[OTDev] A&A: precautions against pre-registering resources
Luchesar V. ILIEV luchesar.iliev at gmail.comTue Jun 29 14:21:09 CEST 2010
- Previous message: [OTDev] A&A: precautions against pre-registering resources
- Next message: [OTDev] A&A: precautions against pre-registering resources
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Andreas, All, To be honest, the idea came just yesterday to me. That's why I haven't given it that much thought myself, so it's not necessarily a good (or even appropriate) solution. I'm still thinking if it wouldn't break something important... If I understand you correctly about the IP addresses, this would be such a prevention against breaking. So, if we have a request coming from server-1.opentox.net which requests a policy to be created for http://service-A.opentox.org/resource-B based on comparing the DNS names only, we would refuse it. However, if we check the IP addresses "behind" "server-1.opentox.net" and "service-A.opentox.org" and if they match, we would actually accept the policy. That's a very good point. Still, I'd suggest we bypass the DNS -- probably I shouldn't have even proposed this at all, but I had already written part of the mail when I realized that the SSL certificates could do the same -- and much better -- job. Not only they are inherently secure, but they also easily solve the problem with different DNS names on one machine -- even if there are multiple addresses behind each, actually, which is also possible. In the above example, when we get the request from server-1.opentox.net (which resolves to, say, 123.4.5.6) which requests a policy to be created for http://service-A.opentox.org/resource-B (where the domain name part resolves to, say, 12.3.4.56) we would reject the request based on both DNS and IP verification. However, if the requester has been issued a certificate for the following domains server-1.opentox.net server-2.opentox.net server-3.opentox.net service-A.opentox.org service-B.opentox.org service-C.opentox.org and has authenticated itself with this as a client certificate during the SSL handshake, we would have all the good reasons to accept the request (because one of the domain names in the certificate matches the URL in the policy: service-A.opentox.org; where exactly the request came from is irrelevant in this case -- it could have been even gates.microsoft.com). Technically, the said certificate would look something like this: Certificate: Data: Version: 3 (0x2) Serial Number: 371 (0x173) Signature Algorithm: sha1WithRSAEncryption Issuer: DC=org, DC=opentox, CN=OpenTox CA Validity Not Before: Jun 28 12:50:26 2010 GMT Not After : Jul 28 12:50:26 2011 GMT Subject: DC=org, DC=opentox, O=services, O=OpenTox, OU=IDEA, CN=service-A.opentox.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 00:d9:f1:a0:e2:8a:56:ba:64:72:72:3c:73:91:a6: 62:ed:7a:00:c7:7d:3e:6b:c5:3c:9a:52:2d:75:f5: 2b:fc:c7:d8:03:23:7a:c6:5f:f8:2b:4d:1e:29:df: 55:0f:85:43:48:aa:f4:ca:a9:42:2f:f2:77:74:dc: 98:c5:49:35:50:3e:fa:b1:a9:72:9b:8f:8a:ff:d5: ba:cf:20:db:35:2a:48:f1:e3:ba:1a:51:2f:df:ea: fc:86:0f:78:78:5c:86:f6:dc:25:53:3c:ae:08:68: 46:5a:05:e2:9e:b9:43:f6:4c:ed:04:ee:23:53:05: 98:5f:22:5b:6b:35:ac:39:92:60:3b:63:65:b0:a4: 1b:a4:f5:df:9a:8d:bf:8f:56:2a:4b:9a:11:ae:38: b3:b3:9e:65:85:fa:f7:55:50:27:c1:2f:d8:d2:30: 8b:fd:54:93:59:45:2d:11:0b:a0:0a:95:32:a9:1e: 19:6c:e7:40:71:6a:d2:51:bd:c7:fe:10:77:6b:c0: 13:69:9c:9e:d5:31:19:00:22:3c:e2:3b:53:ef:45: a8:53:d1:d8:5d:1f:00:95:a4:59:df:08:b8:76:c9: 19:d5:c7:c9:25:28:29:dc:8c:32:63:aa:37:8e:f7: 1e:34:39:1d:94:b2:d0:9d:83:9f:fd:10:c0:51:81: 5b:1f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication X509v3 CRL Distribution Points: URI:http://ca.opentox.org/crl/opentox_ca-crl.der X509v3 Authority Key Identifier: keyid:D1:7D:63:38:C7:69:EC:56:2C:CE:EE:D5:6D:4E:77:C7:A3:FD:34:6C X509v3 Subject Key Identifier: 40:DE:5A:69:25:62:0B:10:22:DC:5B:56:09:F0:12:96:83:1D:63:24 X509v3 Certificate Policies: Policy: 1.3.6.1.4.1.26646.1.3.1.1.0 X509v3 Subject Alternative Name: DNS:server-1.opentox.net, DNS:server-2.opentox.net, DNS:server-3.opentox.net, DNS:service-A.opentox.org, DNS:service-B.opentox.org, DNS:service-C.opentox.org Signature Algorithm: sha1WithRSAEncryption 80:6b:5a:c7:51:3a:f4:27:2a:17:2a:fc:82:99:48:3e:f8:ef: 0d:80:99:02:9b:62:24:7b:93:47:ad:68:9b:3f:3a:af:24:1c: bc:11:16:1e:36:31:11:69:09:b2:02:82:ac:79:a4:c2:25:96: 3d:64:77:02:1f:5c:1b:5f:21:ee:d5:88:7b:08:f7:6a:be:7e: ba:1c:e2:a3:01:7f:09:2d:34:6e:b1:39:cc:2b:21:8f:0f:53: af:54:44:cd:68:57:24:4b:21:da:95:e9:dc:47:90:2a:1b:f5: 6c:5f:84:e4:e8:05:8e:01:46:88:c9:4a:b0:4e:b9:29:23:67: 3e:af:b7:22:40:88:6a:d1:9b:47:40:ff:d4:2c:5c:c7:61:d7: 5d:ef:db:90:f5:c3:33:16:be:a0:1b:8a:3f:42:df:6e:ae:49: 31:71:16:1c:2a:93:62:64:7c:15:37:ff:37:3f:d5:53:17:26: 01:d7:eb:70:3d:f0:0d:f2:86:82:1f:48:89:50:84:90:99:7f: 89:08:89:e2:f4:8c:e1:f8:fd:a7:59:2d:80:59:64:1b:08:2a: 0a:dd:ef:77:3b:c8:d3:e7:0d:c7:a6:0d:bd:5c:f4:1a:05:8f: dc:f5:1d:e5:49:b7:6c:a0:de:f5:ab:59:4b:87:dc:31:98:f8: The certificate signature would be checked already at handshake time, so all that is necessary, is to compare the DNS name of the URL in the requested policy to the list of Subject Alternative Names -- and if one of the entries matches, the request is accepted. Actually, wildcards in domain names are also accepted, so that entry could have been even simpler: X509v3 Subject Alternative Name: DNS:*.opentox.net, DNS:*.opentox.org Mind you, when a Subject Alternative Name (SAN) is present in the certificate, the CN field in the DN is not checked at all -- so, really all checks should be against the SAN list. So, to summarize, the question is: how easy for the policy service would it be to check the SAN entries in the client certificate used in the SSL/TLS connection against the URL for which a policy is submitted through that secure channel? If that works, then probably we could set up a temporary certification authority for testing (I could do that) and see how it really works in practice. Cheers, Luchesar On Tue, Jun 29, 2010 at 11:02, Andreas Maunz <andreas at maunz.de> wrote: > Ok, we can restrict creation to policies relevant to the current machine > only. In that case: > - we have policy creation only by services or users logged in to the current > machine. > - no other machine can create a policy relevant for the current machine > The two points impair flexibility a lot, thus I did not think this far. Of > course, Nina is right with the efficiency argument. I had in mind the > situation where public access was prohibited prior to policy creation, thus > no data would be transported. But I recognize this was short-sighted, and > overall, I agree with your proposal to use DNS-verification. > > One more (less important) question: We could also only forward DNS > resolution, couldn't we? Are host names not available with the request? If > yes, we could resolve both host names of requesting webservice and target > webservice and check whether the two IP addresses match. > > Greetings > Andreas > > > Luchesar V. ILIEV wrote on 06/28/2010 09:54 PM: >> >> On Mon, Jun 28, 2010 at 22:27, Luchesar V. ILIEV >> <luchesar.iliev at gmail.com> wrote: >>> >>> [...snip...] >>> >>> In other words, if the service gets a request for the resource above >>> from an address, which reverse-resolves to, say, badguy.aol.com, then >>> the policy service will reject the request straight away. >> >> That was ambiguous, sorry. Should have read instead: >> >> In other words, if the _policy_ service gets a _policy_creation_ >> request for the resource above from an address that reverse-resolves >> to, say, badguy.aol.com, then the policy service will reject the >> request straight away (because badguy.aol.com != >> serviceA.opentox.org). >> >> L. >> >> P.S. And, in the case of SSL/TLS, it would read: >> >> In other words, if the _policy_ service gets a _policy_creation_ >> request for the resource above via a secure connection where the >> client certificate has been issued to badguy.aol.com, then the policy >> service will reject the request straight away (because badguy.aol.com >> != serviceA.opentox.org). >> >> Of course, if the bad guy doesn't present valid certificate in the >> first place (that is, issued by a trusted certification authority), >> then no connection would happen at all. >> _______________________________________________ >> Development mailing list >> Development at opentox.org >> http://www.opentox.org/mailman/listinfo/development >> > _______________________________________________ > Development mailing list > Development at opentox.org > http://www.opentox.org/mailman/listinfo/development >
- Previous message: [OTDev] A&A: precautions against pre-registering resources
- Next message: [OTDev] A&A: precautions against pre-registering resources
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Development mailing list