Design Patterns-C #-based engineering implementation and expansion supplement security design pattern Series 1 public key system and distributed environment requirements

Public key system and distributed environment requirements

Vision Wang)

2009-02-10

Summary

As a continuation of the first version of "Design Patterns-engineering implementation and expansion based on C #", we plan to launch the security design patterns series and integration pattern series) data pattern, data access pattern, XML application pattern, and UX pattern that appears with Web 2.0: user Experience Pattern)CommunityThere are already a lot of ready-made materials, so the release is delayed for the time being.

Information Security peers often emphasize "three-point technology and seven-point management". management is very important, especially for personnel management, training, and education, however, this series focuses on the "three points" and only involves the application development and design part in the "three points.

As we introduced in the gof23 classic section "design patterns-engineering implementation and expansion based on C #", most of the patterns in gof23 often focus on solving type relationships, A large number of instances also focus on the changing relationships within a "system"/"subsystem". However, as the content expands, we find that many models are also widely used in distributed systems, become a key part of the architecture model, such as proxy pattern, Observer pattern, and fa-ade pattern ), we also have many similar changes to deal with in completing the development of common information security, because the number of developers dedicated to this field is relatively small, even within the project team, the information security design model is not as clear as the development context of gof23 and other branches, however, after decades of experience in the software industry, there are also some "routines" to follow, especially for common authentication, authorization, and access control methods in development, this series mainly introduces these content based on your project experience.

Main problems faced by the Information Security Model

Information Security Systems/subsystems are first information systems/subsystems. Therefore, they share the same content as described in the gof23 design model, the same idea can be used to solve the corresponding changes of information security systems/subsystems. Different from the control requirements of other branches in the design mode, the information security mode must first solve a problem --Trust.

That is to say, no matter what information security functions/services we provide, it is always based on a relatively trusted environment. For example, we verify the user password, but the database where the user creden are stored is usually first authenticated.ProgramIt is assumed that it is credible, otherwise it will be avoided. With the increasing number of participants (users, software, systems, services, and information sources ...), We must provide a set of environments that everyone thinks are trustworthy. What is the difference between this distribution of public trust environment and the trust system that we often "hand-to-mouth?

In the former, we often use symmetric keys, while in the latter, we often need an asymmetric key system that uses certificates as creden,, and then use some public trust mechanisms/services, form a public key-based environment.

(For symmetric keys andFor more information about the concept of asymmetric keys, see the cryptography textbooks)

Another key factor is "control isolation". We can refer to the description of other design principles for the time being-control isolation, that is to say, when you want to control an object/service to access another object/service, a third-party object/service is usually used to separate the two.

Figure 01-01: Implement information security control through control isolation relationships

It is not difficult to find that the agent mode, appearance mode, and factory method (/Abstract Factory method) in the gof23part of the structure mode are difficult to meet the needs here. Therefore, to some extent, due to the complexity of object roles in information security development, security modes in actual projects often need to be combined with multiple means to effectively isolate changes.

Value factors in the Information Security Model

Unlike most of the change requirements in gof23, another obvious feature of the information security model is its value factor. Taking the Bridge pattern as an example, we mentioned in the chapter "design pattern-engineering implementation and expansion based on C #" that the reason is called "bridge ", the reason is that the client program may change to multiple factors depending on an abstract "bridge", and the Implementation type of each change object is used as the bridge pier.

Figure 01-02: Bridge Mode solution to multi-factor changes

Through this process, if more dimensions change, we can use a set of methods to solve related problems.

However, in a typical operation of Information Security Development-"Authorization", we cannot simply provide a solution. One of the key considerations is the value factors of different object entities. For example, the typical authorization method is as follows:

L role based security: Suitable for our regular business systems;

L Identity Based Security: Suitable for systems with high security levels that require granular control of user access, for example, audit systems;

L claims based security: this service is suitable for applications deployed in uncertain environments. Security is checked based on the content stated during access submission by the client;

L Resource-based security: a system centered on the target resource, mainly for sensitive resource control;

In terms of functions, the above four authorization methods are designed to implement the process of "user access function and then operate some resources", but the abstract process is different in design:

Role Based Security:

Identity Based Security:

Claims Based Security:

Resource-based security:

The same process forms multiple dependencies. What is the main cause? The key lies in our belief thatWho has greater value, More protection. Therefore, in the use of the information security model, apart from the previous "isolated changes", we also need to evaluate the value of assets (and control assets) based on risk analysis.

AOP features of Information Security Mode

AOP (Aspect-Oriented Programming) can be said to be a supplement and improvement of OOP (object-oriented programing, object-oriented programming. Oop introduces concepts such as encapsulation, inheritance, and Polymorphism to establish an object hierarchy to simulate a set of public behaviors. Oop allows you to define the relationship from top to bottom, but it is not suitable for defining the relationship from left to right. For example, log function. LogsCodeIt is often horizontally distributed across all object layers, but it has nothing to do with the core functions of the objects it spreads. This is also true for other types of code, such as security, exception handling, and transparent persistence. This unrelated code distributed everywhere is called cross-cutting code. in OOP design, it leads to a large number of code duplication, which is not conducive to the reuse of each module.

The AOP technology is the opposite. It uses a technology called "cross-cutting" to penetrate into the encapsulated object, and encapsulate the public behaviors that affect multiple classes into a group of Reusable Modules-"aspect" (aspect ). The so-called "aspect" is simply to encapsulate the logic or responsibilities that are irrelevant to the business but are called by the business module to reduce repeated system code, reducing the coupling between modules is conducive to future operability and maintainability.

Figure 01-03: AOP Loading Mechanism

In the "design pattern-engineering implementation and expansion based on C #" section, we introduce the decoration pattern based on. net's three AOP implementation mechanisms, but they have not been expanded yet. However, they are generally used as the control mechanisms for non-business logic trunk. facing so many security requirements, if security features are mixed with the business logic and business process, the complexity of the Code logic is complicated and difficult to maintain, the labor costs of developers, testers, and deployers will be increased, especially when requirements change. To this end, we need to change the design concept and adopt the idea of AOP (or dependency injection) to design and apply various pattern processing measures to the application with a low coupling degree "Weaving, but it does not affect the application logic and the application process itself.

Main fields of information security

As mentioned above, although the series is close to "three points", due to the increase of branches in the information security field, the content of the information security model service mainly includes the following fields:

Message or transmission channel Security

Transmission Channel security is relatively easy to implement, which can ensure that the composition of applications and the interaction between applications are implemented in a secure shell, but there are some restrictions:

L if only point-to-point security is designed, a third-party public key mechanism (such as NTLM, Kerberos, and Active Directory) must be used in the context of enterprise application servitization ...) Provides security. Otherwise, the cost of point-to-point security maintenance will increase by square level as applications increase;

L it is difficult to implement a routing mechanism with transit;

If security is designed at the message level, although you need to add some development or configuration workload at the application level, the following benefits can be obtained:

L security is not related to the channel, especially for transmission channels without security guarantee;

L suitable for transferring between heterogeneous applications;

L it is particularly suitable for Distributed long transaction service calls that require multiple routes or persistence;

Due to the different focus, the two security universal application modes are also different.

Authentication

It mainly includes:

L user information storage. For example, you can use your own user database or the LDAP system's unified personnel information;

L post or role storage. For example, the custom role table is obtained through the soap call of the Unified Enterprise authorization platform;

L call method: is it a per call or a cache after one-time authentication? Is each application completed independently or based on SSO?

In addition, for enterprise intranet projects, consider the following:

L can I use SQL Server and Oracle as membership provider?

L whether Active Directory and Kerberos authentication are used;

L whether to use a certificate, IC card, or USB key for authentication;

For enterprise Internet projects, you must also carefully consider the issue of user information creden。 and their carriers.

Authorization

According to the requirements of different security levels, authentication and authorization also need to define different security implementation policies, or even use different policies together, as mentioned above:

L role based security;

L identity based security;

L claims based security;

L resource based security;

Audit and Log System

Although, according to the requirements of application classified protection, the applications developed by enterprises gradually include audit and logs in the conventional development content, in addition to the application's own functions, you can also use the features of the development platform and integrated products, for example:

L in WCF and ASP. NET applications, you can specify whether to record and record the path information in detail by configuring;

L business continuity-oriented event modeling for WMI events combined with the enterprise security operation management platform;

Exception management

Relatively speaking, the existing operating systems of most enterprises are weak in application Exception management. Most of the exceptions reported by applications are unpackaged, and too many technical details are often leaked; however, if the encapsulated content is too superficial, It is not conducive to providing on-site technical support (that is, supportability is not good ). To this end, developers need to define policies to create consistent policies for exception handling at all layers of the application, and provide the following three handler (handler ):

L wrap handler: Wrap an original exception within another new exception, and the original exception object will be kept in the innerexception attribute;

L replace handler: replace one exception with another exception;

L logging handler: The exception handler first formats the exception information, such as the message and stack trace, and then the logging handler records the exception content;

Proxy and Delegation

Due to the distribution of programs, in order to reduce the workload of enterprise system management personnel, it is often necessary to set up a proxy account or define the account principal relationship in development to complete the application design.

Figure 01-04: account and delegated account

These two features are even more important in the context of internationalization and regionalization of Enterprise businesses. More and more businesses are breaking the existing boundary. Therefore, function authorization should not only describe the functions that users can accomplish, you also need to use the proxy and Commission to explain the scope of the tasks in which the functions are completed in the name of "who. In addition to simple delegation, enterprises often need to restrict the direction of delegation and proxy, and add necessary approval methods to the territorial relationship of resource access.

Packet, message, and parameter check

In many cases, the application security threats come from the interaction process. If the circumstances are light, the effectiveness of business processing may be affected. Otherwise, illegal users may obtain super management permissions, threats to the security of enterprise's networked information systems and networks. For example:

L without restrictions, users may enter numbers in any format, and may access information in other regions out of the border;

L for ASP. NET applications, if the submitted querystring or form content is not checked, SQL injection attacks may occur;

Therefore, the application must perform necessary checks on packets, messages, and call parameters. Otherwise, the application cannot "open" the information system of the enterprise.

Application Characteristics of Information Security Mode

Different from the above information security field, the information security mode adopts the object-oriented design and case study method because it is a design concept, including:

L use an object-oriented model to analyze information security processes such as authorization and authentication;

L abstract Association factors, and the idea of guiding the information security model is also to "rely on abstraction rather than concrete ";

L demonstrate various enterprise specifications with constraints in object-oriented modeling;

In this way, the information security model is consistent with our design foundation in gof23, therefore, we can use the security design pattern idea in a similar way to analyze repeated problems and "regular solutions" in various information fields ".

In the classic "design patterns", we are used to the conventional style introduced by the patterns:

L intent

L motivation

L Applicability

L Structure

L maid

L collaborations

L consequences

L Implementation

L known uses

L related patterns

This series uses the following methods for clarity and simplicity:

L motivation, problem, and forces: Describe the Situation, Problems, and various restrictions;

L solution: the process of analyzing, designing, and obtaining the "Regular Solution", including clarifying participants, collaboration, and execution duration;

L implementation and sequences: C # And. NET platform provides a standard implementation, and follows the design model-engineering implementation and expansion based on C # To solve the problem, and tries to provide a implementation case closer to the actual project. If your platform is Java EE and Dynamic Language, you can refer to similar implementation ideas;

L related patterns: analyzes the relationship between the pattern and other pattern (not limited to the Information Security Pattern;

L known uses and known non-security users, however, the results are not "safe.

Anti-pattern in information security mode

In addition, like many anti pattern, there are also many typical anti security design pattern in the information security field. Here is an example:

Motivation, Problem, Forces

Enterprise applications generally need to check the user's identity. After confirmation, we allow the user to perform subsequent operations. Although in typical processing, we can deploy the PKI environment, first place a secure "nest" for the application, but considering the business launch time, we decided to adopt the project self-developed method.

Some constraints are as follows:

L The project adopts the Smart Client mode;

L due to the large number of enterprise users and wide distribution, the existing Enterprise Authentication Framework is concentrated in the Headquarters information center. Therefore, how to improve the authentication efficiency becomes a key indicator for application;

L because Enterprise Portal Login requires frequent logon to different functions, if you need to log on to different functions each time, it requires a long network to reciprocating, and the user experience is poor, even Ajax users have lost their freshness in "Rotating small circles;

Solution

Refer to the introduction in the design pattern-engineering implementation and Extension Based on C #, and introduce the authentication cache proxy on the client, it is designed to cache the user iidentity in the memory of the Client After Authentication in different applications during the first call, and check all subsequent calls based on the authentication of the memory.

Static Structure

Figure 01-05: add the Authentication Proxy structure after the Authentication Buffer

(SubjectThe content is responsible for authentication and feedback of authentication information)

Execution sequence

The execution sequence is as follows:

Figure 01-06: add the execution sequence of the Authentication Proxy after the Authentication Buffer

Analysis

Although the above design solves the authentication problem from two aspects: Performance and isolation change, it is a typical "self-deception" approach from the information security perspective, because other programs can easily modify the client memory through multiple means, which does not implement any protection cache, even with the help of channel sniffer and other methods, it is easy to use the "resend" method to call this authenticated call, therefore, although the "local cahced proxy" mode is not anti pattern from the design pattern perspective, it is an anti pattern if it is implemented in the security field.

Then you may say "no absolute security". Indeed, in actual projects, we often need to combine multiple modes, however, if a "routine" is feasible or even perfect in a context, but in fact, from the information security perspective, it is very easy for him to undermine the domain goals that this "routine" serves, we can often define this confusing "routine" as an anti idiom/pattern.

Inheritance relationship of Information Security Mode

Taking authorization as an example, many authorization functions have already formed a "routine", which is itself an authorization pattern family. The basic authorization pattern structure is as follows:

Figure 01-07: static structure of authorization pattern

However, in actual projects, we often find that users in the same job have similar access permissions. even most of the enterprise's business permission regulations are for posts rather than individual users, therefore, the authorization mode can be further extended to the role-based security (RBAC: Role-Based Access Control) that everyone is familiar with. This "routine" Mode also changes to RBAC pattern, its static structure is as follows:

Figure 01-08: static structure of RBAC Pattern

As described above, the role here is to provide additional control measures for further security measures. The relationship between the two response modes can also be reflected as a typical inheritance feature:

Figure 01-08: inheritance relationship between authorization Modes

Others

In the future, this series will introduce a series of information security models based on the "information security field" mentioned above.

Bookmarks on design patterns-engineering implementation and expansion based on C #

On the cover of design patterns-engineering implementation and expansion based on C #

About Design Patterns-implementation and expansion of C #-based engineering, e-books and sample code release, and the beginning of Internet subscription

Pricing modification of design model-C #-based engineering implementation and expansion

"My first planning practices"

My first planning practice-the door to initial directory Analysis

Help you create flexible, scalable, and easy-to-maintain software entities

"Wang Xiang-Design Mode C # engineering implementation" online lecture material download

Expression Pattern of Design Pattern

For more information about "entrepreneurship and promotion", see "getting out of software Workshop".

For more information about "job search and interview", see the beauty of programming-Microsoft technical interview experience.