Work Completed
- First prototype: Enterprise Networks
  - Environment: enterprise LAN, single administrative control, common knowledge of identities and keys
  - Completed July 1998
Security Architecture
- First version completed June 1998
Prototype Features
- Source authentication and integrity protection
- Hop-by-hop authentication and integrity protection
- Authorization of access to Node services based on source
Prototype Components
- Extension of ANTS, MIT's Active Network environment
- Ported to JDK 1.2 beta3/beta4 (from JDK 1.0.2)
- Used JDK 1.2 cryptographic interface
  - DSA is the only authentication algorithm available
Prototype Design
- Source signature over unvarying packet contents
- Variant packet contents
  - initial value included in packet; used in signature and verification
- Node policy relates permissions to key id in packet
- Incoming active applications are given a reference to a wrapper object instead of a reference to the Node API
- Wrapper object intercepts calls to Node services and checks policy
  - Source of request is checked as well as parameters of the service
- Redesign of class hierarchy of ANTS for extensibility (e.g., signatures) and provision for shareable resources
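Added illustration of the two design points above, not code from the ANTS prototype: the signature covers the unvarying packet fields plus the initial value of a variant hop count, so it still verifies after intermediate nodes decrement the live count, and active code is handed a wrapper object in place of the Node API that checks the packet's key id against node policy on every service call. HMAC-SHA256 with constructed shared keys stands in for the prototype's DSA signatures so the example runs on the Python standard library; the keys, policy table and service names are assumptions.

```python
import hashlib, hmac, json

# Constructed shared keys for the single-administration LAN setting (identities and keys are
# common knowledge). HMAC-SHA256 stands in for the prototype's DSA so this needs only the stdlib.
KEYS = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
# Hypothetical node policy: which Node services each key id (packet source) may invoke.
POLICY = {"alice": {"route", "store"}, "bob": {"route"}}

def signed_view(pkt):
    # Unvarying contents plus the initial value of the variant hop count, never the live value.
    return json.dumps([pkt["src"], pkt["payload"], pkt["hops_initial"]]).encode()

def sign(pkt):
    pkt = dict(pkt, hops=pkt["hops_initial"])  # live field starts at the signed initial value
    pkt["sig"] = hmac.new(KEYS[pkt["src"]], signed_view(pkt), hashlib.sha256).hexdigest()
    return pkt

def verify(pkt):
    key = KEYS.get(pkt.get("src"))
    if key is None:
        return False
    expected = hmac.new(key, signed_view(pkt), hashlib.sha256).hexdigest()
    return hmac.compare_digest(pkt.get("sig", ""), expected)

def next_hop(pkt):
    # A node changes the variant field in transit; the signature must still verify afterwards.
    return dict(pkt, hops=pkt["hops"] - 1)

class NodeAPI:
    def __init__(self):
        self.data = {}
    def route(self, dst):
        return "routed:" + dst
    def store(self, k, v):
        self.data[k] = v
        return "stored"

class PolicyWrapper:
    # Active code is handed this instead of the NodeAPI; every service call is checked
    # against the policy for the packet's key id before being passed through.
    def __init__(self, node, pkt):
        self.node, self.src, self.authentic = node, pkt.get("src"), verify(pkt)
    def call(self, service, *args):
        if not self.authentic:
            return "denied: source authentication failed"
        if service not in POLICY.get(self.src, ()):
            return "denied: %s may not use %s" % (self.src, service)
        return getattr(self.node, service)(*args)
```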
Work To Come
- Extension of protection to active code services and resources
  - adopt the same wrapper paradigm, generating wrapper code on the fly if possible
- Active code can change EE state (and therefore Node state), including leaving itself behind for other active code to use
- Packet can be modified by Node, EE or Active Code
Security Enforcement
- EE can create a separate subflow for active code
- EE relates a principal with the subflow
- EE informs NodeOS of the principal behind each NodeOS API call
  - otherwise, the call is mediated and charged to the EE principal
Policies
- Node, EE, Active Code and Packet Source all have policies governing their use:
  - Node: e.g., packets from the following source may use no more than K units of bandwidth
  - EE: code from the following author can install itself here
  - Active Code: active code from the following source may use my data
  - Packet Source: payload confidentiality must be protected
- Existing policies are safety properties
- Liveness properties not possible to ensure
  - rely on fairness assumptions
  - rely on design
- Ergo, cannot ensure that a requested service will be supplied
- Termination turned into a safety property
Network Operation
- Packet arrives and is assigned to a channel
- Active Code is executed in the channel
- Channel may transmit one or several subsequent packets
- Output packets have no necessary relationship to incoming packets
- Active Code, EE or Node may determine the route of outgoing packets