Thursday, 12 October 2017

Pull security model vs Push security model or how to unlock a door properly

In this article I will present two security models: pull and push. I will use a simple example, an Electronic Door Unlocking System (EDUS), to explain how both models work.

Probably everyone has had something to do with an EDUS. It is the most common access control solution; you meet it in every office and public building. A user gets an RFID card that allows them to unlock doors: hold the card close to the reader, hear a 'beep', and the door unlocks.
It is a fairly old solution, and it is based on the pull security model.

Let's start with a simple diagram showing how an EDUS based on the pull security model works today:

[diagram: pull security model]


SP - Service Provider, the electronic lock that opens a door
IDA - Identity Authenticator, the application that knows who can open which door
IDH - Identity Holder, in our case the RFID card, but it can be any device that can keep the user's secret data; there is always a real person behind the IDH who wants to "open the door"

In this solution the key role is played by the SP: it pulls the identity details from the IDH and sends them to the IDA. That means every SP handles the secret data of each IDH presented to it, and over time of most IDHs registered in the system. For that reason every single SP has to be protected in order to protect the users' secret data. The whole system is compromised as soon as someone tampers with one of the doors and starts copying users' secrets, because a copied secret works at every other door too. Note that with the common low-frequency RFID badges this is trivial: the card simply transmits a fixed ID, so anything that can read it can clone it.
This makes the solution very hard to secure. If you have 100 doors in the building, you have to protect each one of them, physically and electronically, to make sure the building and all users' data are secure. The security of the whole system is the security of its weakest reader, which is what makes the pull security model fundamentally weak.
Nevertheless the pull security model is widely used in a lot of IT solutions. A good example of such a weak solution is card payment: one has to share the payment card details with every single payment terminal, and with magnetic stripe cards, which carry static data, a skimmer in a tampered terminal can copy and replay them.

Sum up - in the pull security model we have to share our identity details (usually some kind of secret) with every single endpoint in the system, even though that endpoint plays the simple role of a service provider. To keep the system secure we have to protect every single endpoint, which makes this solution extremely hard to secure.


As the opposite of the pull security model I want to present the push security model. I will use the same EDUS example to explain how it works.

[diagram: push security model]


In the push security model the most important component is the IDH. It controls the whole process. First it pulls the ID from the SP (the door's ID in our example). Then it pushes a request to the IDA to unlock that door. The IDA processes the request and, based on the result, either sends an unlock request to the SP (only if the user is allowed to unlock that door) or takes no action at all. For this to be safe, the request from the IDH must be bound to the specific door and must be fresh (a nonce or timestamp), otherwise a captured request could be replayed, and the unlock command from the IDA to the SP must be authenticated, otherwise anyone on the network could tell the door to open.
In this model no user secret is shared with the SP. The SP is a simple 'executor': it only does the job it has to do (unlocks a door in our example). The SP still needs its own per-door credential to verify commands from the IDA, but that credential reveals no user secret and can be used for nothing except unlocking that one door.
One can say that in this model we have many more IDHs to protect, but each IDH is protected by definition, as it is something personal with a direct owner who protects it. The IDA can also disable an IDH that has been compromised (we are much more likely to hear about a compromised IDH, for example a lost phone, than about a compromised SP, which has no direct owner).
Of course, in this solution the RFID card CANNOT play the role of the IDH, because it cannot initiate a connection to the IDA. Nowadays the most natural candidate for the IDH is a smartphone.

Sum up - in the push security model the IDH plays the most important role. It connects only to the trusted IDA and is the only component that can initiate an action in the system. The role of the SP is reduced to a simple executor that cannot initiate any action. Users' secret data is shared only with a limited number of trusted IDAs.


Comparison:
In the pull security model there is a huge number of endpoints we have to share our secrets with. Those endpoints can potentially copy our secret data and initiate actions on our behalf.
In the push security model only the IDH can initiate an action, and we share our secrets only with a limited number of trusted IDAs. The price is that the IDA becomes a central, always-online dependency: if it is down or unreachable, nobody can open any door.
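To make the comparison concrete, here is a small simulation of both EDUS designs described above. It is an added example, not code from the post or from any real access control product; the user names, door IDs, card value, keys and access list are all constructed for the demo. In the pull model the reader (SP) must handle the raw card secret, so a tampered reader at one door harvests a secret that opens another door. In the push model the IDH signs a request bound to a door ID and a fresh nonce and sends it only to the IDA, which checks the access list and then sends a per-door authenticated unlock command to the SP; a tampered door sees nothing it can reuse, and a lost IDH is revoked centrally.

```python
# Constructed simulation of the pull and push EDUS designs; not code from the post.
# All names, keys, door IDs and the ACL below are made up for the demo.
import hashlib
import hmac
import secrets

# Constructed access list: who may open which door.
ACL = {"alice": {"door-1", "door-2"}, "bob": {"door-1"}}


def mac(key: bytes, msg: str) -> str:
    """HMAC-SHA256 tag, used on the IDH->IDA and IDA->SP links of the push model."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


# ---- Pull model: the SP reads the card secret and forwards it to the IDA ----
class PullIDA:
    def __init__(self, card_owner):
        self.card_owner = card_owner          # static card secret -> user

    def authorize(self, card_secret, door_id):
        user = self.card_owner.get(card_secret)
        return user is not None and door_id in ACL[user]


class PullSP:
    """Door reader. It must handle the raw card secret, so a tampered reader records it."""
    def __init__(self, door_id, ida, compromised=False):
        self.door_id, self.ida, self.compromised = door_id, ida, compromised
        self.harvested = []                   # what an attacker inside the reader collects

    def present(self, card_secret):
        if self.compromised:
            self.harvested.append(card_secret)
        return self.ida.authorize(card_secret, self.door_id)


def demo_pull():
    alice_card = "card:7a3f90"                # constructed static ID read off the RFID card
    ida = PullIDA({alice_card: "alice"})
    door1 = PullSP("door-1", ida, compromised=True)
    door2 = PullSP("door-2", ida)
    alice_opens = door1.present(alice_card)
    # The attacker replays the harvested secret at an untouched door, and it works.
    replay_opens = door2.present(door1.harvested[0])
    return {"alice_opens_door1": alice_opens, "attacker_opens_door2": replay_opens}


# ---- Push model: the IDH talks only to the IDA, the SP just executes ----
class PushSP:
    """Pure executor: unlocks only on a fresh command authenticated with its per-door key."""
    def __init__(self, door_id, key):
        self.door_id, self.key = door_id, key
        self.used_nonces = set()
        self.observed = []                    # what an attacker inside the door sees

    def command(self, msg, tag):
        self.observed.append((msg, tag))
        action, door_id, nonce = msg.split("|")
        ok = (action == "unlock" and door_id == self.door_id
              and nonce not in self.used_nonces
              and hmac.compare_digest(tag, mac(self.key, msg)))
        if ok:
            self.used_nonces.add(nonce)
        return ok


class PushIDA:
    """Holds the holder keys, the per-door SP keys and the ACL; the only party the IDH talks to."""
    def __init__(self, holder_keys, sps):
        self.holder_keys = holder_keys        # user -> key shared with that user's IDH
        self.sps = {sp.door_id: sp for sp in sps}
        self.seen_nonces = set()

    def revoke(self, user):
        self.holder_keys.pop(user, None)      # a lost or compromised IDH is disabled centrally

    def unlock_request(self, msg, tag):
        user, door_id, nonce = msg.split("|")
        key = self.holder_keys.get(user)
        if key is None or nonce in self.seen_nonces or not hmac.compare_digest(tag, mac(key, msg)):
            return False
        self.seen_nonces.add(nonce)
        if door_id not in ACL.get(user, set()):
            return False                      # not allowed: no command is sent to the SP at all
        sp = self.sps[door_id]
        cmd = f"unlock|{door_id}|{secrets.token_hex(8)}"
        return sp.command(cmd, mac(sp.key, cmd))


class IDH:
    """Smartphone app: reads the door ID from the SP, then pushes a signed request to the IDA."""
    def __init__(self, user, key):
        self.user, self.key = user, key

    def request_unlock(self, sp, ida):
        msg = f"{self.user}|{sp.door_id}|{secrets.token_hex(8)}"  # bound to this door, fresh nonce
        return ida.unlock_request(msg, mac(self.key, msg))


def demo_push():
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    door1 = PushSP("door-1", secrets.token_bytes(32))
    door2 = PushSP("door-2", secrets.token_bytes(32))
    ida = PushIDA({"alice": alice_key, "bob": bob_key}, [door1, door2])
    alice, bob = IDH("alice", alice_key), IDH("bob", bob_key)
    alice_opens = alice.request_unlock(door1, ida)
    bob_opens = bob.request_unlock(door2, ida)  # bob is not on the door-2 ACL: IDA sends nothing
    # An attacker inside door-1 only ever sees IDA->SP commands. Replaying one fails at the
    # same door (nonce already used) and at another door (wrong door ID and wrong key).
    msg, tag = door1.observed[0]
    replay_same, replay_other = door1.command(msg, tag), door2.command(msg, tag)
    ida.revoke("alice")                       # alice's phone is lost: disable her IDH
    alice_after_revoke = alice.request_unlock(door1, ida)
    return {"alice_opens_door1": alice_opens, "bob_opens_door2": bob_opens,
            "replay_at_door1": replay_same, "replay_at_door2": replay_other,
            "alice_after_revoke": alice_after_revoke,
            "sp_saw_user_secret": any("alice" in m or alice_key.hex() in m for m, _ in door1.observed)}
```

Run `demo_pull()` and `demo_push()` to see the difference: in the pull simulation the attacker's replay at door-2 succeeds, while in the push simulation both replays fail, bob's request never reaches door-2, alice's revoked phone is refused, and door-1 never observes anything containing her identity or key.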

From a historical perspective the pull security model was much simpler to implement, as there were no smartphones that could play the IDH role and connect directly to the IDA.
That historical reason explains why the pull security model was implemented in the past.
In my opinion there is no good reason to keep the 'pull security model' anymore - we should replace it with the push security model.
