Interesting People mailing list archives
IP: ANOTHER ROLE FOR GUIDs, WAS: SNIFFING OUT MS SECURITY GLITCH
From: Dave Farber <farber () cis upenn edu>
Date: Mon, 22 Mar 1999 18:42:26 -0500
Date: Mon, 22 Mar 99 15:20:39 PST
From: "Willis H. Ware" <willis () rand org>

Dave:

Apropos of your recent submissions on GUIDs.... let me sow some seeds and see if I can attract the interests of the research community and perhaps your graduate students.

One of the info-security issues that I plug from time to time [*] concerns the situation in which two (or more) computer systems, previously unknown to one another, connect for a legitimate purpose and must decide before opening the connection what each is allowed to access and/or interchange with the other, and/or what processes may be requested to run on the other. Good security demands that two systems wishing to connect must initially consider the other as untrusted. So to speak, the bona fides must be mutually established before things flow between them. One way would be a standard "exchange protocol" in the spirit of handshaking in cryptographic procedures, but more elaborate as circumstance might require. Decisions about specific objects (e.g., data) might be made at the beginning for the duration of the interaction, or they might be made dynamically as the interaction progresses.

That's an attribute of the future that has been little addressed in infosec R&D; it can be thought of as a super-elaboration of the access-control problem as we have always thought about it. In part, such an issue will be driven by databases which contain everything-but-everything in the record -- so to speak, dossier-level databases. When queried, only that part of the record pertinent to the query should be released. Hence, the issue has a relationship to privacy as commonly characterized in the Fair Code of Information Practices. It is a potential privacy infraction to dump an entire record in response to any query that happens along.

When this situation arises in the national security world, it has been accommodated on the basis of the categorization of information inherent in that world; e.g., system-A is authorized to exchange with any other system (say) SECRET information, types 1, 2, and 3; or A and B can exchange any encrypted material for which they have a common cryptographic key. Such a solution of course is static and, in effect, a procedural one. There is of course the side issue of "how does the other system know that A is telling the truth", but this is a collateral concern that enlarges the discussion beyond where I want to go for the moment; mutual authentication at many levels of the software architecture, especially in the context of network connectivity, is another topic.

When the situation arises in the corporate world, it can often be handled with pre-arrangements; e.g., system-A is entitled to receive (i.e., access) anything categorized by some prescribed label, (say) "accounting data". In any given case, we can conjure up a solution; but a general solution is needed to handle the fully networked future that everybody is busily projecting and building. In it, connectivity among computer systems will be ad hoc, in the same sense that telephony connections are; e.g., any system can, in principle, connect to any other system and wish to have an electronic conversation with it. "Electronic conversation" can mean requesting a file, requesting an answer to a query, asking for some process to be run (on the distant machine), interactively relating to the other machine, etc. All of those things are going on today in Web interactions, which, however, are generally conducted on the basis of wide-open access for the purposes of reading electronic materials, AND on the basis that any process requested (e.g., a search) has a priori been authorized as appropriate to run any time requested, AND on the basis that everything is of uniform sensitivity.

I suggest that the future is likely to be different as things of different sensitivity are offered to a network for remote access, as distributed computing becomes more commonplace in enterprise environments, as arbitrary "dial-up" among systems takes place on the basis of needs as they arise. Today the operational solutions generally are static arrangements for interconnectivity; e.g., a super-market cash register has a standing connection to a check-verification service. But in a coming future, for example, on each occasion of use, a process in system-A will be "told" in which other systems the data for the moment resides. In principle the data sources could be systems to which system-A had never before connected, and they need not be in the same political jurisdiction. Moreover, the locations of the data might emerge dynamically as the process operates.

It occurs to me that GUIDs or some variation on the construct could support the inter-netted future security issue of "what am I allowed to tell you" and/or "what am I allowed to do for you." To be sure, one has to be concerned that different systems could easily generate the same string sequence for a GUID and therefore make confusion possible; but that can be accommodated. For example, the world knows how to handle ISBNs without duplicating them from book to book; the electronic world is quite adept at handling IP-addresses by juxtaposing strings of digits (or characters) with separator symbols into an overall address (known as the Dewey Decimal System in a library incarnation); web sites are adept at managing the pointers that allow one to navigate around their data structures.

It is clear, I submit, that the "mutually allowed interchange" problem will not be solved in isolation. It will almost certainly be combined with digital signatures, various authentication procedures, et al. In fact, such global IDs might well be combined with the "digital notary public" and/or the "digital time stamp" functionality.

Thus, I would conjecture that GUIDs -- not the ones that are generated by commercial software of today but some variant of them functioning in a co-ordinated environment -- are going to become markedly more common in the future not only for documents, but for software, for entire software processes, for data structures and for combinations of all of these.

[*] See, for instance, my document "Cyberposture of the National Information Infrastructure" at: www.rand.org/publications/MR/MR976/mr976.html

Willis H. Ware
RAND
Santa Monica, CA
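The following is an added illustration, written for this archive page and not part of Ware's message or of any RAND work, of the three ideas the message ties together: objects named by globally unique identifiers, a peer treated as untrusted until its bona fides are checked, and a dossier-level record from which only the pertinent, permitted fields are released. The pre-shared key, the HMAC-signed "claim" standing in for a real handshake, the sensitivity labels ("identity", "accounting", "medical") and the sample record are all assumptions constructed for the demo; Ware's text proposes none of these specifics.

```python
import hashlib
import hmac
import json
import time
import uuid

# Constructed for this example: a key that systems A and B pre-arranged out of band.
# It stands in for whatever real bona fides (certificates, signatures) a deployment uses.
SHARED_KEY = b"demo-pre-shared-key-for-systems-A-and-B"


def new_object_id() -> str:
    """Allocate a version-4 UUID: 122 random bits, so independently operating
    systems will not produce the same string (the duplication concern in the text)."""
    return str(uuid.uuid4())


# Constructed dossier-level record: every field carries a sensitivity label.
# The label names are assumptions for this demo, not a standard vocabulary.
PERSON_ID = new_object_id()
RECORDS = {
    PERSON_ID: {
        "name":      ("identity",   "A. Person"),
        "address":   ("identity",   "1 Example Street"),
        "salary":    ("accounting", 48000),
        "diagnosis": ("medical",    "none recorded"),
    }
}


def _encode(body: dict) -> bytes:
    # Canonical encoding so both sides MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_claim(system_name: str, labels, ttl: int = 60) -> dict:
    """The requesting system's bona fides: which labels it is entitled to receive,
    bound to a short lifetime and a nonce, and MACed with the pre-shared key."""
    body = {
        "system": system_name,
        "labels": sorted(labels),
        "expires": int(time.time()) + ttl,
        "nonce": uuid.uuid4().hex,
    }
    tag = hmac.new(SHARED_KEY, _encode(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_claim(claim: dict, now=None):
    """Treat the peer as untrusted until its claim checks out.
    Returns the set of labels the peer may receive, or None if the claim is rejected."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = claim["body"], claim["tag"]
        expected = hmac.new(SHARED_KEY, _encode(body), hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return None
    if not hmac.compare_digest(expected, tag):
        return None            # forged or tampered label list
    if body["expires"] < now:
        return None            # stale claim; refuse rather than honour a replay
    return set(body["labels"])


def release(record_id: str, requested_fields, claim: dict) -> dict:
    """Answer a query with only those requested fields the peer's labels permit.
    Nothing flows until verify_claim succeeds, and the rest of the dossier never leaves."""
    labels = verify_claim(claim)
    if labels is None:
        raise PermissionError("peer's bona fides not established")
    record = RECORDS.get(record_id)
    if record is None:
        raise KeyError("unknown object id")
    answer = {}
    for field in requested_fields:
        if field not in record:
            continue
        label, value = record[field]
        if label in labels:
            answer[field] = value
    return answer


if __name__ == "__main__":
    accounting_peer = make_claim("system-B", {"accounting"})
    print(release(PERSON_ID, ["name", "salary", "diagnosis"], accounting_peer))
    # -> {'salary': 48000}
```

The peer asking for name, salary and diagnosis gets back only the salary: the name is not covered by its "accounting" entitlement, and the diagnosis is never consulted for release at all. A claim whose label list has been edited after signing, or one that has expired, is rejected before any record is touched, which is the "consider the other as untrusted" rule applied at the point where data would otherwise flow.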