360 likes | 370 Views
This workshop explores strategies for ensuring data integrity in an active content system, with a focus on caching, content composition, and validation. Topics include URL naming tricks, cacheability, and security considerations.
E N D
Integrity for Activated Content Data Integrity in an Active Content System Active Middleware Workshop Hilarie Orman Volera, Inc. August 6, 2001
Complex pages Multiple business interests Mechanisms Server side includes Edge Side includes Ad hoc markers URL naming tricks Efficiency Issue Minimize traffic, maximize cacheability Trends in Web Content Activity
Traditional Model Header, some fields immutable Content, immutable modulo accidents IP packets Packets might get to their destination but shouldn’t be ‘delivered’ anyplace else Security was TBD and emerged in IPsec Awkward and slow standardization Anything else ‘End-to-End’ Data Integrity: It all depends
Prevailing semantic: ‘put a picture here’ Basic Page Options DOGTOWN NEWS Dog Days Fidelius Canine A noontime high of 100 has local residents remembering the dog days of 1894, when temperatures were pegged at over the century mark for 45 consecutive days. <HTML> <BODY> <H1>DOGTOWN NEWS</H1> <HEADLINE>Dog Days</HEADLINE> <BYLINE>Fidelius Canine</BYLINE> <REGIONAL_AD h=640 w=480> <STORY>….</STORY> SALE at FIDO FOODS Beef Dinners 65 cents all week
The OPES Data Flow Content Transformations Client Requests CACHE Server Requests Client Response Server Response Rule Engine A Caching Proxy Administrative Controller
Request Data Client Proxy Proxy Request Server Request Request F(req)= G(rep)= F(req)= G(rep)= Reply Reply Reply Proxy Computed Reply Reply Data Content Adaptation Content Transducer
Complex Content Compositionand Validation Content and Modification Descriptions “insert ad” “wap transcoder” “refresh 10 min” Recipient Ponders Integrity Original Content Modified Content
Document has a part index and content Index summarizes document by hash of each “part” Each part index entry has editing permissions Modification audit trail achieved by attaching ‘verifier’ for each editing action Recipient verifies the message by comparing the received message to the action list Hash-based Editing
Signatures for Original and Modified Content gx+ry mod q
Publisher defines document and modification permissions Delegates can modify the document Anyone can validate the modified document Document can be cached anywhere Even with partial modifications Recipient can delegate modifications on his behalf Recipient can validate document Goals of Active Data Integrity
Delete Add Replaces (Delete and Add) Delegate If-Else, Select Boolean combinations Replicate Append The Verifiable Editing Language • Refresh • Permute • Cache control • ‘Exec’ • Enduser Policy • Enforcement delegation
Publisher’s index of content and permissions Signature of Publisher on index Editor’s indices of actions, delegations Signature of each editor on own index Optional intermediate validation signatures (“this message was valid when at ibm.com”) Message Structure
Index: Part1, hash value = xxx, none Part 2, hash value = yyy, delete Part 3, hash value =zzz, none Content: This is part 1 This is part 2 This is part 3 Signature { hash(Index)= AAA} Example: delete • Index: • Part1, hash value = xxx, none • Part 2, hash value = yyy, delete • Part 3, hash value =zzz, none • Content: • This is part 1 • This is part 3 • Signature {aaa} • Delete Signature {AAA, part2, delete} • Verify Index Sig • hash(part 1) = xxx • hash(part 2) = zzz
Example: replace • Index: • Part1, hash value = xxx, none • Part 2, hash value = yyy, replace • Part 3, hash value =zzz, none • Content: • This is part 1 • This is part 2 • This is part 3 • Signature { hash(Index)= • AAA} • Index: • Part1, hash value = xxx, none • Part 2, hash value = yyy, delete • Part 3, hash value =zzz, none • Content: • This is part 1 • This is the new part 2 • This is part 3 • Signature {aaa} • Replacer’s Signature {AAA, part2, replace, hash=ddd} • Verify Index Sig on AAA • hash(part 1) = xxx • hash(part 2) = zzz • Verify hash(part2)=ddd • Verify Replacer’s Sig
Modification Index Document Content Part 1 This is merely text for the heading Index Group 1 Parts Part 1: hash = xxx Part 2: hash = yyy Part 4: hash = zzz Permission none Signature = xxx Group 2 Parts Part 3: hash = aaaa Permission Delete Subject = JohnDDoe Signature = cccc Group 3 Parts Part 5: hash = bbb Permission Replace Type = gif Size < 20Kb Subject = *.all_languages.com Signature = dddd Index Signature = eeee Part 2 Start of the story and byline Part 3 <REGIONAL_AD> Part 4 Continuing onward our fearless hero ... Part 5 ALERT: SPECIAL
XML-Signature Syntax and Processing W3C Candidate Recommendation 19-April-2001 http://www.w3.org/TR/xmldsig-core/ Basis for Content Descriptors
[s01] <Signature Id="MyFirstSignature” xmlns="http://www.w3.org/2000/09/xmldsig#"> [s02] <SignedInfo> [s03] <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> [s04] <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> [s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> [s11] </Reference> [s12] </SignedInfo> [s13] <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> Standards: Simple XML Example (Signature, SignedInfo, Methods, and References)
Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> Transforms { Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/ } DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> DigestValue j6lwx3rvEPO0vKtMup4NbeVu8nk= A Reference and Digest
[s01] <Signature Id="MyFirstSignature” xmlns="http://www.w3.org/2000/09/xmldsig#"> [s02] <SignedInfo> [s03] <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> [s04] <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/> [s05] <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/"> [s06] <Transforms> [s07] <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/> [s08] </Transforms> [s09] <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> [s10] <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> [s11] </Reference> [s12] </SignedInfo> [s13] <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> [s14] <KeyInfo> [s15a] <KeyValue> [s15b] <DSAKeyValue> [s15c] <P>...</P><Q>...</Q><G>...</G><Y>...</Y> [s15d] </DSAKeyValue> [s15e] </KeyValue> [s16] </KeyInfo> [s17] </Signature>
Subjects: Author, Editors, Enduser Delegates Objects: Content and content subparts Author (aka Publisher) creates Content Modification Policy Signature on Entirety Modification policy based on content structure Non-modifiable parts require separate signature Content modifiers (e.g. OPES) Append signed actions to message Change original message Recipient validates content wrt index, mods Trust Model for Mutable Content
Delete Replace Restrictions: Content type Size URL Append/Prepend Restrictions: same type; size Delegate (monotonicity) Allowable subjects Execute Modification Permissions
Part identifier Reference or Digest Action pairs Subjects Namespace, name Public key Cert Privilege Limitations Modification Index
Entity performing the modification must sign a modification notification: Original message’s index hash Modification index entry Modifier’s ID Hash of new value (none if Delete) Example: Reference 5, Delete Modifier removes part 5 from message body Modification manifest unchanged Modifier attaches notification to message Modifier’s Actions
Optional Get message index Valid each part against permission and signature Simple case: Delete Author name and signature Modifier case: check permission subject and modifier signature Complex case: follow delegation chain Recipient Validation
New permission: refresh Applies only to a message part Included content, not referenced Permission can require both modifier and location identifier Stockquotes: only from Nasdaq.com User profile info: refresh every 30 minutes Etc. Dynamic Content
Simple conditionals If URL ; URL can be fetched without error Else Another URL Endif Modification Index Part reference for embedded conditional Subreferences for options Modifier signs reference and selection Removes embedded conditional Inserts selected option (e.g. URL) Signs Notification including hash of selection Conditional Modifications cf: Edge Side Includes, www.edge-side.com
Signed message { If URL else Other_URL by cdn.cnn.com } Signature Appended data: { Original message hash, byte offset of { If URL else Other_URL by cdn.cnn.com } Signature of cdn.cnn.com } Authenticated Includes
A distributed computing model Definition of end-to-end integrity Allows complex content composition Merges local and remote concepts Based on known technologies Dynamic and Active Content
Permission type: execute Additional parameters: locality “who” can execute it, “where” they are Arguments: message parts and environment info Output replaces the message part Notification same as ‘replace’ but includes ‘location’ signature over message hash, part hash, output Active Content
Two parts Input Program Modifier certifies to performing the replacement, Execution agent certifies to executing the program on the content Output replaces the message part Executable Content
Modification Index may be extended by message editors Add ModIndex part Sign Original Message (hash = AAA) and Hash of New ModIndex Their permissions cannot exceed permissions granted to them ‘Downstream’ recipients must verify permissions before exercising delegation Further Delegation
Recipient policies Content type, size, origin, freshness, price Delegates modification rights Delete, replace, select, translate, etc. “Delete *.badplace.com/*.gif” “Translate *.ru content-type/text to English” Redelegation to partner ISP, for example Might ban certain content parts “Never”, “always” Modifications based on Recipient Policy
Enterprise policy, ISP service Generic policy delegation Enduser -> ISP, http, content-type/html, delete *.badstuff.com/*.gif enduser signs hash of policy Might result in deletion of entire message part ISP would delete part and add signed addendum includes hash of policy authorizing the action NB: No request integrity definition Rights Delegated from Recipients
Reordering Restrictions (“not valid in Indiana”) If part 4 is deleted then add a delegation to modify part 7 Refresh times, parameters Reuse of individual parts “over 18 only” “3 uses only” Billing Audit Complex Policy
Publisher: do not delete Enduser: delete this junk Enduser delegate: delete or not? SLA’s with publishers SLA’s with publisher agents (CDN’s) Contract with endusers SEP (Douglas Adams) Policy Resolution
Even for complex composition systems, there is a verifiably meaning to data integrity Overhead appears tolerable Caching is enhanced Scalable, layer 6 policy and mechanisms Consistent with emerging standards msg, policy Data Integrity(m,p)