
Integrity for Activated Content

This workshop explores strategies for ensuring data integrity in an active content system, with a focus on caching, content composition, and validation. Topics include URL naming tricks, cacheability, and security considerations.


Presentation Transcript


  1. Integrity for Activated Content: Data Integrity in an Active Content System. Active Middleware Workshop, Hilarie Orman, Volera, Inc., August 6, 2001

  2. Trends in Web Content Activity: complex pages; multiple business interests. Mechanisms: server side includes, Edge Side Includes, ad hoc markers, URL naming tricks. Efficiency issue: minimize traffic, maximize cacheability.

  3. 'End-to-End' Data Integrity: It all depends. Traditional model: header, some fields immutable; content, immutable modulo accidents. IP packets: packets might get to their destination but shouldn't be 'delivered' anyplace else; security was TBD and emerged in IPsec; awkward and slow standardization. Anything else.

  4. Basic Page Options. Prevailing semantic: 'put a picture here'. Rendered page: DOGTOWN NEWS / Dog Days / Fidelius Canine / A noontime high of 100 has local residents remembering the dog days of 1894, when temperatures were pegged at over the century mark for 45 consecutive days. / SALE at FIDO FOODS: Beef Dinners 65 cents all week. Markup: <HTML> <BODY> <H1>DOGTOWN NEWS</H1> <HEADLINE>Dog Days</HEADLINE> <BYLINE>Fidelius Canine</BYLINE> <REGIONAL_AD h=640 w=480> <STORY>….</STORY>

  5. The OPES Data Flow (diagram elements): A Caching Proxy, CACHE, Rule Engine, Administrative Controller, Content Transformations; Client Requests, Server Requests, Server Response, Client Response.

  6. Data Content Adaptation (diagram elements): Client, Proxy, Server; Request, Proxy Request, Server Request; Reply, Proxy Reply, Proxy Computed Reply; Content Transducer applying F(req) to requests and G(rep) to replies.

  7. Complex Content Composition and Validation: Original Content plus Content and Modification Descriptions ('insert ad', 'wap transcoder', 'refresh 10 min') yield Modified Content; Recipient Ponders Integrity.

  8. Hash-based Editing: Document has a part index and content; Index summarizes document by hash of each 'part'; Each part index entry has editing permissions; Modification audit trail achieved by attaching a 'verifier' for each editing action; Recipient verifies the message by comparing the received message to the action list.

  9. Signatures for Original and Modified Content gx+ry mod q

  10. Goals of Active Data Integrity: Publisher defines document and modification permissions; Delegates can modify the document; Anyone can validate the modified document; Document can be cached anywhere, even with partial modifications; Recipient can delegate modifications on his behalf; Recipient can validate document.

  11. The Verifiable Editing Language • Delete • Add • Replace (Delete and Add) • Delegate • If-Else, Select • Boolean combinations • Replicate • Append • Refresh • Permute • Cache control • 'Exec' • Enduser Policy • Enforcement delegation

  12. Message Structure: Publisher's index of content and permissions; Signature of Publisher on index; Editor's indices of actions, delegations; Signature of each editor on own index; Optional intermediate validation signatures ('this message was valid when at ibm.com').

  13. Example: delete
      Original message:
        Index: Part 1, hash value = xxx, none; Part 2, hash value = yyy, delete; Part 3, hash value = zzz, none
        Content: This is part 1; This is part 2; This is part 3
        Signature { hash(Index) = AAA }
      Modified message:
        Index (unchanged): Part 1, hash value = xxx, none; Part 2, hash value = yyy, delete; Part 3, hash value = zzz, none
        Content: This is part 1; This is part 3
        Signature {aaa}
        Delete Signature {AAA, part2, delete}
      Recipient verification: Verify Index Sig; hash(part 1) = xxx; hash(part 3) = zzz

  14. Example: replace
      Original message:
        Index: Part 1, hash value = xxx, none; Part 2, hash value = yyy, replace; Part 3, hash value = zzz, none
        Content: This is part 1; This is part 2; This is part 3
        Signature { hash(Index) = AAA }
      Modified message:
        Index (unchanged): Part 1, hash value = xxx, none; Part 2, hash value = yyy, replace; Part 3, hash value = zzz, none
        Content: This is part 1; This is the new part 2; This is part 3
        Signature {aaa}
        Replacer's Signature {AAA, part2, replace, hash=ddd}
      Recipient verification: Verify Index Sig on AAA; hash(part 1) = xxx; hash(part 3) = zzz; Verify hash(part 2) = ddd; Verify Replacer's Sig
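The hash-based editing of slide 8 and the delete/replace examples of slides 13 and 14, as an added Python example that is not code from the talk: the publisher signs an index of per-part hashes and permissions, an editor appends a signed modification notification, and the recipient validates the result. The per-signer HMAC standing in for a DSA signature, the sample keys and the editor name editor@example are assumptions made so the example runs on the standard library alone.

```python
import hashlib, hmac, json
# Signature stand-in (an assumption so this runs on the stdlib): per-signer HMAC, not DSA.
KEYS = {"publisher": b"pub-key", "editor@example": b"ed-key"}  # constructed sample keys
h = lambda s: hashlib.sha256(s.encode()).hexdigest()            # hash of one part
canon = lambda obj: json.dumps(obj, sort_keys=True)             # canonical form (cf. c14n)
sign = lambda who, s: hmac.new(KEYS[who], s.encode(), hashlib.sha256).hexdigest()

def publish(parts, permissions):
    """Publisher builds the part index (hash, permission, allowed subject) and signs it."""
    index = [{"part": i, "hash": h(p), "perm": perm, "subject": subj}
             for i, (p, (perm, subj)) in enumerate(zip(parts, permissions), 1)]
    return {"index": index, "index_sig": sign("publisher", h(canon(index))),
            "content": dict(enumerate(parts, 1)), "actions": []}

def modify(msg, editor, part, action, new_value=None):
    """Editor deletes or replaces a part and appends a signed modification notification."""
    if action == "delete": del msg["content"][part]
    else: msg["content"][part] = new_value
    note = {"index_hash": h(canon(msg["index"])), "part": part, "action": action,
            "editor": editor, "new_hash": None if new_value is None else h(new_value)}
    msg["actions"].append({**note, "sig": sign(editor, canon(note))})

def recipient_validate(msg):
    """Check index signature, each action's permission and signature, then each part's hash."""
    index_hash = h(canon(msg["index"]))
    if not hmac.compare_digest(sign("publisher", index_hash), msg["index_sig"]):
        return False
    entries = {e["part"]: e for e in msg["index"]}
    expected = {p: e["hash"] for p, e in entries.items()}
    for act in msg["actions"]:
        note = {k: v for k, v in act.items() if k != "sig"}
        entry = entries.get(note["part"])
        if (entry is None or note["index_hash"] != index_hash or note["editor"] not in KEYS
                or entry["perm"] != note["action"] or entry["subject"] != note["editor"]
                or not hmac.compare_digest(sign(note["editor"], canon(note)), act["sig"])):
            return False
        expected[note["part"]] = note["new_hash"]  # None: the part must now be absent
    for part, exp in expected.items():
        value = msg["content"].get(part)
        if (exp is None) != (value is None) or (value is not None and h(value) != exp):
            return False
    return True

def demo():  # slide 14's replace, then a tamper with an immutable part
    msg = publish(["This is part 1", "This is part 2", "This is part 3"],
                  [("none", None), ("replace", "editor@example"), ("none", None)])
    modify(msg, "editor@example", 2, "replace", "This is the new part 2")
    ok_after_replace = recipient_validate(msg)
    msg["content"][1] = "This is part 1, tampered"  # part 1 has permission "none"
    return ok_after_replace, recipient_validate(msg)
```

An editor acting outside its index entry (deleting a part marked "none", or a subject other than the one named) is rejected at validation even though the notification is correctly signed.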

  15. Modification Index
      Document Content:
        Part 1: This is merely text for the heading
        Part 2: Start of the story and byline
        Part 3: <REGIONAL_AD>
        Part 4: Continuing onward our fearless hero ...
        Part 5: ALERT: SPECIAL
      Index:
        Group 1: Parts: Part 1: hash = xxx, Part 2: hash = yyy, Part 4: hash = zzz; Permission: none; Signature = xxx
        Group 2: Parts: Part 3: hash = aaaa; Permission: Delete; Subject = JohnDDoe; Signature = cccc
        Group 3: Parts: Part 5: hash = bbb; Permission: Replace, Type = gif, Size < 20Kb; Subject = *.all_languages.com; Signature = dddd
        Index Signature = eeee

  16. Basis for Content Descriptors: XML-Signature Syntax and Processing, W3C Candidate Recommendation 19-April-2001, http://www.w3.org/TR/xmldsig-core/

  17. Standards: Simple XML Example (Signature, SignedInfo, Methods, and References)
      [s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
      [s02]   <SignedInfo>
      [s03]     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      [s04]     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      [s05]     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      [s11]     </Reference>
      [s12]   </SignedInfo>
      [s13]   <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>

  18. A Reference and Digest
      <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
      </Reference>

  19. The complete example:
      [s01] <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
      [s02]   <SignedInfo>
      [s03]     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      [s04]     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      [s05]     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      [s06]       <Transforms>
      [s07]         <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      [s08]       </Transforms>
      [s09]       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      [s10]       <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
      [s11]     </Reference>
      [s12]   </SignedInfo>
      [s13]   <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
      [s14]   <KeyInfo>
      [s15a]    <KeyValue>
      [s15b]      <DSAKeyValue>
      [s15c]        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      [s15d]      </DSAKeyValue>
      [s15e]    </KeyValue>
      [s16]   </KeyInfo>
      [s17] </Signature>

  20. Trust Model for Mutable Content. Subjects: Author, Editors, Enduser Delegates. Objects: Content and content subparts. Author (aka Publisher) creates Content, Modification Policy, Signature on Entirety; modification policy based on content structure; non-modifiable parts require separate signature. Content modifiers (e.g. OPES) append signed actions to message and change original message. Recipient validates content wrt index, mods.

  21. Modification Permissions: Delete; Replace (Restrictions: Content type, Size, URL); Append/Prepend (Restrictions: same type; size); Delegate (monotonicity; Allowable subjects); Execute.

  22. Modification Index: Part identifier (Reference or Digest); Action pairs; Subjects (Namespace, name; Public key; Cert); Privilege Limitations.

  23. Modifier's Actions: Entity performing the modification must sign a modification notification containing: Original message's index hash; Modification index entry; Modifier's ID; Hash of new value (none if Delete). Example: Reference 5, Delete: Modifier removes part 5 from message body; Modification manifest unchanged; Modifier attaches notification to message.

  24. Recipient Validation: Optional: Get message index; Validate each part against permission and signature. Simple case: Delete: Author name and signature. Modifier case: check permission subject and modifier signature. Complex case: follow delegation chain.

  25. Dynamic Content: New permission: refresh; Applies only to a message part (included content, not referenced); Permission can require both modifier and location identifier; Stockquotes: only from Nasdaq.com; User profile info: refresh every 30 minutes; Etc.

  26. Conditional Modifications (cf: Edge Side Includes, www.edge-side.com). Simple conditionals: If URL (URL can be fetched without error); Else Another URL; Endif. Modification Index: Part reference for embedded conditional; Subreferences for options. Modifier signs reference and selection: Removes embedded conditional; Inserts selected option (e.g. URL); Signs Notification including hash of selection.

  27. Authenticated Includes. Signed message: { If URL else Other_URL by cdn.cnn.com } Signature. Appended data: { Original message hash, byte offset of { If URL else Other_URL by cdn.cnn.com } Signature of cdn.cnn.com }.

  28. Dynamic and Active Content: A distributed computing model; Definition of end-to-end integrity; Allows complex content composition; Merges local and remote concepts; Based on known technologies.

  29. Active Content: Permission type: execute; Additional parameters: locality ('who' can execute it, 'where' they are); Arguments: message parts and environment info; Output replaces the message part; Notification same as 'replace' but includes 'location' signature over message hash, part hash, output.

  30. Executable Content: Two parts: Input, Program; Modifier certifies to performing the replacement; Execution agent certifies to executing the program on the content; Output replaces the message part.

  31. Further Delegation: Modification Index may be extended by message editors: Add ModIndex part; Sign Original Message (hash = AAA) and Hash of New ModIndex; Their permissions cannot exceed permissions granted to them; 'Downstream' recipients must verify permissions before exercising delegation.

  32. Modifications based on Recipient Policy. Recipient policies: Content type, size, origin, freshness, price. Delegates modification rights: Delete, replace, select, translate, etc. ('Delete *.badplace.com/*.gif', 'Translate *.ru content-type/text to English'); Redelegation to partner ISP, for example. Might ban certain content parts: 'Never', 'always'.

  33. Rights Delegated from Recipients: Enterprise policy, ISP service. Generic policy delegation: Enduser -> ISP, http, content-type/html, delete *.badstuff.com/*.gif; enduser signs hash of policy. Might result in deletion of entire message part; ISP would delete part and add signed addendum that includes hash of policy authorizing the action. NB: No request integrity definition.

  34. Complex Policy: Reordering; Restrictions ('not valid in Indiana'); If part 4 is deleted then add a delegation to modify part 7; Refresh times, parameters; Reuse of individual parts ('over 18 only', '3 uses only'); Billing; Audit.

  35. Policy Resolution: Publisher: do not delete; Enduser: delete this junk; Enduser delegate: delete or not? SLA's with publishers; SLA's with publisher agents (CDN's); Contract with endusers; SEP (Douglas Adams).

  36. Data Integrity(m,p), with m = msg and p = policy: Even for complex composition systems, there is a verifiable meaning to data integrity; Overhead appears tolerable; Caching is enhanced; Scalable, layer 6 policy and mechanisms; Consistent with emerging standards.
