IP: ANOTHER ROLE FOR GUIDs, WAS: SNIFFING OUT MS SECURITY GLITCH

[Dave Farber <farber () cis upenn edu>]

> Date: Mon, 22 Mar 99 15:20:39 PST
> From: "Willis H. Ware" <willis () rand org>
>
> Dave:
>
> Apropos of your recent submissions on GUIDs.... let me sow some seeds and
> see if I can attract the interests of the research community and perhaps
> your graduate students.
>
> One of the info-security issues that I plug from time to time [*] concerns
> the situation in which two (or more) computer systems, previously unknown
> to one another, connect for a legitimate purpose and must decide before
> opening the connection what each is allowed to access and/or interchange
> with the other, and/or what processes may be requested to run on the other.
>
> Good security demands that two systems wishing to connect must initially
> consider the other as untrusted.  So to speak, the bona fides must be
> mutually established before things flow between them.  One way would be a
> standard "exchange protocol" in the spirit of handshaking in cryptographic
> procedures, but more elaborate as circumstance might require.  Decisions
> about specific objects (e.g., data) might be made at the beginning for the
> duration of the interaction, or they might be made dynamically as the
> interaction progresses.
>
> That's an attribute of the future that has been little addressed in infosec
> R&D; it can be thought of as a super-elaboration of the access-control
> problem as we have always thought about it.
>
> In part, such an issue will be driven by databases which contain
> everything-but-everything in the record -- so-to-speak, dossier-level
> databases.  When queried, only that part of the record pertinent to the
> query should be released.  Hence, the issue has a relationship to privacy
> as commonly characterized in the Fair Code of Information Practices. It is a
> potential privacy infraction to dump an entire record in response to any
> query that happens along.
>
> When this situation arises in the national security world, it has been
> accommodated on the basis of the categorization of information inherent in
> that world; e.g., system-A is authorized to exchange with any other system
> (say) SECRET information, types 1, 2, and 3; or A and B can exchange any
> encrypted material for which they have a common cryptographic key. Such a
> solution of course is static and in effect, a procedural one.
>
> There is of course the side issue of "how does the other system know that A
> is telling the truth", but this is a collateral concern that enlarges the
> discussion beyond where I want to go for the moment; mutual authentication
> at many levels of the software architecture, especially in the context of
> network connectivity, is another topic.
>
> When the situation arises in the corporate world, it can often be handled
> with pre-arrangements; e.g., system-A is entitled to receive (i.e., access)
> anything categorized by some prescribed label, (say) "accounting data".
>
> In any given case, we can conjure up a solution; but a general solution is
> needed to handle the fully networked future that everybody is busily
> projecting and building.  In it, connectivity among computer systems will
> be ad hoc, in the same sense that telephony connections are; e.g., any
> system can, in principle, connect to any other system and wish to have an
> electronic conversation with it. "Electronic conversation" can mean
> requesting a file, requesting an answer to a query, asking for some process
> to be run (on the distant machine), interactively relate to the other
> machine, etc.
>
> All of those things are going on today in Web interactions which however
> are generally conducted on the basis of wide-open access for the purposes
> of reading electronic materials, AND on the basis that any process
> requested (e.g., a search) has a priori been authorized as appropriate to
> run any time requested AND on the basis that everything is of uniform
> sensitivity.
>
> I suggest that the future is likely to be different as things of different
> sensitivity are offered to a network for remote access, as distributed
> computing becomes more commonplace in enterprise environments, as arbitrary
> "dial-up" among systems takes place on the basis of needs as they arise.
> Today the operational solutions generally are static arrangements for
> interconnectivity; e.g., a super-market cash register has a standing
> connection to a check-verification service.  But in a coming future, for
> example, on each occasion of use, a process in system-A will be "told" in
> which other systems the data for the moment resides.  In principle the data
> sources could be systems to which system-A had never before connected and
> they need not be in the same political jurisdiction.  Moreover, the
> locations of the data might emerge dynamically as the process operates.
>
> It occurs to me that GUIDs or some variation on the construct could support
> the inter-netted future security issue of "what am I allowed to tell you"
> and/or "what am I allowed to do for you."
>
> To be sure, one has to be concerned that different systems could easily
> generate the same string sequence for a GUID and therefore, make confusion
> possible; but that can be accommodated.  For example, the world knows how
> to handle ISBNs without duplicating them from book to book, the electronic
> world is quite adept at handling IP-addresses by juxtaposing strings of
> digits (or characters) with separator symbols into an overall address
> (known as the Dewey Decimal System in a library incarnation), web sites are
> adept at managing the pointers that allow one to navigate around their data
> structures.
>
> It is clear, I submit, that the "mutually allowed interchange" problem will
> not be solved in isolation.  It will almost certainly be combined with
> digital signatures, various authentication procedures, et al.  In fact,
> such global IDs might well be combined with the "digital notary public"
> and/or the "digital time stamp" functionality.  Thus, I would conjecture
> that GUIDs -- not the ones that are generated by commercial software of
> today but some variant of them functioning in a co-ordinated environment --
> are going to become markedly more common in the future not only for
> documents, but for software, for entire software processes, for data
> structures and for combinations of all of these.
>
> [*] SEE, for instance my document "Cyberposture of the National Information
> Infrastructure" at: www.rand.org/publications/MR/MR976/mr976.html
>
>                                        Willis H. Ware
>                                        RAND  Santa Monica, CA