
Summer 2002
Volume 6
Number 2


Authentication: Are You Who You Say You Are?

by David Slattery

The multiplicity and unpredictability of today’s missions require the U.S. armed forces to be increasingly mobile and adaptable, while leveraging resources effectively across wide geographical and organizational spaces. This has led to an increased reliance on distributed computing systems. However, setting up and maintaining distributed systems under the strain of battlefield conditions and with limited manpower presents serious administrative challenges. Emerging approaches in distributed computing address many of these challenges by allowing software services to form dynamic groups in which they can discover each other’s services, agree on communication protocols, and interact with each other without requiring prior manual configuration. However, these new approaches also give rise to a number of security concerns. For example, how does one verify the authenticity of the services that form such self-configuring groups? Distributed computing systems need to address these concerns to protect the integrity, confidentiality, and availability of data and resources on the network. MITRE and the National Security Agency are currently researching and developing solutions to address these security concerns.

Our goals are to develop security solutions for distributed systems that can be readily tailored to meet the security requirements of individual environments, are easy to maintain, and are robust. We are currently prototyping these solutions with Sun Microsystems’ Jini Network Technology. Jini provides a distributed computing infrastructure that supports dynamic interaction between users and services, and a programming model for the construction of reliable services. Users and services use this programming model and infrastructure to call each other, discover each other, and announce their presence to other services and users.

One of the most critical security services is authentication, because it constitutes the cornerstone for additional security mechanisms such as authorization and auditing. Participants in a distributed system must be able to satisfy each other about their respective claims of identity. We therefore selected authentication as the first security service to implement in our prototype, a service greatly complicated by the distributed nature of the system.

We have developed a software prototype that uses X.509 digital certificates to authenticate the hardware and software services in Jini. The prototype allows Jini services and clients to authenticate each other and establish encrypted Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connections for use in secure communications. It also enables the client to authenticate the mobile code based on a digital signature before the code is executed. Having a trusted agency digitally sign the mobile code allows us to provide assurances that the mobile code comes from a trusted source and has not been altered or corrupted since it was signed.

One of the key tasks in designing distributed systems is to ensure the system is sufficiently flexible and extendable to adapt to diverse and evolving requirements. To address this challenge, our prototype leverages the Java Authentication and Authorization Service package, a Java version of the standard Pluggable Authentication Module (PAM) framework. The PAM framework allows applications to remain independent of authentication schemes, because it can integrate multiple authentication mechanisms by plugging them into an application at runtime. Application developers who use the PAM interface with a single high-level application programming interface are decoupled from changes in security policies and authentication mechanisms. System administrators have the flexibility of selecting one or more authentication technologies on the basis of their local security policy and are not required to modify each application. We are investigating possible incorporation of authentication technologies in addition to X.509 digital certificates, such as Kerberos and smartcards, via the PAM framework.

Although this prototype offers a flexible authentication scheme, it requires that each client or application manage and configure its own individual security mechanisms. This leads to increased system complexity. As a result, issues as basic as ensuring that all clients have the same security policy can become serious administrative burdens.

MITRE has created a second prototype that reduces the complexity inherent in such approaches by moving the bulk of the authentication processing to a centralized service. This allows users and applications to authenticate to a known and trusted entity. It also reduces the management complexity for system administrators, who would have only one service to maintain and monitor.

In addition, the second prototype has added support for authorization, a security service closely tied to authentication. When an entity successfully authenticates to our prototype, the service compares its identity to an authorization policy to determine the entity’s privileges and then issues an authorization token to the authenticated entity. This token is a digitally signed statement that contains information about the entity’s name, privileges, and any constraints on the token. The token can then be presented to a Jini service, which can use the token to determine what access privileges should be given to the owner.
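The token flow described above can be sketched as follows. This is an added example, not code from the MITRE prototype: the class name, the `name|privileges|notAfter|signature` layout, the RSA signature algorithm and the sample values are all assumptions chosen for illustration (requires Java 8 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

// Added illustration: token layout and algorithm are assumptions, not the prototype's format.
public class AuthzTokenDemo {
    // Central service: sign "name|privileges|notAfter" and append the Base64 signature.
    static String issue(PrivateKey key, String name, String privileges, Instant notAfter)
            throws GeneralSecurityException {
        if ((name + privileges).contains("|"))
            throw new IllegalArgumentException("'|' is reserved as the field delimiter");
        String body = name + "|" + privileges + "|" + notAfter.getEpochSecond();
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(body.getBytes(StandardCharsets.UTF_8));
        return body + "|" + Base64.getEncoder().encodeToString(s.sign());
    }

    // Receiving service: check the signature first, then the constraint.
    // Returns the granted privileges, or null if the token must be refused.
    static String verify(PublicKey issuerKey, String token, Instant now) {
        try {
            String[] f = token.split("\\|");
            if (f.length != 4) return null;
            String body = f[0] + "|" + f[1] + "|" + f[2];
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(issuerKey);
            s.update(body.getBytes(StandardCharsets.UTF_8));
            if (!s.verify(Base64.getDecoder().decode(f[3]))) return null; // altered or forged
            if (now.getEpochSecond() > Long.parseLong(f[2])) return null; // constraint: expired
            return f[1];
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return null; // malformed token: fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair issuer = g.generateKeyPair(); // stands in for the central service's key
        Instant now = Instant.now();
        // Constructed sample entity and privileges.
        String token = issue(issuer.getPrivate(), "printer-client", "print,status", now.plusSeconds(300));
        System.out.println("valid:    " + verify(issuer.getPublic(), token, now));
        System.out.println("tampered: " + verify(issuer.getPublic(), token.replace("print,status", "admin"), now));
        System.out.println("expired:  " + verify(issuer.getPublic(), token, now.plusSeconds(600)));
    }
}
```

The receiving service needs only the issuer's public key, so it can check privileges without contacting the central service on every request.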

These prototypes provide a powerful framework that can be extended to include other authentication and authorization technologies beyond those we have built and to support additional security services. And we see room for further improvement. When security services are centralized, they can be leveraged by many diverse applications and reduce administrative complexity, but they can also become desirable targets and a single point of failure. On the other hand, moving toward a fully distributed approach carries with it the additional risks and complexities associated with maintaining coordination, management, confidentiality, and integrity among multiple security services. Therefore, our goals for this year’s research strike a balance between these two approaches. Our primary emphasis will be on ensuring the fault tolerance of decentralized security services by distributing the services among a set of servers and using replication algorithms to mask faulty servers.

A primary question for the next prototype is how a group of distributed processes can agree on the authenticity of a user when a malicious adversary may corrupt some of the processes and disrupt the network. We believe that we can improve the system’s overall integrity by not completely trusting any single process, deriving results from the majority of correct processes, and increasing the quantity and diversity of authentication services that work in collaboration, and in this way decrease the risk of system-wide failure. We are currently researching ways in which a group of distributed and diverse authentication processes can reliably reach agreement on the authenticity of a principal through such techniques as distributed consensus algorithms and threshold cryptography.
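A minimal form of "not completely trusting any single process" is a fail-closed vote over replica verdicts. The sketch below is an added example, not the prototype under development: the replica names and verdict strings are constructed, and it assumes that votes arrive over mutually authenticated channels, that correct replicas reach the same verdict, and that at most f of the replicas are faulty (requires Java 16 or later for records).

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration, not the MITRE prototype: replica names and verdict strings are assumptions.
public class AuthQuorumDemo {
    // A vote as received from the network: which replica sent it and what it decided.
    record Vote(String replica, String verdict) {}

    // With at most f faulty replicas out of n >= 2f+1, f+1 ACCEPT votes from distinct
    // known replicas guarantee that at least one correct replica accepted the principal.
    static boolean authenticated(List<Vote> votes, Set<String> replicas, int f) {
        if (replicas.size() < 2 * f + 1)
            throw new IllegalArgumentException("need at least 2f+1 replicas");
        Set<String> accepting = new HashSet<>();
        Set<String> rejecting = new HashSet<>();
        for (Vote v : votes) {
            if (!replicas.contains(v.replica())) continue;   // ignore unknown senders
            if ("ACCEPT".equals(v.verdict())) accepting.add(v.replica());
            else rejecting.add(v.replica());                 // anything else counts against
        }
        accepting.removeAll(rejecting);   // a replica that said both is faulty: drop its ACCEPT
        return accepting.size() >= f + 1; // silence and timeouts never count as ACCEPT
    }

    public static void main(String[] args) {
        Set<String> replicas = Set.of("auth-1", "auth-2", "auth-3", "auth-4");
        int f = 1;
        // Constructed sample inputs.
        List<Vote> twoAccept = List.of(new Vote("auth-1", "ACCEPT"),
                new Vote("auth-2", "ACCEPT"), new Vote("auth-3", "REJECT"));
        List<Vote> oneRepeats = List.of(new Vote("auth-3", "ACCEPT"), new Vote("auth-3", "ACCEPT"),
                new Vote("rogue", "ACCEPT"), new Vote("auth-1", "REJECT"));
        System.out.println("two replicas accept:        " + authenticated(twoAccept, replicas, f));
        System.out.println("one replica repeats itself: " + authenticated(oneRepeats, replicas, f));
    }
}
```

Counting distinct replica identities rather than messages is what stops a single corrupted process, or an unknown sender, from manufacturing a majority.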

The importance and complexity of distributed computing systems continue to increase, placing greater strains on system developers and administrators. To help relieve these strains, distributed systems are becoming more automated and dynamic. It is essential that we have security solutions that can rapidly adapt to these environments, are easy to maintain, and are robust. Our first prototype allows extensive customization right down to each individual client and application. Our second prototype still allows for rapid and extensive customization but moves the security services to a centralized location for easier management. This year we are developing a next-generation prototype that can take centralized components, such as our authentication service, distribute them among a set of servers, and tie them together to form highly robust and resilient services.


For more information, please contact David Slattery using the employee directory.

