X/Open Snapshot (1993) (Draft November 23, 1993)

X/Open Snapshot
Distributed Security Framework Working Draft
X/Open Company Ltd.

© November 1993, X/Open Company Limited
All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners.

X/Open Snapshot
Distributed Security Framework Working Draft
ISBN:
X/Open Document Number:

Published by X/Open Company Ltd., U.K.

Any comments relating to the material contained in this document may be submitted to X/Open at:

X/Open Company Limited
Apex Plaza
Forbury Road
Reading
Berkshire, RG1 1AX
United Kingdom

or by Electronic Mail to:

XoSpecs@xopen.co.uk

Contents

Chapter 1  Introduction                                                        1
  1.1      Distributed Security Framework - Snapshot                           1
  1.1.1    Purpose and Scope                                                   1
  1.1.2    Approach and Structure                                              1
  1.2      Distributed Security Framework - Guide                              4
  1.2.1    Purpose and Scope                                                   4

Chapter 2  Security Concepts                                                   7
  2.1      Introduction                                                        7
  2.2      Security Policy                                                     9
  2.3      Security Authority                                                  9
  2.4      Security Domain                                                    10
  2.5      Interactions and Inter-relationships Between Security Domains      12

Chapter 3  Threats                                                            15
  3.1      Introduction                                                       15
  3.2      Generic Threats                                                    15
  3.2.1    Unauthorised Modification                                          16
  3.2.2    Unauthorised Disclosure                                            16
  3.2.3    Unauthorised Use of Resources                                      17
  3.2.4    Denial of Service                                                  17
  3.2.5    Repudiation                                                        18
  3.3      Vulnerabilities and Methods of Attack                              18
  3.4      Unauthorised Modification                                          18
  3.4.1    System Software and Hardware Modification                          19
  3.4.2    Data Modification                                                  20
  3.4.3    Transmission                                                       20
  3.4.4    Storage                                                            21
  3.4.5    Processing                                                         21
  3.4.6    Modification of System Data                                        22
  3.5      Unauthorised Disclosure                                            23
  3.5.1    Transmission                                                       23
  3.5.2    Storage                                                            23
  3.5.3    Processing                                                         24
  3.5.4    Indirect Disclosure Vulnerabilities and Attacks                    24
  3.6      Unauthorised Use of Resources                                      25
  3.6.1    Discovery and Use of Authentication Credentials                    25
  3.6.2    Acquisition of Authorisations                                      26
  3.7      Denial of Service                                                  26
  3.8      Repudiation                                                        27
  3.9      Lack of Awareness and Utility                                      28
  3.10     Assessment of Threats, Vulnerabilities and Risks                   29

Chapter 4  Countermeasures                                                    31
  4.1      Introduction                                                       31
  4.2      General Strategy                                                   31
  4.3      Authentication                                                     32
  4.4      Authorisation and Access Control                                   33
  4.5      Accountability and Audit                                           37
  4.6      Availability                                                       39
  4.7      Administration and Management                                      39
  4.8      Assurance                                                          40

Chapter 5  Security Architectures                                             43
  5.1      Introduction                                                       43
  5.2      The Framework and System Security Architectures                    44
  5.3      Distributed System Security Architectures - Concepts and Models    45
  5.3.1    Basic Definitions and Concepts                                     45
  5.3.2    Distributed System Frameworks and Architectures                    45
  5.3.3    Security Domains                                                   47
  5.3.4    Trust                                                              50
  5.4      Information System Services and Security                           52
  5.4.1    Introduction                                                       52
  5.4.2    Portability and Interoperability                                   53
  5.4.3    Security Service Model                                             54

Chapter 6  Distributed Security Framework Baseline                            57
  6.1      Introduction                                                       57
  6.2      Types of System Security Architectures                             57
  6.2.1    Standalone System                                                  58
  6.2.2    Interconnected Systems                                             58
  6.2.3    Distributed Systems                                                59
  6.3      Baseline Distributed System Security Requirements                  59
  6.3.1    Authentication                                                     59
  6.3.2    Authorisation and Access Control                                   60
  6.3.3    Accountability and Audit                                           61
  6.3.4    Availability                                                       62
  6.3.5    Administration                                                     62
  6.4      Generic System Security Architecture                               62
  6.4.1    Sponsor Services                                                   62
  6.4.2    Authentication Services                                            63
  6.4.3    User Authentication Services                                       64
  6.4.4    Secure Association Services                                        65
  6.4.5    Access Control Services                                            65
  6.4.6    Audit and Accountability Services                                  66
  6.4.7    Repudiation Services                                               67
  6.4.8    Security Administration Services                                   67
  6.5      Mapping of Security to Major Functional Areas                      68
  6.5.1    General Approach                                                   68
  6.5.2    General Functional Requirements                                    69
  6.5.3    Operating System Services                                          69
  6.5.4    Communication Services                                             71
  6.5.5    Distributed Processing Support Services                            72
  6.5.6    HCI Services                                                       73
  6.5.7    Management Services                                                73

Chapter 7  Security Services                                                  75
  7.1      Introduction                                                       75
  7.2      Authentication                                                     75
  7.2.1    Introduction                                                       75
  7.2.2    Basic Service Model                                                76
  7.2.3    Management Services                                                76
  7.2.4    Operational Services                                               78
  7.2.5    Impact of Authentication Service on Primary Service APIs           79
  7.3      Access Control                                                     79
  7.3.1    Introduction                                                       79
  7.3.2    Basic Service Model                                                80
  7.3.3    Management Services                                                84
  7.3.4    Operational Services                                               85
  7.4      Impact of Access Control Services on Primary Service APIs          86
  7.4.1    Access Control Enforcing API / Security Selecting Caller           86
  7.4.2    Access Control Non-Enforcing API / Access Control Enforcing Caller 87
  7.5      Security Accounting and Audit Service                              87
  7.5.1    Introduction                                                       87
  7.5.2    Basic Service Model                                                88
  7.5.3    Management Services                                                90
  7.5.4    Impact of Audit Service on Primary Service APIs                    91
  7.6      Cryptographic Services                                             92
  7.6.1    Introduction                                                       92
  7.6.2    Basic Model                                                        92
  7.6.3    Management Services                                                92
  7.6.4    Operational Services                                               94
  7.6.5    Impact of Cryptographic Service on Primary Service APIs            94
  7.7      User Authentication                                                95
  7.7.1    Introduction                                                       95
  7.7.2    Basic Service Model                                                95
  7.7.3    Extended Service Model                                             96
  7.7.4    Management Services                                                97
  7.7.5    Operational Services                                               97
  7.8      Secure Association Service                                         98
  7.8.1    Introduction                                                       98
  7.8.2    Basic Service Model                                                99
  7.8.3    Management Services                                               102
  7.8.4    Operational Services                                              103
  7.8.5    Services Used Within An Association                               103
  7.8.6    Impact of Secure Association Service on Primary Service APIs      104

Glossary                                                                     107
Index                                                                        123

List of Figures

  2-1      The IT System as a Subdomain of the Enterprise Domain              8
  2-2      Security Domains                                                  10
  5-1      Security Domains in Distributed Systems                           50
  5-2      Security Service Model                                            54
  5-3      Security Unaware Caller                                           56
  5-4      Security Aware Caller                                             56
  6-1      Standalone System                                                 58
  6-2      Interconnected Systems                                            58
  6-3      Distributed Systems                                               59
  6-4      Generic Security Services                                         62
  7-1      Basic Authentication Service Model                                76
  7-2      Basic Access Control Service Model                                80
  7-3      Access Control Enforcing API / Security Unaware Caller            86
  7-4      Access Control Enforcing API / Security Selecting Caller          86
  7-5      Access Control Non-Enforcing API / Access Control Enforcing Caller 87
  7-6      Basic Security Audit Service Model                                90
  7-7      Security Audit Detecting API / Security Unaware Caller            92
  7-8      Security Audit Detecting Caller                                   92
  7-9      Cryptographic Mechanism Unaware Caller                            94
  7-10     Cryptographic Mechanism Aware Caller                              95
  7-11     Basic User Authentication Service Model                           95
  7-12     Extended User Authentication Service Model                        96
  7-13     Layered Nature of Associations Between Security Domains           98
  7-14     Basic Secure Association Service Model                            99
  7-15     Security Enforcing API / Security Unaware Caller                 104
  7-16     Security QOS Supporting API / Simple Security Selecting Caller   105
  7-17     Figure Title                                                     105
  7-18     Security Non-Enforcing API / Security Integrating Caller         106
  7-19     Example Disposition of Security Services in Association Establishment 106

Preface

X/Open

X/Open is an independent, worldwide, open systems organisation supported by most of the world's largest information systems suppliers, user organisations and software companies. Its mission is to bring to users greater value from computing, through the practical implementation of open systems.

X/Open's strategy for achieving this goal is to combine existing and emerging standards into a comprehensive, integrated, high-value and usable system environment, called the Common Applications Environment (CAE). This environment covers the standards, above the hardware level, that are needed to support open systems. It provides for portability and interoperability of applications, and allows users to move between systems with a minimum of retraining.

The components of the Common Applications Environment are defined in X/Open CAE Specifications. These contain, among other things, an evolving portfolio of practical application programming interfaces (APIs), which significantly enhance portability of application programs at the source code level, and definitions of, and references to, protocols and protocol profiles, which significantly enhance the interoperability of applications.

The X/Open CAE Specifications are supported by an extensive set of conformance tests and a distinct X/Open trade mark - the XPG brand - that is licensed by X/Open and may be carried only on products that comply with the X/Open CAE Specifications.

The XPG brand, when associated with a vendor's product, communicates clearly and unambiguously to a procurer that the software bearing the brand correctly implements the corresponding X/Open CAE Specifications. Users specifying XPG conformance in their procurements are therefore certain that the branded products they buy conform to the CAE Specifications.
X/Open is primarily concerned with the selection and adoption of standards. The policy is to use formal approved de jure standards, where they exist, and to adopt widely supported de facto standards in other cases. Where formal standards do not exist, it is X/Open policy to work closely with standards development organisations to assist in the creation of formal standards covering the needed functions, and to make its own work freely available to such organisations. Additionally, X/Open has a commitment to align its definitions with formal approved standards.

X/Open Specifications

There are two types of X/Open specification:

o CAE Specifications

  CAE (Common Applications Environment) Specifications are the long-life specifications that form the basis for conformant and branded X/Open systems. They are intended to be used widely within the industry for product development and procurement purposes.

  Developers who base their products on a current CAE Specification can be sure that either the current specification or an upwards-compatible version of it will be referenced by a future XPG brand (if not referenced already), and that a variety of compatible, XPG-branded systems capable of hosting their products will be available, either immediately or in the near future.

  CAE Specifications are not published to coincide with the launch of a particular XPG brand, but are published as soon as they are developed. By providing access to its specifications in this way, X/Open makes it possible for products that conform to the CAE (and hence are eligible for a future XPG brand) to be developed as soon as practicable, enhancing the value of the XPG brand as a procurement aid to users.

o Preliminary Specifications

  These are specifications, usually addressing an emerging area of technology, and consequently not yet supported by a base of conformant product implementations, that are released in a controlled manner for the purpose of validation through practical implementation or prototyping. A Preliminary Specification is not a "draft" specification. Indeed, it is as stable as X/Open can make it, and on publication has gone through the same rigorous X/Open development and review procedures as a CAE Specification.

  Preliminary Specifications are analogous with the "trial-use" standards issued by formal standards organisations, and product development teams are intended to develop products on the basis of them. However, because of the nature of the technology that a Preliminary Specification is addressing, it is untried in practice and may therefore change before being published as a CAE Specification. In such a case the CAE Specification will be made as upwards-compatible as possible with the corresponding Preliminary Specification, but complete upwards-compatibility in all cases is not guaranteed.

In addition, X/Open periodically publishes:

o Snapshots

  Snapshots are "draft" documents, which provide a mechanism for X/Open to disseminate information on its current direction and thinking to an interested audience, in advance of formal publication, with a view to soliciting feedback and comment.

  A Snapshot represents the interim results of an X/Open technical activity. Although at the time of publication X/Open intends to progress the activity towards publication of an X/Open Preliminary or CAE Specification, X/Open is a consensus organisation, and makes no commitment regarding publication. Similarly, a Snapshot does not represent any commitment by any X/Open member to make any specific products available.
X/Open Guides

X/Open Guides provide information that X/Open believes is useful in the evaluation, procurement, development or management of open systems, particularly those that are X/Open-compliant. X/Open Guides are not normative, and should not be referenced for purposes of specifying or claiming X/Open-conformance.

This Document

This document is a Snapshot (see above). It captures and presents part of the ongoing work of the X/Open Security Working Group on the Distributed Security Framework (XDSF). It is the first stage of a longer term programme to produce an X/Open Distributed Security Framework - Guide.

This document is structured as follows:

o Chapter 1 is an introduction.

o Chapter 2 introduces the top level information system security concepts, terms and models that are used within the framework.

o Chapter 3 describes security threats, vulnerabilities and methods of attack.

o Chapter 4 provides a general introduction to the range of measures used to counter security threats.

o Chapter 5 describes the concept of security architectures and the characteristics of the interfaces to security services.

o Chapter 6 identifies a set of generic security services designed to meet the requirements of security within information systems.

o Chapter 7 provides more detailed descriptions of generic security services.

There is a glossary at the end.

Intended Audience

The target audience for the XDSF Snapshot is principally the specifiers of X/Open interfaces.

Typographical Conventions

The following typographical conventions are used throughout this document:

o Italic strings are used for emphasis or to identify the first instance of a word requiring definition.

o Notations in square brackets, for example [ISO 10181-2], indicate reference to other publications. Where the contents of such publications are directly quoted, the quoted text is contained within double quotation marks (" ... ").
Trademarks

UNIX® is a registered trade mark licensed exclusively by X/Open Company Ltd.

X/Open™ and the "X" device are trade marks of X/Open Company Ltd.

Referenced Documents

The following standards are referenced in this specification:

Note: To be completed.

The following X/Open documents are referenced in this specification:

Note: To be completed.