OSF DCE Application Development Guide--Core Components

DCE Security Service
23.1.1 Principals
Previously in this guide, we defined the term ‘‘principal’’ rather loosely. ‘‘Principal’’ is
more precisely defined as follows: an entity that is capable of believing that it can
communicate securely with another entity. In DCE Security, principals are represented
as entries in the Registry database. DCE principals include the following:
Users, who are also referred to as ‘‘interactive principals’’
Instances of DCE servers
Instances of application servers
Computers in a DCE cell
Authentication Service surrogates
The Registry database entry representing every principal contains the name of the
principal and a secret key that the principal shares with the Authentication Service. (It is
by comparing the secret key in the Registry with the one supplied when a principal
requests authentication that the Authentication Service authenticates a principal.) In the
case of a user, the secret key is derived from the user’s password. In order to establish its
identity as a principal, a noninteractive principal, such as a server or computer, must
store its secret key in a data file or hardware device, or rely on a system administrator to
enter it.
The Security Server itself comprises three principals that correspond to the three services
that it provides: Registry, Privilege, and Authentication.
Note: The Authentication Service is an exceptional principal in that it does not
share its key with any other principal. Authentication Service surrogates
are also exceptional in that they are not autonomous participants in
authenticated communications, as other kinds of principals are.
Authentication surrogates more resemble aliases for the Authentication
Services of cells. (Refer to the discussion of intercell authentication in this
chapter for more information on these subjects.)
In the theory of Shared-Secret Authentication (and perhaps some other authentication
protocols as well), all principals are untrusted, except for the Authentication Service
itself. Therefore, a security-sensitive application would authenticate all such principals
with which it may communicate. However, since the Security Service implements the
Registry Service, the Privilege Service, and the Authentication Service (including its
surrogates) as a single server process, it is not necessary for any DCE application to
authenticate these principals.
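To make the shared-key check described above concrete, the following is an added model (not DCE code and not the DCE API) of a Registry holding one secret key per principal, a password-derived key for an interactive principal, a stored key for a noninteractive one, and an Authentication Service that verifies a principal by checking a keyed MAC over a fresh challenge instead of receiving the key itself. The key-derivation function, the challenge and proof format, the cell name and the principal names are assumptions of this model; DCE's actual string-to-key algorithm and its Kerberos-style ticket exchange are not reproduced.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed derivation for interactive principals: DCE derives a user's key from
# the password, but its real string-to-key algorithm is not modelled here.
def derive_user_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Registry:
    """Model of the Registry database: principal name -> shared secret key."""
    def __init__(self) -> None:
        self._entries: Dict[str, bytes] = {}

    def add_user(self, name: str, password: str, salt: bytes) -> None:
        self._entries[name] = derive_user_key(password, salt)

    def add_server(self, name: str, key: bytes) -> None:
        # Noninteractive principals (servers, hosts) keep a stored key, e.g. in a key file.
        self._entries[name] = key

    def key_for(self, name: str) -> Optional[bytes]:
        return self._entries.get(name)

class AuthenticationService:
    """One Authentication Service instance; its Registry defines the cell's principals."""
    def __init__(self, cell: str, registry: Registry) -> None:
        self.cell = cell
        self.registry = registry

    def challenge(self) -> bytes:
        # Fresh per-request nonce, so a captured proof cannot be replayed later.
        return secrets.token_bytes(16)

    def verify(self, name: str, challenge: bytes, proof: bytes) -> bool:
        key = self.registry.key_for(name)
        if key is None:
            return False  # no such principal in this cell's Registry
        expected = hmac.new(key, self.cell.encode() + challenge, "sha256").digest()
        return hmac.compare_digest(expected, proof)

def prove(key: bytes, cell: str, challenge: bytes) -> bytes:
    """Principal side: demonstrate knowledge of the shared key without sending it."""
    return hmac.new(key, cell.encode() + challenge, "sha256").digest()
```

Binding the cell name into the proof means a proof built for another cell's Authentication Service is rejected, which mirrors the definition of a cell as the set of principals sharing a key with one Authentication Service instance.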
23.1.2 Cells and Realms
The cell is the basic unit of configuration and administration in DCE. In terms of
Security, a cell is the set of principals that share a secret key with an instance of the
Authentication Service. Therefore, each instance of a Security Server (not counting its
232 Tandem Computers Incorporated 124245