Subject: IP: ANOTHER ROLE FOR GUIDs, WAS: SNIFFING OUT MS SECURITY GLITCH
> Date: Mon, 22 Mar 99 15:20:39 PST
> From: "Willis H. Ware" <willis@rand.org>
>
> Dave:
>
> Apropos of your recent submissions on GUIDs.... let me sow some seeds and see if I can attract the interests of the research community and perhaps your graduate students.
>
> One of the info-security issues that I plug from time to time [*] concerns the situation in which two (or more) computer systems, previously unknown to one another, connect for a legitimate purpose and must decide before opening the connection what each is allowed to access and/or interchange with the other, and/or what processes may be requested to run on the other.
>
> Good security demands that two systems wishing to connect must initially consider the other as untrusted. So to speak, the bona fides must be mutually established before things flow between them. One way would be a standard "exchange protocol" in the spirit of handshaking in cryptographic procedures, but more elaborate as circumstance might require. Decisions about specific objects (e.g., data) might be made at the beginning for the duration of the interaction, or they might be made dynamically as the interaction progresses.
>
> That's an attribute of the future that has been little addressed in infosec R&D; it can be thought of as a super-elaboration of the access-control problem as we have always thought about it.
>
> In part, such an issue will be driven by databases which contain everything-but-everything in the record -- so-to-speak, dossier-level databases. When queried, only that part of the record pertinent to the query should be released. Hence, the issue has a relationship to privacy as commonly characterized in the Fair Code of Information Practices. It is a potential privacy infraction to dump an entire record in response to any query that happens along.
>
> When this situation arises in the national security world, it has been accommodated on the basis of the categorization of information inherent in that world; e.g., system-A is authorized to exchange with any other system (say) SECRET information, types 1, 2, and 3; or A and B can exchange any encrypted material for which they have a common cryptographic key. Such a solution of course is static and in effect, a procedural one.
>
> There is of course the side issue of "how does the other system know that A is telling the truth", but this is a collateral concern that enlarges the discussion beyond where I want to go for the moment; mutual authentication at many levels of the software architecture, especially in the context of network connectivity, is another topic.
>
> When the situation arises in the corporate world, it can often be handled with pre-arrangements; e.g., system-A is entitled to receive (i.e., access) anything categorized by some prescribed label, (say) "accounting data".
>
> In any given case, we can conjure up a solution; but a general solution is needed to handle the fully networked future that everybody is busily projecting and building. In it, connectivity among computer systems will be ad hoc, in the same sense that telephony connections are; e.g., any system can, in principle, connect to any other system and wish to have an electronic conversation with it. "Electronic conversation" can mean requesting a file, requesting an answer to a query, asking for some process to be run (on the distant machine), interactively relating to the other machine, etc.
>
> All of those things are going on today in Web interactions which however are generally conducted on the basis of wide-open access for the purposes of reading electronic materials, AND on the basis that any process requested (e.g., a search) has a priori been authorized as appropriate to run any time requested AND on the basis that everything is of uniform sensitivity.
>
> I suggest that the future is likely to be different as things of different sensitivity are offered to a network for remote access, as distributed computing becomes more commonplace in enterprise environments, as arbitrary "dial-up" among systems takes place on the basis of needs as they arise. Today the operational solutions generally are static arrangements for interconnectivity; e.g., a super-market cash register has a standing connection to a check-verification service. But in a coming future, for example, on each occasion of use, a process in system-A will be "told" in which other systems the data for the moment resides. In principle the data sources could be systems to which system-A had never before connected and they need not be in the same political jurisdiction. Moreover, the locations of the data might emerge dynamically as the process operates.
>
> It occurs to me that GUIDs or some variation on the construct could support the inter-netted future security issue of "what am I allowed to tell you" and/or "what am I allowed to do for you."
>
> To be sure, one has to be concerned that different systems could easily generate the same string sequence for a GUID and therefore, make confusion possible; but that can be accommodated. For example, the world knows how to handle ISBNs without duplicating them from book to book, the electronic world is quite adept at handling IP-addresses by juxtaposing strings of digits (or characters) with separator symbols into an overall address (known as the Dewey Decimal System in a library incarnation), web sites are adept at managing the pointers that allow one to navigate around their data structures.
>
> It is clear, I submit, that the "mutually allowed interchange" problem will not be solved in isolation. It will almost certainly be combined with digital signatures, various authentication procedures, et al. In fact, such global IDs might well be combined with the "digital notary public" and/or the "digital time stamp" functionality. Thus, I would conjecture that GUIDs -- not the ones that are generated by commercial software of today but some variant of them functioning in a co-ordinated environment -- are going to become markedly more common in the future not only for documents, but for software, for entire software processes, for data structures and for combinations of all of these.
>
> [*] See, for instance, my document "Cyberposture of the National Information Infrastructure" at: www.rand.org/publications/MR/MR976/mr976.html
>
> Willis H. Ware
> RAND Santa Monica, CA
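As an added illustration (not part of Ware's message nor any RAND or list code), here is a toy of the "mutually allowed interchange" decision he sketches: each side's policy is a hypothetical label set, the labels that may flow in each direction are negotiated once at connection setup (the static case; calling it again per query gives the dynamic case), and a dossier-level record is answered field by field so only the pertinent, permitted part is released. System ids, labels and record values are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One system's standing pre-arrangement (hypothetical structure)."""
    system_id: str        # assumed authority-qualified id, in the ISBN/IP-address spirit
    releases: frozenset   # labels this system is willing to send out
    accepts: frozenset    # labels this system is authorised to receive

def negotiate(sender: Policy, receiver: Policy) -> frozenset:
    """Labels allowed to flow sender -> receiver: what the sender may release
    intersected with what the receiver is cleared for. Each direction is
    negotiated separately, so the result is asymmetric in general."""
    return sender.releases & receiver.accepts

def answer_query(record: dict, requested: set, allowed: frozenset) -> tuple:
    """Release only fields that are both asked for and carry an allowed label.
    record maps field -> (value, label). Returns (released, withheld);
    unknown fields are withheld rather than reported as absent."""
    released, withheld = {}, []
    for name in requested:
        if name not in record:
            withheld.append(name)
            continue
        value, label = record[name]
        if label in allowed:
            released[name] = value
        else:
            withheld.append(name)
    return released, sorted(withheld)

# Constructed sample: a partner bank system and a dossier-holding system.
SYSTEM_A = Policy("example-authority:bank-a", frozenset({"public", "accounting"}),
                  frozenset({"public", "accounting"}))
SYSTEM_B = Policy("example-authority:dossier-b",
                  frozenset({"public", "accounting", "medical"}), frozenset({"public"}))
DOSSIER = {                     # constructed dossier-level record: field -> (value, label)
    "name": ("J. Doe", "public"),
    "account_balance": (1250, "accounting"),
    "medical_history": ("redacted-sample", "medical"),
}

def demo() -> tuple:
    """B answers A's query; only the accounting and public fields leave B."""
    allowed = negotiate(SYSTEM_B, SYSTEM_A)
    return answer_query(DOSSIER, {"name", "account_balance", "medical_history"}, allowed)

if __name__ == "__main__":
    print(demo())
```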