OpenVMS Security Update (1M01)

www.compaq.com

Helmut Ammer, TCSC München

Agenda

• Security Ratings
  – ITSEC E3 C2 & E3 B1 update on V6.2
  – TCSEC C2 Ramp -> Common Criteria
  – COE DII
• Current Projects: Enterprise Security Features & Projects
  – History
  – Per-Thread Security Profiles
  – External Authentication
  – Authenticated COM + Infrastructure (V7.2-1)
• Future Security Projects
• Kerberos for VMS

Security Ratings

• Security Testing Procedures
• Current Ratings Status
  – TCSEC
  – ITSEC
  – Common Criteria
• New Ratings
  – DII COE

OpenVMS Security Testing

Independent of a rating, the OpenVMS security testing procedure is as follows:

• All new functionality and all changes are documented
• Each one is reviewed for impact to the security model
• Tests are created to assure security relevant changes behave as documented
• Each release must successfully complete the Security Test Suite before it is released.

OpenVMS TCSEC Security Ratings

• C2 for OpenVMS VAX and Alpha V6.1
• B1 for SEVMS VAX and Alpha V6.1

ITSEC Security Rating

• ITSEC Security Ratings “in progress”
  – ITSEC E3/F-B1 SEVMS (with B3 claims)
  – ITSEC E3/F-C2 VMS
• http://www.itsec.gov.uk/
• Targets: Alpha & VAX
  – OpenVMS V6.2-1H3 & Y2K Patch Kit
  – SEVMS V6.2-1H3 & Y2K Patch Kit

OpenVMS Future Security Ratings

• TCSEC/RAMP - Going Away
• OpenVMS 7.1 C2 RAMP Status
• Independent 3rd party evaluations
  – CLEF (Commercially Licensed Evaluation Facility)
• Common Criteria Profiles
  – C2? Industry Specific?
  – http://csrc.nist.gov/cc/

What is DII COE?

The Defense Information Infrastructure Common Operating Environment (DII COE) provides a foundation for building open systems. It is a "plug and play" open architecture designed around a client/server model. http://spider.osfl.disa.mil/cm/cm_page.html

DII COE 4.1.20 compliant OpenVMS (architecture diagram)

• Kernel components: OpenVMS Operating System & Alpha HW
  – System Administration Services, Execution Manager Services, Security Administration Services, Messaging Services, Track Management Services, Alert Services
• Standard (System Level) APIs: Data Exchange Services, Geographic Information Services, J4
• Standard (Back Office) APIs: Office Admin, Multimedia, Communication, Workflow, Network
• Data Access Services, Communications Services, J4

COE Application Levels of Compliance

• 8 - Total COE compliance; the application does not need to know about the platform/OS at all.
• 4 - 50/50 split: COE compliance, but the application needs some system calls (e.g. cluster awareness).
• 1 - The application makes no calls to COE modules in the O/S but can successfully run in a COE O/S environment.
• 0 - The application breaks when running in a COE compliant O/S environment.

Security MUPs

• OpenVMS Alpha V7.2
  – DEC-AXPVMS-VMS72_SYS-V0100-4.PCSI
  – DEC-AXPVMS-VMS721_SYS-V0100-4.PCSI
• OpenVMS Alpha Security MUP
  – ALPSMUP01_070 (Versions V6.1, V6.2 & V7.0)
• OpenVMS VAX Security MUP
  – VAXSMUP03 (All Versions prior to V6.1)

OpenVMS V7.2 & V7.2-1 Projects

• Per-thread security
• V7.2-1 Authenticated COM

Future Security Projects

• LDAP Client investigation
• Cluster Wide Intrusion Detection (A/V)
• Kerberos V5
  – GSSAPI (Generic Security Services API)
• $ACME Login
• CDSA (Common Data Security Architecture)
• IR IPSEC support

Security Thread Model before V7.2

• The current model forces user threads to manage the security profile
• To really work, the security profile must be switched by the scheduler
• A single profile fails with multiple threads actively using it

(Diagram: Thread 1 to Thread 4 all execute against one Generic Security Profile (ARB, PCB, JIB etc.) and its security profile data.)

Per-Thread Security Profile Model

• The new model solves the pre-emption problem, as the scheduler switches the security profile on a context switch.
• Now the operating system takes care of the switching of profile handles when scheduling.

(Diagram: Thread 1 to Thread 4 each execute against their own Security Profile 1, 2 or 3 (PSB).)

Per-Thread Security: Compatibility

• PCB/ARB/JIB/PHD maintained while the process has a single user-mode persona
• System services now persona aware
• SDA understands persona structures

(Diagram: Backward Compatibility - Generic Security Profile (ARB, PCB, JIB etc.); New - Security Profile 2 (PSB).)

Security in OpenVMS V7.2-1

• Authenticated COM
• Provide the necessary NT security infrastructure (kernel objects, interfaces, and protocols) to support strategic technologies
• OpenVMS V7.2-1 support for: Secure DCOM, RPC using NTLM authentication (Authenticated RPC), select Win32 security APIs
• OpenVMS Alpha only!

NT Security Infrastructure View (diagram)

• PWRK$LMSRV, SAM, AdvancedServer
• ACME_SERVER with VMS ACME and NT ACME; SYS$ACM System Service; UAF
• SSPI/NTLM System Services; $PERSONA System Services
• RPC, Win32 APIs, DCOM [Cluster IPC to multiple servers]
• Reserved interfaces in 7.2; Win32 Low-Level Security Services

Future Security Projects

• LDAP V3 Client (Investigation Complete)
  – Security Requirement: Kerberos Authentication
• Cluster Wide Intrusion Detection
• Kerberos V5 Client and KDC
• GSSAPI V2
• CDSA (Common Data Security Architecture)
• IPSEC Support

Cluster Wide Intrusion Detection

• Intrusion detection and breakin evasion is not applied cluster-wide.
• Intrusion detection and breakin evasion data are volatile.

CWID Requirements:

• Intrusion and breakin events will be visible across the cluster (both VAX and Alpha)
• Events from all nodes in the cluster will contribute to the detection and evasion mechanisms
• Events must persist across system reboots
• Only backwards-compatible changes will be made to the SYS$INTRUSION interfaces

Kerberos VMS implementation

• Initially a separate installable kit featuring
  – Support available back to V7.1 (VAX & ALPHA)
  – GSSAPI V2
  – GUI & DCL interface
  – KDC & Client
• Ready for Field Test in CY2000
• For more information on Kerberos see http://web.mit.edu/kerberos/www/

OpenVMS Common User Authentication and Credential Management Model (diagram)

• SYS$ACM Common User Authentication Interface
• Authentication and Credential Management (ACM) Authority
• ACM Extensions: OpenVMS ACM Extension, NT ACM Extension, Kerberos ACM Extension, X.509 Public-Key ACM Extension
• Native Authentication Agent: LOGINOUT, SYSUAF.DAT
• External Authentication Agent: PATHWORKS, LAN Manager, Server X, Server Y
• The ability to have alternate external agents supported by the OpenVMS Common User Authentication Model will be in a future release.

ACME Login

• SYS$ACM published
• Additional Loginout image
• How to write an ACME guide.
• Testing and Field Test exposure.

The CDSA Solution

Common Data Security Architecture (CDSA) (diagram: Applications / Layered Security Services / CSSM Security API / Common Security Services Manager / Service Provider Interfaces / Security Service Modules)

• CDSA defines a four-layer architecture for cross-platform, high-level security services
• CSSM defines a common API & SPI for security services and integrity base
• Service Providers implement selectable security services
• http://developer.intel.com/ial/security/

CDSA Framework (diagram)

• Applications in C and C++
• CSSM Security API
• Common Security Services Manager: CSP Manager (SPI), TP Module Manager (TPI), CL Module Manager (CLI), DL Module Manager (DLI), Security Contexts, Elective Module Manager (EMI / EM-API), Integrity Services, New Category of Service
• Service Provider Modules: Cryptographic Service Provider (Smartcard), Trust Policy Library (Remote CAs), Certificate Library, Data Storage Library (Data store)

CDSA User Benefits

• Users get consistently interoperable and usable security applications for heterogeneous environments
• Cross-platform and multi-system (Framework, Apps, Services)
• Reduced cost and reduced risk when deploying security solutions
• Replaceable components available from multiple providers

CDSA Forges a New US Export Model

• CSSM is called “Crypto-with-a-hole”
  – Vendors must obtain a CJ General License
  – Based on integrity services and other framework properties
• Applications and Non-crypto Services
  – One time review, then decontrolled
  – Based on all crypto services via CSSM
  – Does not export a cryptographic API
• CSP (Cryptographic Service Provider)
  – Requires a CJ general license or ITAR license, depending on strength of cryptographic services

(Diagram: App / CSSM / CSP layering)

CDSA Adopters (logo slide)

IPSEC support

• IPSEC as part of IPV6
• Tru64 UNIX - SSH Contract for IPSEC provider
• VMS to follow the same model

Future OpenVMS Security/Cryptography Map (diagram)

• Cryptography Consumers
  – Client/Server Applications: COM, Browsers
  – Host/Interactive Authentication: Logon, FTP, Rlogin
• CDSA for Cryptography: Common Data Security Architecture API (CSSM)
  – Cryptographic Services Provider (example: RSA BSAFE)
  – Trust Policy (examples: ENTRUST, VERISIGN)
  – Certificate Library (examples: RSA BCERT, ENTRUST)
  – Data Storage Library (LDAP)
• PKI, IPSEC
• $ACM: Kerb ACME, NT ACME, VMS ACME
• RPC; SSPI: NTLM, Kerb5 SSP, SSL/TLS SSP, SNEGO
• Kerb5 Run Time, GSSAPI V2, SSL/TLS Run Time, SASL, LDAP, GSSAPI (other?)
• Key: Public / Internal / Example

Kerberos for OpenVMS

Kerberos Agenda

• What is it?
  – A cryptographic authentication protocol
• History
• Benefit
• How it works
• OpenVMS specific details

Kerberos Authentication: What’s in a name?

• Kerberos is from Greek mythology and is the three-headed guard dog of Hades
• Cerberus is the Roman spelling.

Kerberos project history

• Developed in 1984 at M.I.T. in Project Athena
• Versions 1-3: M.I.T. internal Athena use only
• Version 4 (available to the public) ~1988
• Version 5 (commercial ready) ~1997

Authorization vs. Authentication

• A system administrator Authorizes someone to use a computer by creating an account for them.
  Example: UAF> CREATE ASTRO
• The person proves that they are the authorized user of the account by Authenticating themselves, typically with a password.
  Example: Username: ASTRO  PASSWORD: itsadogeatdogworld

So what’s the problem?

• Distributed computing forces the user to authenticate themselves to remote machines by having their passwords travel over the network.
• A simple packet sniffing tool on a PC could read the password on its way to the destination system.

So how can you solve the Remote Authentication problem?

Solutions:

• Standards: IPSEC (Part of the IPV6 protocol)
• SSH Secure Shell
  – SSH server for VMS http://kcgl1.eng.ohio-state.edu/~JONESD/ssh/DOC/
  – SSH client for VMS http://www.free.lp.se/fish/
  – Info on SSLeay http://www.free.lp.se/openssl/
• Kerberos for OpenVMS

How does Kerberos work?

Authentication using cryptographic tickets. (Diagram: Client, KDC (Key Distribution Center), TGS (Ticket Granting Service), Remote Host)

Kerberos Components

Key Components:

• KDC (Key Distribution Center)
  – Grants Principal Accounts & Service Accounts
  – Administration of the Kerberos users
  – Keytab files (securely distributed to every node)
• TGT (Ticket Granting Ticket)
• TGS (Ticket Granting Service)
• Valid account on the Remote Host

A sample Kerberos Authentication Walkthrough (diagram, reconstructed as text)

Participants:

• Client (HOST1): the user logs in (Login: ODIE, Password:) and runs KINIT
• KDC (HOST2) with the TGS; its key database (KDB) holds ODIE: Password1, TGS: Password2, host: Password3
• Remote Server (HOST3)

Flow shown on the slides (the message boxes name the user principal JSMITH@host1):

• KINIT sends the TGT Request “JSMITH@host1 time” to the KDC.
• The KDC creates the session key [SID1] and returns “JSMITH@host1 time [SID1]” encrypted with PWD1 for the client, together with the Encrypted TGT (“JSMITH@host1 time [SID1]” encrypted with PWD2, the TGS key). The client decrypts its copy with PWD1 and now holds SID1.
• $ SET HOST /RLOGIN /AUTHENTICATE HOST3 sends the TGS Request (“JSMITH@host1 time RLOGIN” encrypted with SID1) together with the Encrypted TGT.
• The TGS decrypts the TGT with PWD2, creates [SID2] and returns the Encrypted SRT (“JSMITH@host1 time RLOGIN [SID2]” encrypted with PASSWORD3, the host key) plus SID2 for the client, encrypted with SID1.
• The client presents the SRT to HOST3, which decrypts it with PWD3: HOST3> Authenticated! Communications proceed.
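The exchange in the walkthrough above, as an added Python example; it is not Compaq's code or the OpenVMS Kerberos kit. It assumes a toy authenticated encryption built from HMAC-SHA256 standing in for a Kerberos encryption type, PBKDF2 standing in for the Kerberos string-to-key function, no pre-authentication (the slides show none), and a constructed KDB mirroring the slide's (JSMITH / Password1, TGS / Password2, host/HOST3 / Password3). The point it demonstrates is the one the problem slide raises: the user's password is used only on the client to derive a key, and what crosses the wire are tickets and authenticators that a packet sniffer cannot open.

```python
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (Kerberos string-to-key); PBKDF2 stands in for the real function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag); NOT a Kerberos enctype, just a stand-in."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Open a sealed message; a wrong key or a modified ticket fails the tag check and raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def check_authenticator(session_key: bytes, ticket: dict, authenticator: bytes, now: int, max_skew=300):
    """The authenticator proves the sender holds the ticket's session key and is fresh (limits replay)."""
    auth = unseal(session_key, authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > max_skew:
        raise PermissionError("authenticator does not match the ticket or is outside the clock-skew window")


class KDC:
    """Key Distribution Center: the KDB holds one long-term key per principal (user, TGS, host)."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.kdb = {p: string_to_key(pw, realm + p) for p, pw in passwords.items()}

    def as_exchange(self, client: str, now: int):
        """KINIT / TGT Request: SID1 sealed under the user's key, and the TGT sealed under the TGS key."""
        sid1 = os.urandom(16).hex()
        tgt = seal(self.kdb["TGS"], {"client": client, "time": now, "sid": sid1})
        return seal(self.kdb[client], {"time": now, "sid": sid1}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS Request: open the TGT, verify the authenticator, issue SID2 and the SRT under the host key."""
        ticket = unseal(self.kdb["TGS"], tgt)
        sid1 = bytes.fromhex(ticket["sid"])
        check_authenticator(sid1, ticket, authenticator, now)
        sid2 = os.urandom(16).hex()
        srt = seal(self.kdb[service], {"client": ticket["client"], "time": now, "sid": sid2})
        return seal(sid1, {"service": service, "sid": sid2}), srt


def kerberos_login(kdc: KDC, client: str, password: str, service: str, now: int):
    """Client side: the password only derives a key locally; it never travels to the KDC or the host."""
    user_key = string_to_key(password, kdc.realm + client)
    as_reply, tgt = kdc.as_exchange(client, now)
    sid1 = bytes.fromhex(unseal(user_key, as_reply)["sid"])      # wrong password -> ValueError here
    tgs_reply, srt = kdc.tgs_exchange(tgt, seal(sid1, {"client": client, "time": now}), service, now)
    sid2 = bytes.fromhex(unseal(sid1, tgs_reply)["sid"])
    return srt, seal(sid2, {"client": client, "time": now})     # what gets presented to the remote host


def service_accept(host_key: bytes, srt: bytes, authenticator: bytes, now: int) -> str:
    """Remote host: open the SRT with its own keytab key, verify the authenticator, return the principal."""
    ticket = unseal(host_key, srt)
    check_authenticator(bytes.fromhex(ticket["sid"]), ticket, authenticator, now)
    return ticket["client"]


# Constructed sample realm mirroring the walkthrough's KDB (names and passwords are made up here).
REALM = "HOST2"
PASSWORDS = {"JSMITH": "Password1", "TGS": "Password2", "host/HOST3": "Password3"}
HOST3_KEYTAB = string_to_key("Password3", REALM + "host/HOST3")   # what HOST3's keytab file would hold


def demo(now=None) -> str:
    now = int(time.time()) if now is None else now
    srt, auth = kerberos_login(KDC(REALM, PASSWORDS), "JSMITH", "Password1", "host/HOST3", now)
    return service_accept(HOST3_KEYTAB, srt, auth, now)


if __name__ == "__main__":
    print("HOST3 authenticated principal:", demo())
```

Two defender-side checks are built in: a wrong password fails on the client when it cannot open the AS reply, so the KDC never learns the guess, and the remote host refuses an authenticator outside the clock-skew window or a ticket whose tag no longer verifies.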

VMS GUI User Features (screenshot slide)

VMS GUI KDC (screenshot slide)