OpenVMS Security Update 1M01

Transcription

1 OpenVMS Update M0 Helmut Ammer TCSC München Agenda Ratings ITSEC E C & E B update on V6. TCSEC C Ramp -> > Common Criteria COE DII Current Projects: Enterprise Features & Projects History Per- Profiles External Authentication Authenticated COM + Infrastructure (V7.-) Future Projects Kerberos for VMS Ratings Testing Procedures Current Ratings Status TCSEC ITSEC Common Criteria New Ratings DII COE OpenVMS Testing Independent of a rating, the OpenVMS security testing procedure is as follows All new functionality/changes is documented Each one is reviewed for impact to the security model Tests are created to assure security relevant changes behave as documented Each release must successfully complete the Test Suite before it is released. OpenVMS TCSEC Ratings C for OpenVMS VAX and Alpha V6. B for SEVMS VAX and Alpha V6. ITSEC Rating ITSEC Ratings in progress ITSEC E/F-B SEVMS (with B claims) ITSEC E/F-C VMS Targets: Alpha & VAX OpenVMS V6.-H & YK Patch Kit SEVMS V6.-H & YK Patch Kit 5 6

2 OpenVMS Future Ratings TCSEC/RAMP - Going Away OpenVMS 7. C RAMP Status Independent rd party evaluations CLEF (Commercially Licensed Evaluation Facility) Common Criteria Profiles C? Industry Specific? 7 What is DII COE? The Defense Information Infrastructure Common Operating Environment (DII COE) provides a foundation for building open systems. It is a "plug and play" open architecture designed around a client/server model. 8 DII COE..0 compliant OpenVMS Office Admin Track Communications Management J System Administration Standard (Back Office) API s Multimedia Standard (System Level) API s Execution Communication Administration Kernel components Workflow Data Geographic Exchange Information J J Messaging OpenVMS Operating System & Alpha HW Network Alert Data Access 9 COE Application Level s of Compliance 8 - Total COE compliance application does not need to know about Platform/OS at all. - 50/50 split. COE compliance but Application needs some system calls. (e.g. Cluster awareness) - Application makes no calls to COE Modules in O/S but can successfully run in COE O/S environment 0 - Application breaks when running in COE compliant O/S environment 0 MUPs OpenVMS Alpha V7. DEC-AXPVMS AXPVMS-VMS7_SYS-V000-.PCSI DEC-AXPVMS AXPVMS-VMS7_SYS-V000-.PCSI OpenVMS Alpha MUP ALPSMUP0_070 (Versionen V6., V6. & V7.0) OpenVMS VAX MUP VAXSMUP0 (All Versions prior to V6.) OpenVMS V7. & V7..- Projects Per-thread security V7..- Authenticated COM Future Projects LDAP Client investigation Cluster Wide Intrusion Detection (A/V) Kerberos V5 GSSAPI (Generic API) $ Login CDSA (Common Data Architecture) IR IPSEC support

3 Model before V7. Per- Profile Model Profile Execution Generic Profile (ARB,PCB,JIB etc.) The current model forces user threads to manage the security To really work the security must be switched by the scheduler A single fails with multiple threads actively using it Profile Profile Execution Profile Profile New model solves pre-emption problem as the scheduler switches the security on a context switch. Now the operating system takes care of the switching of handles when scheduling. Per- : Compatibility PCB/ARB/JIB/PHD maintained while process has a single user-mode persona System services now persona aware SDA understands persona structures Backward Compatibility New Generic Profile (ARB,PCB,JIB etc.) Profile in OpenVMS V7.- Authenticated COM Provide necessary NT security infrastructure (kernel objects, interfaces, and protocols) to support strategic technologies OpenVMS V7..- support for: Secure DCOM, RPC using NTLM-authentication (Authenticated RPC), select Win security APIs OpenVMS Alpha only! 6 NT Infrastructure View DCOM Win APIs Reserved interfaces in 7. Win Low-Level $PERSONA System SYS$ACM System Service _SERVER VMS UAF NT SSPI/NTLM System [Cluster IPC to multiple servers] PWRK$LMSRV AdvancedServer RPC SAM Future Projects LDAP V Client (Investigation Complete) Requirement: Kerberos Authentication Cluster Wide Intrusion Detection Kerberos V5 Client and KDC GSSAPI V CDSA (Common Data Architecture) IPSEC Support 7 8

4 TM Cluster Wide Intrusion Detection Intrusion detection and breakin evasion is not applied cluster-wide. Intrusion detection and breakin evasion data are volatile. CWID Requirements: Intrusion and breakin events will be visible across the cluster (both VAX and Alpha) Events from all nodes in the cluster will contribute to the detection and evasion mechanisms Events must persist across system reboots Only backwards-compatible compatible changes will be made to the SYS$INTRUSION interfaces 9 Kerberos VMS implementation Initially a separate installable kit featuring Support available back to V7. (VAX & ALPHA) GSSAPI V GUI & DCL interface KDC & Client Ready for Field Test in CY000 For more information on Kerberos see mit.edu/kerberos/www/ 0 LOGINOUT SYS$ACM Common User Authentication Interface OpenVMS Common User Authentication and Credential Management Model Authentication and Credential Management (ACM) Authority OpenVMS ACM Extension NT ACM Extension SYSUAF.DAT Native Authentication Agent External Authentication Agent PATHWORKS Login SYS$ACM published Additional Loginout image How to write an guide. Testing and Field Test exposure. Server X Server Y. The ability to have alternate external agents supported by the OpenVMS Common User Authentication Model will be in a future release. Kerberos ACM Extension X.509 Public- Key ACM Extension LAN The CDSA Solution Common Data Architecture (CDSA) CDSA defines a four-layer architecture Applications for cross-platform, high-level security services CSSM defines a common API & SPI for security services and integrity base Service Providers implement selectable security services Layered CSSM API Common Service Provider Interfaces Service Modules CDSA Framework Common Service Provider Modules CSP SPI Cryptographic Service Provider Integrity Smartcard TP Module TPI Trust Policy Applications in C and C++ CSSM API CL Module CLI Certificate Remote CAs Contexts DL Module DLI Data Storage Data store EM-API Elective Module Mgr EMI New Category of Service

5 CDSA User Benefits CDSA Forges a New US Export Model Users get consistently interoperable and usable security applications for heterogeneous environments Cross-platform and multi-system Reduced cost and reduced risk when deploying security solutions Replaceable components available from multiple providers Apps Framework CSSM is called Crypto-with with-a a hole Vendors must obtain a CJ General License Based on integrity services and other framework properties Applications and Non-crypto One time review, then decontrolled Based on all crypto services via CSSM Does not export a cryptographic API Cryptographic Service Provider Requires a CJ general license or ITAR license, depending on strength of cryptographic services App App CSSM CSP App 5 6 CDSA Adopters IPSEC support IPSEC as part of IPV6 Tru6 UNIX - SSH Contract for IPSEC provider VMS to Follow same model CDSA for Cryptography 7 8 SSPI NTLM Future OpenVMS /Cryptography Map Client/Server Applications COM, Browsers RPC SSL/TLS SSP GSSAPI V SNEGO SSL/TLS Run Time Kerb5 SSP Host/Interactive Authentication Logon, FTP, Rlogin Kerb Kerb5 Run Time $ACM NT VMS Cryptography Consumers PKI, IPSEC GSSAPI LDAP SASL other? KEY = Public = Internal = Example Kerberos for OpenVMS Cryptographic Provider RSA BSAFE Common Data Architecture API CSSM Trust Policy ENTRUST VERISIGN Certificate RSA BCERT ENTRUST Data Storage LDAP 0 5

6 Keberos Agenda What is it? A Cryptographic Authentication protocol History Benefit How it works OpenVMS Specific details Kerberos Authentication What s in a name? Kerberos is from Greek Mythology and is the three headed guard dog to Hades Cerberus is the Roman spelling. Kerberos project History Developed in 98 at M.I.T. in Project Athena Versions - M.I.T. Internal Athena use only Version (Available to the public) ~988 Version 5 (Commercial ready) ~997 Authorization vs. Authentication So what s the problem? A system administrator Authorizes someone to use a computer by creating them an account. Example: UAF> CREATE ASTRO The person proves that they are the authorized user of the account by Authenticating themselves typically with a password. Example: Username: ASTRO PASSWORD: itsadogeatdogworld Distributed computing forces the user to authenticate themselves to remote machines by having their passwords travel over the network. A simple packet sniffing tool on a PC could read the password on it s way to the destination system So how can you solve the Remote Authentication problem? How does Kerberos work? Solutions: Standards: IPSEC (Part of the IPV6 protocol) SSH Secure Shell SSH server for VMS eng.ohio-state. state.edu/~jonesd/ /~JONESD/ssh/DOC/ SSH client for VMS lp.se/fish/ Info on SSLEay lp.se/.se/openssl/ Kerberos for OpenVMS 5 Authentication using cryptographic tickets. Client KDC Key Distribution Center TGS Ticket Granting Service Remote Host 6 6

7 Kerberos Components Key Components: KDC (Key Distribution Center) Grant Principle Account & Service Account Administration of the Kerberos Users Keytab files (Securely distributed to every node) TGT (Ticket Granting Ticket) TGS (Ticket Granting Service) Valid account on the Remote Host 7 A sample Kerberos Authentication Walkthrough Client (HOST) Login:ODIE Password: $ KINIT Password: decrypted encrypt $ SET HOST /RLOGIN /AUTHENTICATE HOST encrypt encrypt SID PWD time RLOGIN SID SID PWD PWD PWD TGT Request Encrypted TGT TGS Request Encrypted SRT [SID] Created KDC (HOST) encrypt KDB ODIE: Password TGS: Password host: Password PWD PWD SID time RLOGIN [SID] Created time RLOGIN TGS encrypt PWD PASSWORD [SID] Remote Server (Host) HOST> communications Authenticated! VMS GUI User Features 0 VMS GUI KDC 7