the authentication technique, then the client will capture the user-
ID, send it, together with a request for a ticket-granting ticket, to the authentication server
(AS) and receive a ticket back that is encrypted by the AS with the user password. The client
then prompts the user for a password and tries to decrypt the ticket, using the supplied
password as key. If successful, the client receives a session key from the AS, which is used in
subsequent messages in the protocol to encrypt sent messages.
At server level, we could distinguish three kinds of servers that need to be present (in the
Kerberos case), namely the authentication server, the ticket-granting server and the
application server. These services could be provided either by a single machine or they could
be distributed among three machines. The authenticity of information can be proven by
digitally signing the information before it is stored. The server can vouch for the authenticity
of the data, as it was encrypted using a private session key. In order to sign the information a
public-key encryption scheme is used. Data signed by A (encrypted with the private key of
A) can only be decrypted using the public key of A and, as such, advance proof of
authenticity.
Table 2 Information security services and mechanisms for the various client/server partitions
Client
decryption. made available
Integrity rules on Authentication protocol ACLs (id and/or role- Backup procedures; Physical security: access Presentation formats, e.g.
database or application involving third party. based). disaster recovery plans; control to disaster- graphs, charts and maps.
level. Kerberos AS and TGS. Encryption & decryption. RAID; automated resistant secure area.
Server
Hashing, error detection. Digital signatures. Firew alls. processes; redundant Backups stored off-site.
routing.
Hashing, error detection, Kerberos client softw are. Firew alls. Speedy replacement of Replication of databases. User interface design;
parity bits. Unw rapping of X.509 faulty equipment; Access control. standardization of
Logic certificates. redundant equipment Backups. interface (consistency);
partition
Client
made available presentation formats, e.g.
graphs, charts and maps.
Integrity rules on Kerberos authentication ACLs (id and/or role- Backup procedures; Physical security: access
database or application server and ticket-granting based). disaster recovery plans; control to disaster-
level. server. Encryption & decryption. RAID; automated resistant secure area.
Server
Hashing, error detection. Off-line generation of Firew alls. processes; redundant Backups stored off-site.
certificates by CA. routing.
Integrity rules in Kerberos client softw are. ACLs. speedy replacement of Replication of databases. User interface design;
application Unw rapping of X.509 Firew alls. faulty equipment; Access control. standardization of
Storage certificates. redundant equipment Backups. interface (consistency);
partition
Client
available presentation formats, e.g.
graphs, charts and maps.
Kerberos authentication Encryption of information. backup procedures; Physical security: access
server and ticket-granting Firew alls. disaster recovery plans; control to disaster-
server. RAID; redundant routing resistant secure area.
Server
Off-line generation of Backups stored off-site.
certificates by CA.
Logic partition/Integrity
Both the client and the server need mechanisms such as hashing, checksums and parity bits to
ensure that integrity problems are not introduced during transmission. Integrity of the data
when stored can be protected by defining the integrity rules as part of the database
(information logic sub-module). If this is not the case, the integrity rules can be implemented
as a special application logic sub-module which will reside on the server. Keeping the rules
on the server(s) and not at the client level, will reduce the possible points of attacks and
facilitate control.
Storage partition/Confidentiality
The server-operating system is responsible for protecting the data files. Encryption
techniques can be employed by the server to ensure that the data files cannot be read, even if
the access-control mechanisms of the server-operating system were bypassed. Information
and users need to be classified and accessed mapped in an ACL. The ACL may be stored in a
form of database (information-storage module), but is interpreted by the information logic
sub-module on the client.
The user also plays an important part in maintaining the confidentiality of the information.
Agreements between company management and the users must protect the company from
sensitive information being lost because of authorized users providing it to unauthorized
users.
Firewalls could be introduced between the company networks and other external networks
in order to ensure that unwanted communications do not take place. It can protect
confidentiality in two ways: firstly incoming traffic can only be allowed from certain places,
reducing the chances of unauthorized access to information. Secondly, “inside” users could
be limited only to communicate with certain “outside” addresses, thus reducing the chances
of users sharing sensitive information with outsiders.
1.4 Conclusion
In this article, proof is advanced that the client/server partition that is implemented does
influence the security requirements of an organization. These different security requirements
must be conformed to by implementing various security services and techniques, depending
on the level of security required. The security policy of an organization should, therefore,
clearly reflect these security requirements, with specific reference to the client/server
partition implemented and the security attributes that are protected by the various techniques.
The services and techniques referred to in the article are all relatively technical issues. It is
important to note, however, that the security policy should also provide for less technical
issues, such as agreements between the users in and the management of the organization.
Further work on Table 2 will prove invaluable in laying down security policies for a
distributed client/server environment.
2. REFERENCES
[COLE90] Cole, R. “A Model for Security in Distributed Systems”, Computers and
Security, Vol 9, 1990, pp. 319-330.
[COOP95] Cooper, F.J., et al., “Implementing Internet Security”, New Riders, 1995.
[DAVI89] Davies, D.W. & Price, W.L., “Security for Computer Networks”, 2nd Edition,
John Wiley & Sons, 1989.
[DEIT90] Deitel, H.M., “An Introduction to Operating Systems”, 2nd Edition, Addison-
Wesley, 1990.
[DELO93] Deloitte & Touche Management Consulting, “Information Protection and
Client-Server: New Approaches for New Environments.” 1993.
[DIXO96] Dixon, R., “Client/Server and Open Systems”, John Wiley & Sons, 1996.
[FRAN93] Francis, R., “The Search for Client/Server Security” Datamation v39, May
1993, pp 39-43.
[GOLL93] Gollman, D., Beth, T. & Damn, F. “Authentication services in distributed
systems”, Computers and Security, Vol 12, pp. 753-764.
[HART95] Hart, J.M. and Rosenberg, B., “Client/Server Computing for Technical
Professionals”, Addison-Wesley, 1995.
[HUGH95] Hughes, L.J., “Actually Useful Internet Security Techniques”, New Riders,
1995.
[ISO90] ISO/IEC 9594-8 “Information Technology -- Open Systems Interconnection --
The Directory -- Part 8: Authentication framework”, 1990.
[KANU94] Kanungo, S., “Identity authentication in heterogeneous computing
environments: A comparative study for an integrated framework”, Computers
and Security, Vol 13, pp. 231-253.
[KRUY91] Kruys J.P., “Progress in Secure Distributed Systems”, Computers and
Security, Vol 10, 1991, pp. 429-441.
[ORFA94] Orfali, R., Harkey, D & Edwards, J., “Essential Client/Server Survival
Guide”, John Wiley & Sons, 1994.
[PRES91] Press, J., “Secure Transfer of Identity and Privilege Attributes in an Open
Systems Environment”, Computers and Security, Vol 10, 1991, pp.117-127.
[REIT93] Reitenspiess, M., “Open Systems Security Standards”, Computers and
Security, Vol 12, 1993, pp.341-361.
[SINH92] Sinha, A., “Client-Server Computing”, Communications of the ACM, Vol 35,
No 7, 1992, p. 77-97.
[STRA93] Strauss, P., “LAN Boom paves the way for Client/Server”, Datamation, Nov
15, 1993, pp.40-48.
[SYMO94] Symonds, I.M., “Security in Distributed and Client/Server Systems -- A
Management View”, Computers & Security, Vol 13, 1994, p. 473-480.