Integrity for Activated Content - PowerPoint PPT Presentation

Slides: 37
Provided by: hor69
Learn more at: http://www.flux.utah.edu

Transcript and Presenter's Notes

Title: Integrity for Activated Content


1
Integrity for Activated Content
Data Integrity in an Active Content System
Active Middleware Workshop
Hilarie Orman, Volera, Inc.
August 6, 2001
2
Trends in Web Content Activity
  • Complex pages
  • Multiple business interests
  • Mechanisms
    • Server side includes
    • Edge Side includes
    • Ad hoc markers
    • URL naming tricks
  • Efficiency issue
    • Minimize traffic, maximize cacheability

3
Data Integrity: It all depends
  • Traditional model
    • Header: some fields immutable
    • Content: immutable modulo accidents
  • IP packets
    • Packets might get to their destination but
      shouldn't be delivered anyplace else
    • Security was TBD and emerged in IPsec
    • Awkward and slow standardization
  • Anything else: End-to-End

4
Basic Page Options
  • Prevailing semantic: "put a picture here"

Rendered page (slide graphic):
  DOGTOWN NEWS
  Dog Days
  Fidelius Canine
  A noontime high of 100 has local residents remembering the dog days of 1894,
  when temperatures were pegged at over the century mark for 45 consecutive days.
  SALE at FIDO FOODS  Beef Dinners 65 cents all week

Markup:
  <HTML> <BODY> <H1>DOGTOWN NEWS</H1> <HEADLINE>Dog Days</HEADLINE>
  <BYLINE>Fidelius Canine</BYLINE> <REGIONAL_AD h=640 w=480> <STORY>...</STORY>
5
The OPES Data Flow
(Diagram: a caching proxy with a cache, a rule engine and an administrative controller, performing content transformations; labelled flows: Client Requests, Server Requests, Server Response, Client Response)
6
(No Transcript)
7
Complex Content Composition and Validation
(Diagram: Original Content, annotated with Content and Modification Descriptions such as "insert ad", "wap transcoder", "refresh 10 min", becomes Modified Content; the Recipient ponders its integrity)
8
Hash-based Editing
  • Document has a part index and content
  • Index summarizes document by hash of each part
  • Each part index entry has editing permissions
  • Modification audit trail achieved by attaching
    verifier for each editing action
  • Recipient verifies the message by comparing the
    received message to the action list

9

Signatures for Original and Modified Content
gxry mod q
10
Goals of Active Data Integrity
  • Publisher defines document and modification
    permissions
  • Delegates can modify the document
  • Anyone can validate the modified document
  • Document can be cached anywhere
    • Even with partial modifications
  • Recipient can delegate modifications on his
    behalf
  • Recipient can validate document

11
The Verifiable Editing Language
  • Delete
  • Add
  • Replace (Delete and Add)
  • Delegate
  • If-Else, Select
  • Boolean combinations
  • Replicate
  • Append
  • Refresh
  • Permute
  • Cache control
  • Exec
  • Enduser policy
  • Enforcement delegation

12
Message Structure
  • Publisher's index of content and permissions
  • Signature of Publisher on index
  • Editors' indices of actions, delegations
  • Signature of each editor on own index
  • Optional intermediate validation signatures
    ("this message was valid when at ibm.com")

13
Example: delete
  Original message
  • Index
    • Part 1, hash value xxx, none
    • Part 2, hash value yyy, delete
    • Part 3, hash value zzz, none
  • Content
    • This is part 1
    • This is part 2
    • This is part 3
  • Signature on hash(Index): AAA
  Modified message
  • Index (unchanged)
    • Part 1, hash value xxx, none
    • Part 2, hash value yyy, delete
    • Part 3, hash value zzz, none
  • Content
    • This is part 1
    • This is part 3
  • Signature: aaa
  • Delete Signature over (AAA, part 2, delete)
  Recipient checks
  • Verify Index Sig
  • hash(part 1) = xxx
  • hash(part 3) = zzz

14
Example: replace
  Original message
  • Index
    • Part 1, hash value xxx, none
    • Part 2, hash value yyy, replace
    • Part 3, hash value zzz, none
  • Content
    • This is part 1
    • This is part 2
    • This is part 3
  • Signature on hash(Index): AAA
  Modified message
  • Index (unchanged)
    • Part 1, hash value xxx, none
    • Part 2, hash value yyy, replace
    • Part 3, hash value zzz, none
  • Content
    • This is part 1
    • This is the new part 2
    • This is part 3
  • Signature: aaa
  • Replacer's Signature over (AAA, part 2, replace,
    hash = ddd)
  Recipient checks
  • Verify Index Sig on AAA
  • hash(part 1) = xxx
  • hash(part 3) = zzz
  • Verify hash(part 2) = ddd
  • Verify Replacer's Sig

15
Modification Index (diagram)
  Document
    Part 1: This is merely text for the heading
    Part 2: Start of the story and byline
    Part 3: <REGIONAL_AD>
    Part 4: Continuing onward our fearless hero ...
    Part 5: ALERT SPECIAL
  Index
    Group 1: Parts: Part 1 hash xxx, Part 2 hash yyy, Part 4 hash zzz;
             Permission: none; Signature: xxx
    Group 2: Parts: Part 3 hash aaaa; Permission: Delete; Subject: JohnDDoe;
             Signature: cccc
    Group 3: Parts: Part 5 hash bbb; Permission: Replace, Type gif, Size < 20Kb;
             Subject: .all_languages.com; Signature: dddd
    Index Signature: eeee
16
Basis for Content Descriptors
  • XML-Signature Syntax and Processing
    • W3C Candidate Recommendation 19-April-2001
    • http://www.w3.org/TR/xmldsig-core/

17
Standards: Simple XML Example (Signature,
SignedInfo, Methods, and References)
  s01 <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  s02   <SignedInfo>
  s03     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  s04     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  s05     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
  s11     </Reference>
  s12   </SignedInfo>
  s13   <SignatureValue>MC0CFFrVLtRlk...</SignatureValue>

18
A Reference and Digest
  <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
  </Reference>

19
  s01 <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  s02   <SignedInfo>
  s03     <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  s04     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
  s05     <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
  s06       <Transforms>
  s07         <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
  s08       </Transforms>
  s09       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  s10       <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
  s11     </Reference>
  s12   </SignedInfo>
  s13   <SignatureValue>MC0CFFrVLtRlk...</SignatureValue>
  s14   <KeyInfo>
  s15a    <KeyValue>
  s15b      <DSAKeyValue>
  s15c        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
  s15d      </DSAKeyValue>
  s15e    </KeyValue>
  s16   </KeyInfo>
  s17 </Signature>

20
Trust Model for Mutable Content
  • Subjects: Author, Editors, Enduser Delegates
  • Objects: Content and content subparts
  • Author (aka Publisher) creates
    • Content
    • Modification policy
    • Signature on entirety
  • Modification policy based on content structure
    • Non-modifiable parts require separate signature
  • Content modifiers (e.g. OPES)
    • Append signed actions to message
    • Change original message
  • Recipient validates content with respect to index and modifications

21
Modification Permissions
  • Delete
  • Replace
    • Restrictions
      • Content type
      • Size
      • URL
  • Append/Prepend
    • Restrictions: same type, size
  • Delegate (monotonicity)
    • Allowable subjects
  • Execute

22
Modification Index
  • Part identifier
    • Reference or
    • Digest
  • Action pairs
    • Subjects
      • Namespace, name
      • Public key
      • Cert
    • Privilege
    • Limitations

23
Modifier's Actions
  • Entity performing the modification must sign a
    modification notification
    • Original message's index hash
    • Modification index entry
    • Modifier's ID
    • Hash of new value (none if Delete)
  • Example: Reference 5, Delete
    • Modifier removes part 5 from message body
    • Modification manifest unchanged
    • Modifier attaches notification to message

24
Recipient Validation
  • Optional
  • Get message index
  • Validate each part against permission and signature
    • Simple case: Delete
      • Author name and signature
    • Modifier case: check permission subject and
      modifier signature
    • Complex case: follow delegation chain
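
Added example (not from the deck, and not Volera's implementation): a small Python model of the hash-based editing scheme of slides 8, 13, 14, 23 and 24. It assumes SHA-256 for part hashes and, as a stand-in for the public-key signatures the slides use, an HMAC keyed by a per-subject secret that the verifier also holds; each index entry carries an (action, subject) permission as on slide 15, and a notification holds the original index hash, the index entry, the modifier's ID and the hash of the new value.

```python
import hashlib, hmac, json
KEYS = {"publisher": b"pub-secret", "editor": b"ed-secret"}  # constructed stand-in keys

def h(data):
    return hashlib.sha256(data).hexdigest()

def canon(obj):  # deterministic encoding of whatever is hashed or signed
    return json.dumps(obj, sort_keys=True).encode()

def sign(subject, obj):  # HMAC stands in for the subject's public-key signature (assumption)
    return hmac.new(KEYS[subject], canon(obj), "sha256").hexdigest()

def publish(parts, perms):
    """Publisher's index: part id, hash and (action, subject) permission; publisher signs it."""
    index = [{"part": i, "hash": h(p), "perm": perms.get(i, ("none", None))}
             for i, p in enumerate(parts)]
    return {"index": index, "index_sig": sign("publisher", index),
            "content": dict(enumerate(parts)), "notifications": []}

def modify(msg, editor, part, action, new_value=None):
    """Editor applies a delete/replace and appends a signed notification (slide 23)."""
    notif = {"index_hash": h(canon(msg["index"])), "entry": msg["index"][part],
             "modifier": editor, "action": action,
             "new_hash": None if action == "delete" else h(new_value)}
    if action == "delete":
        del msg["content"][part]
    else:
        msg["content"][part] = new_value
    msg["notifications"].append((notif, sign(editor, notif)))
    return msg

def validate(msg):
    """Recipient: index signature, then each part against its hash or a permitted, signed notification."""
    if not hmac.compare_digest(sign("publisher", msg["index"]), msg["index_sig"]):
        return False
    acted = {}
    for notif, sig in msg["notifications"]:
        e = notif["entry"]
        if (notif["index_hash"] != h(canon(msg["index"])) or e not in msg["index"]
                or tuple(e["perm"]) != (notif["action"], notif["modifier"])  # permission subject check
                or notif["modifier"] not in KEYS
                or not hmac.compare_digest(sign(notif["modifier"], notif), sig)):
            return False
        acted[e["part"]] = notif
    for e in msg["index"]:
        p, n = msg["content"].get(e["part"]), acted.get(e["part"])
        expect = e["hash"] if n is None else n["new_hash"]  # None: part must be gone
        if (p is None) != (expect is None) or (p is not None and h(p) != expect):
            return False
    return True
```

An unsigned edit, a replace where only delete was granted, or a notification signed by a subject other than the permitted one all fail validation, while the permitted delete and replace of slides 13 and 14 pass.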

25
Dynamic Content
  • New permission: refresh
    • Applies only to a message part
    • Included content, not referenced
  • Permission can require both modifier and location
    identifier
    • Stock quotes only from Nasdaq.com
    • User profile info: refresh every 30 minutes
    • Etc.

26
Conditional Modifications (cf. Edge Side
Includes, www.edge-side.com)
  • Simple conditionals
    • If URL (URL can be fetched without error)
    • Else
      • Another URL
    • Endif
  • Modification Index
    • Part reference for embedded conditional
    • Subreferences for options
  • Modifier signs reference and selection
    • Removes embedded conditional
    • Inserts selected option (e.g. URL)
    • Signs notification including hash of selection

27
Authenticated Includes
  • Signed message
    • "If URL else Other_URL by cdn.cnn.com"
    • Signature
  • Appended data
    • Original message hash, byte offset of
      "If URL else Other_URL by cdn.cnn.com"
    • Signature of cdn.cnn.com

28
Dynamic and Active Content
  • A distributed computing model
  • Definition of end-to-end integrity
  • Allows complex content composition
  • Merges local and remote concepts
  • Based on known technologies

29
Active Content
  • Permission type: execute
  • Additional parameters: locality
    • who can execute it, where they are
  • Arguments: message parts and environment info
  • Output replaces the message part
  • Notification: same as replace,
    but includes location signature over message
    hash, part hash, output

30
Executable Content
  • Two parts
    • Input
    • Program
  • Modifier certifies to performing the replacement,
    execution agent certifies to executing the
    program on the content
  • Output replaces the message part

31
Further Delegation
  • Modification Index may be extended by message
    editors
    • Add ModIndex part
    • Sign Original Message (hash AAA)
      and Hash of New ModIndex
  • Their permissions cannot exceed permissions
    granted to them
  • Downstream recipients must verify permissions
    before exercising delegation

32
Modifications based on Recipient Policy
  • Recipient policies
    • Content type, size, origin, freshness, price
  • Delegates modification rights
    • Delete, replace, select, translate, etc.
    • Delete .badplace.com/.gif
    • Translate .ru content-type/text to English
  • Redelegation to partner ISP, for example
  • Might ban certain content parts
    • Never, always

33
Rights Delegated from Recipients
  • Enterprise policy, ISP service
  • Generic policy delegation
    • Enduser -> ISP,
      http, content-type/html, delete
      .badstuff.com/.gif
    • enduser signs hash of policy
  • Might result in deletion of entire message part
    • ISP would delete part and add signed addendum
    • includes hash of policy authorizing the action
  • NB: No request integrity definition

34
Complex Policy
  • Reordering
  • Restrictions (not valid in Indiana)
  • If part 4 is deleted then add a delegation to
    modify part 7
  • Refresh times, parameters
  • Reuse of individual parts
    • over 18 only
    • 3 uses only
  • Billing
  • Audit

35
Policy Resolution
  • Publisher: do not delete
  • Enduser: delete this junk
  • Enduser delegate: delete or not?
    • SLAs with publishers
    • SLAs with publisher agents (CDNs)
    • Contract with endusers
    • SEP (Douglas Adams)

36
? msg, policy Data Integrity(m,p)
  • Even for complex composition systems, there is a
    verifiable meaning to data integrity
  • Overhead appears tolerable
  • Caching is enhanced
  • Scalable, layer-6 policy and mechanisms
  • Consistent with emerging standards