Secure Directory: Protection Against Data Tampering
Directories are generally deployed in support of other applications, such as messaging and PKI (Public Key Infrastructure) based security. Information in the directory is usually openly available to any client with access to the directory servers, which may be on the Internet or on a closed network or LAN/VPN.
This open access to data means that there are generally no security concerns related to data confidentiality or on controlling access to data – a goal of the directory is to make information available.
However, data in the directory is often of critical importance to the applications using the directory. Tampering with or removing data in the directory can cause severe problems to such applications. Isode's Secure Directory solution provides a high level of protection against such problems. This page describes the security threats, and how Isode's Secure Directory solution protects against them.
Application Security Threats
The nature of the security threat to applications that rely on a directory, arising from tampering with or removal of directory data, is illustrated by three examples:
- PKI enabled applications typically check for revoked certificates by use of CRLs (Certificate Revocation Lists) stored in a directory. If the CRL is removed, the checking cannot take place. This can lead to denial of service (if lack of CRL causes validation failure) or security breach by allowing use of a revoked certificate (if lack of CRL does not cause validation failure).
- An application uses the directory to determine authorization for a user, based on an attribute stored in the directory. Changing the attribute can change the user’s rights for that application.
- An application or client looks up a user's email address in the directory and sends critical information. Modifying the email address in the directory could lead to this information going to an unintended destination and also it would not be seen by the intended
The nature of the threat will depend on the details of the application using the directory. The requirement for directory security will depend on the severity of such threats to the directory user.
Directory Security Threats
From a directory viewpoint, there are two basic ways in which the application security threats above can arise:
- Modification or removal of data in the directory.
- Spoofing the directory to the user, or spoofing an internal component of the directory to another part of the directory. The user thinks that data is coming from the directory, whereas it is actually coming from somewhere else.
The net effect of both of these types of attack is the same.
The important protection against both of these attacks is authentication. If a directory server is modifying data, it should correctly authenticate the client requesting the changes. If a client (or directory server) is receiving data from a directory server it should authenticate the server. Correct authentication will enable these attacks to be prevented.
Isode's Secure Directory solution is based on strong authentication, using digital signatures and PKI to provide several services:
- Client authentication: The server validates the client.
- Server authentication: The client validates the server.
- Server/Server authentication: Directory servers validate each other in support of data replication and chaining (where a directory query is passed between directory servers).
- Signed Operations: Individual directory operations are signed, to provide additional protection.
Strong authentication provides a higher level of protection than password based authentication. It simplifies administration for server/server authentication, and enables server authentication and signed operations (which cannot be provided with password based authentication).
More information on strong authentication is provided in three Isode white papers:
- Why Strong Authentication for Directory?
- The Security and Administrative Benefits of using X.509 PKI based Strong Authentication
- Directory Signed Operations
The strong authentication capabilities described above are supported by Isode's M-Vault directory server. This includes the ability to require signed operations for all updates, which enforces a high level of security for all changes to directory data.
Isode also provides Sodium (Secure Open Data, Identity and User Manager) as an administrative tool for securely managing data in the directory (shown above). This is a critical component of a secure directory system.
While strong authentication is the central capability that differentiates Isode’s Secure Directory, there are some related capabilities that are also important:
- Access control. It is essential to be able to specify who can make changes to data, in conjunction with strong authentication.
- Audit logging. All directory activities are recorded in an audit log, including the validation of authentication. In the event of problems such as an administrator making inappropriate data changes, this record is critical.
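The three capabilities described above (signed operations verified against a trusted key, an access control check on who may change an entry, and an audit record of every accepted or refused update) are illustrated by the following added example. It is not Isode's or M-Vault's code: Ed25519 keys stand in for X.509 PKI certificates, the ModifyOp and Server types are simplified stand-ins for a real directory protocol and server, and all names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// ModifyOp is a simplified directory modify request; its JSON encoding is what gets signed.
type ModifyOp struct{ DN, Attr, Value string }
// SignedOp: the operation, the signer's name and an Ed25519 signature over the encoded
// operation (Ed25519 keys stand in for X.509 PKI certificates in this example).
type SignedOp struct {
	Op     ModifyOp
	Signer string
	Sig    []byte
}
// Server: trusted signer keys, per-entry write ACL, entries (caller initialises), audit log.
type Server struct {
	Keys    map[string]ed25519.PublicKey
	ACL     map[string]map[string]bool // DN -> signers allowed to modify that entry
	Entries map[string]map[string]string
	Audit   []string
}
func encode(op ModifyOp) []byte { b, _ := json.Marshal(op); return b }
// Sign is the client side: sign the operation with the client's private key.
func Sign(priv ed25519.PrivateKey, signer string, op ModifyOp) SignedOp {
	return SignedOp{Op: op, Signer: signer, Sig: ed25519.Sign(priv, encode(op))}
}
// audit records the outcome of every update attempt, accepted or refused.
func (s *Server) audit(so SignedOp, err error) error {
	s.Audit = append(s.Audit, fmt.Sprintf("%s modify %s %s: %v", so.Signer, so.Op.DN, so.Op.Attr, err))
	return err
}

// Apply stores the change only if the signature verifies and the signer is on the entry's ACL.
func (s *Server) Apply(so SignedOp) error {
	pub, ok := s.Keys[so.Signer]
	if !ok || !ed25519.Verify(pub, encode(so.Op), so.Sig) {
		return s.audit(so, fmt.Errorf("signature verification failed"))
	}
	if !s.ACL[so.Op.DN][so.Signer] { // indexing a nil inner map is safe: yields false
		return s.audit(so, fmt.Errorf("signer not authorised for entry"))
	}
	if s.Entries[so.Op.DN] == nil {
		s.Entries[so.Op.DN] = map[string]string{}
	}
	s.Entries[so.Op.DN][so.Op.Attr] = so.Op.Value
	return s.audit(so, nil)
}
```

A forged signature, an operation altered after signing, and a correctly signed request from a signer not on the entry's ACL are all refused, and each refusal leaves an audit line while the stored data stays unchanged.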