Copyright © Cloud Software Group, Inc. All Rights Reserved |
A secure environment addresses concerns of data authentication, authorization, privacy, and integrity.

Data authentication is the practice of determining that an entity (such as a person or system process) is who it claims to be. This verification can be performed through use of a shared secret system, such as requiring a password, or through certificates and digital signatures. The process involves three steps.
1. The entity that is to identify itself to a verifying entity provides an identifier to that verifying entity. The identifier specifies that the originating entity has a particular identity.
2. The verifying entity then receives the identifier from the entity. It uses a verifier to check the authenticity of the entity’s claim. In some instances, the verifying entity can be its own verifier.
3. The verifier makes sure that an entity is who it claims it is. This process may or may not involve communication with the entity making the claim.

In identity-only authentication, the system does not verify that the entity is who it claims to be, but does pass the entity’s identifier to other parts of the system. This is the lowest level of authentication, and is useful where the costs of a more secure authentication system preclude higher degrees of security, but identity is still important. This sort of authentication is suitable only where non-sensitive data is involved.

Shared secret authentication is where each entity has a secret, such as a password, that is shared with the authentication system. Proof that the entity holds the secret can take one of the following forms.
• The secret is sent from the entity to the verifier. Web browsers using the basic authentication web paradigm use this method. It is not very secure, because the secret itself is exposed in transit and it is therefore possible to impersonate the entity. More security can be added by encrypting the conversation.
• The secret is used to encrypt a commonly known piece of data. The encrypted data is then sent to the authentication system, which verifies the identity of the sender by performing its own encryption of the same data and comparing the result with the sender’s data.
• A “challenge-response” protocol is used, wherein the verifier provides a piece of randomly generated data, which the sending entity encrypts using the shared secret. The entity sends back the encrypted data, which the verifier then compares with its own version. If they match, the verifier accepts that the entity is who it claims it is. Because each challenge is fresh, the secret never travels over the connection.

Digital certificates are a means whereby an entity has a public-private key pair and registers the public key with a Certificate Authority. The infrastructure required for a public key system is referred to as a Public Key Infrastructure (PKI), of which the third-party Certificate Authority is a part. The Certificate Authority issues a certificate, containing information about the entity and the entity’s public key, and signs it.

To provide authentication of identity, the authentication system challenges the entity in a similar manner to the challenge-response protocol. The entity signs the challenge using its private key, and the system verifies this signature using the entity’s public key.

Further information concerning security certificates can be found in the TIBCO Hawk Installation, Configuration, and Administration Guide.
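The shared-secret challenge-response exchange described above, as an added example that is not part of this guide or of TIBCO Hawk. It keys a hash (HMAC-SHA256) with the secret in place of the encryption the text mentions, uses a fresh random challenge per attempt, consumes each challenge once so a captured response cannot be replayed, and compares in constant time. The credential store, identifier and secret are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample credential store: entity identifier -> shared secret.
# (Assumed names and values; not TIBCO Hawk's own data structures.)
SHARED_SECRETS = {"hawk-agent-01": b"constructed-example-secret"}


class Verifier:
    """Authentication-system side of the challenge-response protocol."""

    def __init__(self, secrets_db):
        self._secrets = secrets_db
        self._outstanding = {}  # identifier -> challenge awaiting an answer

    def issue_challenge(self, identifier):
        # Randomly generated, single-use data: a fresh value per attempt
        # means an old response is useless to anyone who captured it.
        challenge = secrets.token_bytes(32)
        self._outstanding[identifier] = challenge
        return challenge

    def verify(self, identifier, response):
        # Pop, not get: each challenge may be answered exactly once.
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(identifier)
        if challenge is None or secret is None:
            return False
        # The verifier computes its own version from the shared secret and
        # compares it with the entity's answer in constant time.
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prove(secret, challenge):
    """Entity side: answer the challenge with a keyed hash.
    The secret itself never leaves the entity."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def run_exchange(verifier, identifier, secret):
    """Full round trip: challenge, response, verdict."""
    challenge = verifier.issue_challenge(identifier)
    return verifier.verify(identifier, prove(secret, challenge))
```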