integrity for activated content data integrity in an active content system active middleware...
TRANSCRIPT
Integrity for Activated Content
Data Integrity in an Active Content System
Active Middleware WorkshopHilarie Orman
Volera, Inc.August 6, 2001
Trends in Web Content Activity
¯ Complex pages¯ Multiple business interests ¯ Mechanisms
¯ Server side includes¯ Edge Side includes¯ Ad hoc markers¯ URL naming tricks
¯ Efficiency Issue¯ Minimize traffic, maximize cacheability
Data Integrity: It all depends
¯ Traditional Model¯ Header, some fields immutable¯ Content, immutable modulo accidents
¯ IP packets¯ Packets might get to their destination but shouldn’t
be ‘delivered’ anyplace else¯ Security was TBD and emerged in IPsec¯ Awkward and slow standardization
¯ Anything else ‘End-to-End’
Basic Page Options
¯ Prevailing semantic: ‘put a picture here’
<HTML>
<BODY>
<H1>DOGTOWN NEWS</H1>
<HEADLINE>Dog Days</HEADLINE>
<BYLINE>Fidelius Canine</BYLINE>
<REGIONAL_AD h=640 w=480>
<STORY>….</STORY>
DOGTOWN NEWS
Dog Days
Fidelius Canine
A noontime high of 100 has local residents remembering the dog days of 1894, when temperatures were pegged at over the century mark for 45 consecutive days.
SALE atFIDO FOODSBeef Dinners
65 centsall week
The OPES Data Flow
ContentContentTransformationsTransformations
CACHE
Rule Engine
A Caching Proxy
Client Requests Server Requests
Server ResponseClient Response
AdministrativeController
Client ServerRequest
ReplyF(req)=
G(rep)=
ProxyRequest
Reply
ProxyComputed
Reply
RequestData
F(req)=
G(rep)=
Proxy Request
Reply
ContentAdaptation
ContentTransducer
ReplyData
Complex Content Compositionand Validation
Content andModificationDescriptions“insert ad”“wap transcoder”“refresh 10 min”
Original Content Modified Content Recipient Ponders Integrity
Hash-based Editing
¯ Document has a part index and content¯ Index summarizes document by hash of each
“part”¯ Each part index entry has editing permissions¯ Modification audit trail achieved by attaching
‘verifier’ for each editing action¯ Recipient verifies the message by comparing
the received message to the action list
Signatures for Original and Modified Content
gx+ry mod q
Goals of Active Data Integrity¯ Publisher defines document and modification
permissions¯ Delegates can modify the document¯ Anyone can validate the modified document
¯ Document can be cached anywhere¯ Even with partial modifications
¯ Recipient can delegate modifications on his behalf
¯ Recipient can validate document
The Verifiable Editing Language
¯ Delete¯ Add¯ Replaces
¯ (Delete and Add)
¯ Delegate¯ If-Else, Select¯ Boolean combinations¯ Replicate¯ Append
¯ Refresh¯ Permute¯ Cache control¯ ‘Exec’¯ Enduser Policy¯ Enforcement
delegation
Message Structure
¯ Publisher’s index of content and permissions
¯ Signature of Publisher on index
¯ Editor’s indices of actions, delegations
¯ Signature of each editor on own index
¯ Optional intermediate validation signatures (“this message was valid when at ibm.com”)
Example: delete¯ Index:
¯ Part1, hash value = xxx, none¯ Part 2, hash value = yyy, delete¯ Part 3, hash value =zzz, none
¯ Content:¯ This is part 1¯ This is part 2¯ This is part 3
¯ Signature { hash(Index)=¯ AAA}
¯ Index: ¯ Part1, hash value = xxx, none¯ Part 2, hash value = yyy, delete¯ Part 3, hash value =zzz, none
¯ Content:¯ This is part 1¯ This is part 3
¯ Signature {aaa}¯ Delete Signature {AAA,
part2, delete}¯ Verify Index Sig
¯ hash(part 1) = xxx¯ hash(part 2) = zzz
Example: replace¯ Index:
¯ Part1, hash value = xxx, none¯ Part 2, hash value = yyy,
replace¯ Part 3, hash value =zzz, none
¯ Content:¯ This is part 1¯ This is part 2¯ This is part 3
¯ Signature { hash(Index)=¯ AAA}
¯ Index: ¯ Part1, hash value = xxx, none¯ Part 2, hash value = yyy, delete¯ Part 3, hash value =zzz, none
¯ Content:¯ This is part 1¯ This is the new part 2¯ This is part 3
¯ Signature {aaa}¯ Replacer’s Signature {AAA, part2,
replace, hash=ddd}¯ Verify Index Sig on AAA
¯ hash(part 1) = xxx¯ hash(part 2) = zzz
¯ Verify hash(part2)=ddd¯ Verify Replacer’s Sig
Modification Index
Group 3 Parts Part 5: hash = bbb Permission Replace Type = gif Size < 20Kb Subject = *.all_languages.com Signature = dddd
Index Signature = eeee
Index Group 1 Parts Part 1: hash = xxx Part 2: hash = yyy Part 4: hash = zzz Permission none Signature = xxx Group 2 Parts Part 3: hash = aaaa Permission Delete Subject = JohnDDoe Signature = cccc
ContentPart 1This is merely textfor the heading
Part 2Start of the storyand byline
Part 3<REGIONAL_AD>
Part 4Continuing onwardour fearless hero ...
Part 5ALERT: SPECIAL
Document
Basis for Content Descriptors
¯ XML-Signature Syntax and Processing¯ W3C Candidate Recommendation 19-April-
2001¯ http://www.w3.org/TR/xmldsig-core/
Standards: Simple XML Example (Signature, SignedInfo, Methods, and References)
¯ [s01] <Signature Id="MyFirstSignature” xmlns="http://www.w3.org/2000/09/xmldsig#">
¯ [s02] <SignedInfo>¯ [s03] <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-
xml-c14n-20010315"/>
¯ [s04] <SignatureMethod
¯ Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
¯ [s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
¯ [s11] </Reference>
¯ [s12] </SignedInfo>
¯ [s13] <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
A Reference and Digest
¯ Reference ¯ URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
¯ Transforms {¯ Transform Algorithm="http://www.w3.org/TR/2001/REC-
xml-c14n-20010315"/ }¯ DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> DigestValue j6lwx3rvEPO0vKtMup4NbeVu8nk=
[s01] <Signature Id="MyFirstSignature” xmlns="http://www.w3.org/2000/09/xmldsig#">
[s02] <SignedInfo>
[s03] <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
[s04] <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
[s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> [s06] <Transforms>
[s07] <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
[s08] </Transforms>
[s09] <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
[s10] <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
[s11] </Reference>
[s12] </SignedInfo>
[s13] <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
[s14] <KeyInfo>
[s15a] <KeyValue>
[s15b] <DSAKeyValue>
[s15c] <P>...</P><Q>...</Q><G>...</G><Y>...</Y> [s15d] </DSAKeyValue>
[s15e] </KeyValue> [s16] </KeyInfo>
[s17] </Signature>
Trust Model for Mutable Content¯ Subjects: Author, Editors, Enduser Delegates¯ Objects: Content and content subparts¯ Author (aka Publisher) creates
¯ Content¯ Modification Policy¯ Signature on Entirety
¯ Modification policy based on content structure¯ Non-modifiable parts require separate signature
¯ Content modifiers (e.g. OPES)¯ Append signed actions to message¯ Change original message
¯ Recipient validates content wrt index, mods
Modification Permissions¯ Delete¯ Replace
¯ Restrictions:¯ Content type¯ Size¯ URL
¯ Append/Prepend¯ Restrictions: same type; size
¯ Delegate (monotonicity)¯ Allowable subjects
¯ Execute
Modification Index
¯ Part identifier¯ Reference or¯ Digest
¯ Action pairs¯ Subjects
¯ Namespace, name¯ Public key¯ Cert
¯ Privilege
¯ Limitations
Modifier’s Actions
¯ Entity performing the modification must sign a modification notification:
¯ Original message’s index hash¯ Modification index entry¯ Modifier’s ID¯ Hash of new value (none if Delete)
¯ Example: Reference 5, Delete¯ Modifier removes part 5 from message body¯ Modification manifest unchanged¯ Modifier attaches notification to message
Recipient Validation
¯ Optional¯ Get message index¯ Valid each part against permission and
signature¯ Simple case: Delete
¯ Author name and signature
¯ Modifier case: check permission subject and modifier signature
¯ Complex case: follow delegation chain
Dynamic Content
¯ New permission: refresh¯ Applies only to a message part
¯ Included content, not referenced
¯ Permission can require both modifier and location identifier
¯ Stockquotes: only from Nasdaq.com¯ User profile info: refresh every 30 minutes¯ Etc.
Conditional Modificationscf: Edge Side Includes, www.edge-side.com
¯ Simple conditionals¯ If URL ; URL can be fetched without error¯ Else
¯ Another URL¯ Endif
¯ Modification Index¯ Part reference for embedded conditional¯ Subreferences for options
¯ Modifier signs reference and selection¯ Removes embedded conditional¯ Inserts selected option (e.g. URL)¯ Signs Notification including hash of selection
Authenticated Includes
¯ Signed message¯ { If URL else Other_URL by cdn.cnn.com }¯ Signature¯ Appended data:¯ { Original message hash, byte offset of
¯ { If URL else Other_URL by cdn.cnn.com }
¯ Signature of cdn.cnn.com }
Dynamic and Active Content
¯ A distributed computing model¯ Definition of end-to-end integrity¯ Allows complex content composition¯ Merges local and remote concepts¯ Based on known technologies
Active Content
¯ Permission type: execute¯ Additional parameters: locality
¯ “who” can execute it, “where” they are
¯ Arguments: message parts and environment info
¯ Output replaces the message part¯ Notification same as ‘replace’
¯ but includes ‘location’ signature over message hash, part hash, output
Executable Content
¯ Two parts¯ Input¯ Program
¯ Modifier certifies to performing the replacement,
¯ Execution agent certifies to executing the program on the content
¯ Output replaces the message part
Further Delegation
¯ Modification Index may be extended by message editors
¯ Add ModIndex part¯ Sign Original Message (hash = AAA)¯ and Hash of New ModIndex
¯ Their permissions cannot exceed permissions granted to them
¯ ‘Downstream’ recipients must verify permissions before exercising delegation
Modifications based on Recipient Policy
¯ Recipient policies¯ Content type, size, origin, freshness, price¯ Delegates modification rights
¯ Delete, replace, select, translate, etc.¯ “Delete *.badplace.com/*.gif”¯ “Translate *.ru content-type/text to English” ¯ Redelegation to partner ISP, for example
¯ Might ban certain content parts¯ “Never”, “always”
Rights Delegated from Recipients¯ Enterprise policy, ISP service¯ Generic policy delegation¯ Enduser -> ISP,
¯ http, content-type/html, delete *.badstuff.com/*.gif¯ enduser signs hash of policy¯ Might result in deletion of entire message part
¯ ISP would delete part and add signed addendum¯ includes hash of policy authorizing the action
¯ NB: No request integrity definition
Complex Policy
¯ Reordering¯ Restrictions (“not valid in Indiana”)¯ If part 4 is deleted then add a delegation to modify
part 7¯ Refresh times, parameters¯ Reuse of individual parts
¯ “over 18 only”¯ “3 uses only”
¯ Billing¯ Audit
Policy Resolution
¯ Publisher: do not delete¯ Enduser: delete this junk¯ Enduser delegate: delete or not?
¯ SLA’s with publishers¯ SLA’s with publisher agents (CDN’s)¯ Contract with endusers
¯ SEP (Douglas Adams)
msg, policy Data Integrity(m,p)
¯ Even for complex composition systems, there is a verifiably meaning to data integrity
¯ Overhead appears tolerable¯ Caching is enhanced¯ Scalable, layer 6 policy and mechanisms¯ Consistent with emerging standards