1 |
dashley |
19 |
%$Header: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_tbg0/c_tbg0.tex,v 1.35 2009/11/01 02:42:55 dashley Exp $
|
2 |
|
|
|
3 |
|
|
\chapter{Technical Background and Decisions}
|
4 |
|
|
|
5 |
|
|
\label{ctbg0}
|
6 |
|
|
|
7 |
|
|
\beginchapterquote{``The purpose of computing is insight, not numbers.''}
|
8 |
|
|
{Richard W. Hamming, 1962}
|
9 |
|
|
|
10 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
11 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
12 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
13 |
|
|
\section{Introduction}
|
14 |
|
|
%Section tag: INT0
|
15 |
|
|
\label{ctbg0:sint0}
|
16 |
|
|
|
17 |
|
|
This chapter provides technical background and describes key
|
18 |
|
|
\emph{\productbasename{}}
|
19 |
|
|
technical
|
20 |
|
|
and design decisions.
|
21 |
|
|
|
22 |
|
|
|
23 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
24 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
25 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
26 |
|
|
\section{Technical Background}
|
27 |
|
|
%Section tag: tbg0
|
28 |
|
|
\label{ctbg0:stbg0}
|
29 |
|
|
|
30 |
|
|
|
31 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
32 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
33 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
34 |
|
|
\subsection{The SHA1 Secure Hash Algorithm}
|
35 |
|
|
%Subsection tag: sha0
|
36 |
|
|
\label{ctbg0:stbg0:ssha0}
|
37 |
|
|
|
38 |
|
|
The SHA1 secure hash algorithm is described by
|
39 |
|
|
\index{RFC 3174}RFC 3174
|
40 |
|
|
(available many places on the Internet). The algorithm maps from
|
41 |
|
|
a block of data of any practical length to a 160-bit hash. The important features of
|
42 |
|
|
the algorithm are described in the executive summary of RFC 3174:
|
43 |
|
|
|
44 |
|
|
\begin{quote}
|
45 |
|
|
\emph{This document specifies a Secure Hash Algorithm, SHA-1, for computing
|
46 |
|
|
a condensed representation of a message or a data file. When a
|
47 |
|
|
message of any length $<$ $2^{64}$ bits is input, the SHA-1 produces a
|
48 |
|
|
160-bit output called a message digest. The message digest can then,
|
49 |
|
|
for example, be input to a signature algorithm which generates or
|
50 |
|
|
verifies the signature for the message. Signing the message digest
|
51 |
|
|
rather than the message often improves the efficiency of the process
|
52 |
|
|
because the message digest is usually much smaller in size than the
|
53 |
|
|
message. The same hash algorithm must be used by the verifier of a
|
54 |
|
|
digital signature as was used by the creator of the digital
|
55 |
|
|
signature. Any change to the message in transit will, with very high
|
56 |
|
|
probability, result in a different message digest, and the signature
|
57 |
|
|
will fail to verify.}
|
58 |
|
|
|
59 |
|
|
\emph{The SHA-1 is called secure because it is computationally infeasible
|
60 |
|
|
to find a message which corresponds to a given message digest, or to
|
61 |
|
|
find two different messages which produce the same message digest.
|
62 |
|
|
Any change to a message in transit will, with very high probability,
|
63 |
|
|
result in a different message digest, and the signature will fail to
|
64 |
|
|
verify.}
|
65 |
|
|
\end{quote}
|
66 |
|
|
|
67 |
|
|
The SHA1 algorithm is used for several purposes within
|
68 |
|
|
\emph{\productbasename{}-\productversion{}}:
|
69 |
|
|
|
70 |
|
|
\begin{itemize}
|
71 |
|
|
\item Rather than storing user passwords plain,
|
72 |
|
|
the standard hash\index{standard hash function} (\S{}\ref{ctbg0:sddc0:sshf0}) of each
|
73 |
|
|
user password is stored. The standard hash is
|
74 |
|
|
based on the SHA1 algorithm. (A hash
|
75 |
|
|
is used because of the non-reversibility---it isn't
|
76 |
|
|
possible to go backwards from the hash to the password.)
|
77 |
|
|
\item Session identifiers (SIDs, \S{}\ref{ctbg0:sdty0:ssid0})
|
78 |
|
|
are based on the SHA1 function. (It isn't possible for
|
79 |
|
|
an attacker to guess the exact form of a SID because of
|
80 |
|
|
the construction of the hash.)
|
81 |
|
|
\item The SHA1 hash is calculated for files stored in the
|
82 |
|
|
file repository, and this information is retained in the
|
83 |
|
|
database record corresponding to the file. This serves
|
84 |
|
|
three purposes:
|
85 |
|
|
|
86 |
|
|
\begin{itemize}
|
87 |
|
|
\item It allows the file to be periodically checked for corruption
|
88 |
|
|
(due to hard disk failure or software defects).
|
89 |
|
|
\item It allows users who upload a file to be sure that it
|
90 |
|
|
was uploaded without corruption.
|
91 |
|
|
\item It allows users who download a file to be sure that
|
92 |
|
|
it was downloaded without corruption.
|
93 |
|
|
\end{itemize}
|
94 |
|
|
\end{itemize}
|
95 |
|
|
|
96 |
|
|
|
97 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
98 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
99 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
100 |
|
|
\section{Data Types}
|
101 |
|
|
%Section tag: dty0
|
102 |
|
|
\label{ctbg0:sdty0}
|
103 |
|
|
|
104 |
|
|
\emph{PHP} has several native data types, including
|
105 |
|
|
integers and strings. \emph{PHP} handles
|
106 |
|
|
strings well, and so ``custom'' data types are
|
107 |
|
|
in most cases most conveniently represented as strings (although
|
108 |
|
|
sometimes arrays of integers, arrays of strings, or some combination
|
109 |
|
|
is most convenient). This section for the
|
110 |
|
|
most part describes the ``custom'' data types
|
111 |
|
|
used in the \emph{\productbasename{}-\productversion{}} software.
|
112 |
|
|
|
113 |
|
|
|
114 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
115 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
116 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
117 |
|
|
\subsection{Hash Key}
|
118 |
|
|
%Subsection tag: thk0
|
119 |
|
|
\label{ctbg0:sdty0:sthk0}
|
120 |
|
|
|
121 |
|
|
\index{hash key}Some of the
|
122 |
|
|
security of \emph{\productbasename{}-\productversion{}} is based
|
123 |
|
|
on an attacker's inability to determine in advance what hash value will
|
124 |
|
|
be paired with data by the \emph{\productbasename{}-\productversion{}}.
|
125 |
|
|
Because the source code of \emph{\productbasename{}-\productversion{}} is
|
126 |
|
|
public, it is necessary to have an element of hash calculation that is not
|
127 |
|
|
known to an attacker.
|
128 |
|
|
|
129 |
|
|
The unknown random element is called the
|
130 |
|
|
\index{hash key}\emph{hash key}. The hash key is a string consisting
|
131 |
|
|
(quite arbitrarily) of printable characters.
|
132 |
|
|
|
133 |
|
|
A reasonable guideline for the length $n$ of the hash key is that it
|
134 |
|
|
should have at least as many possible values as the hash output
|
135 |
|
|
that it influences. Assuming that lower- and upper-case letters
|
136 |
|
|
and digits are used (62 possibilities):
|
137 |
|
|
|
138 |
|
|
\begin{eqnarray}
|
139 |
|
|
\label{eq:ctbg0:sdty0:sthk0:01} 62^n & \geq & 2^{160} \\
|
140 |
|
|
\label{eq:ctbg0:sdty0:sthk0:02} n & \geq & \frac{160 \log 2}{\log 62} \approx 27
|
141 |
|
|
\end{eqnarray}
|
142 |
|
|
|
143 |
|
|
A hash key of 100 characters each chosen from letters and digits
|
144 |
|
|
should thus be more than adequate to prevent attacks.
|
145 |
|
|
|
146 |
|
|
The hash key is most readily generated by the
|
147 |
|
|
\index{hashkeygen@\emph{hashkeygen}}\emph{hashkeygen} program,
|
148 |
|
|
described in \S{}\ref{csco0:ssph0:shkg0} (p. \pageref{csco0:ssph0:shkg0})
|
149 |
|
|
and in \S{}\ref{cist0:scsh0} (p. \pageref{cist0:scsh0}).
|
150 |
|
|
The \emph{hashkeygen} program generates a hash key substantially
|
151 |
|
|
longer than the threshold suggested
|
152 |
|
|
by Eq. \ref{eq:ctbg0:sdty0:sthk0:02} (see
|
153 |
|
|
Fig. \ref{fig:cist0:scsh0:01}, p. \pageref{fig:cist0:scsh0:01}).
|
154 |
|
|
|
155 |
|
|
|
156 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
157 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
158 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
159 |
|
|
\subsection{AUTIME (Augmented Unix Timestamp)}
|
160 |
|
|
%Subsection tag: ati0
|
161 |
|
|
\label{ctbg0:sdty0:sati0}
|
162 |
|
|
|
163 |
|
|
\index{AUTIME}%
|
164 |
|
|
An \emph{augmented Unix timestamp} is a decimal representation of the number of
|
165 |
|
|
seconds since Jan 1, 1900 GMT, and includes a fractional part. Note that for times
|
166 |
|
|
after Jan 1, 1970 GMT, the AUTIME can be formed in a straightforward way from
|
167 |
|
|
the standard Unix time by adding a constant.
|
168 |
|
|
|
169 |
|
|
\begin{figure}
|
170 |
|
|
\centering
|
171 |
|
|
\includegraphics[width=4.6in]{c_tbg0/autimeformat01.eps}
|
172 |
|
|
\caption{Format of AUTIME}
|
173 |
|
|
\label{fig:ctbg0:sdty0:sati0:00}
|
174 |
|
|
\end{figure}
|
175 |
|
|
|
176 |
|
|
Figure \ref{fig:ctbg0:sdty0:sati0:00} illustrates the format of
|
177 |
|
|
an AUTIME\@. An AUTIME is a string consisting
|
178 |
|
|
of exactly 19 characters, with the following
|
179 |
|
|
components.
|
180 |
|
|
|
181 |
|
|
\begin{itemize}
|
182 |
|
|
\item \textbf{Integer seconds since midnight, January 1, 1900 GMT (10 characters):}
|
183 |
|
|
These 10 characters are a decimal integer, zero-padded on the left as
|
184 |
|
|
necessary, that represent the integer seconds since midnight, January 1,
|
185 |
|
|
1900 GMT.
|
186 |
|
|
\item \textbf{Nanoseconds associated with the integer seconds (9 characters):}
|
187 |
|
|
These 9 characters are an integer, zero-padded on the left as
|
188 |
|
|
necessary, that represent the nanoseconds associated with the
|
189 |
|
|
integer seconds since the midnight, January 1, 1900 GMT.
|
190 |
|
|
\end{itemize}
|
191 |
|
|
|
192 |
|
|
\index{leap second}Leap seconds are handled by ignoring them.
|
193 |
|
|
In essence, a ``virtual timespace'' is created where every day is exactly
|
194 |
|
|
86,400 seconds long and leap seconds don't exist. This strategy is
|
195 |
|
|
very similar to the notion of Unix time except that leap seconds are
|
196 |
|
|
avoided. The strategy has these components:
|
197 |
|
|
|
198 |
|
|
\begin{itemize}
|
199 |
|
|
\item Past and future times may be translated into an AUTIME that is
|
200 |
|
|
either ambiguous or non-existent in the presence of leap seconds (this could
|
201 |
|
|
occur only for a time within one second of midnight).
|
202 |
|
|
\item When an AUTIME is obtained from the PHP library functions included with
|
203 |
|
|
\emph{\productbasename{}-\productversion{}}, a time within one
|
204 |
|
|
second of midnight Unix time\footnote{Midnight UTC.} won't be supplied (instead, the
|
205 |
|
|
library function will \index{sleep}sleep or spin-lock
|
206 |
|
|
until the two-second window of vulnerability has passed).
|
207 |
|
|
This behavior is designed to avoid supplying ambiguous times or
|
208 |
|
|
reverse-ordered times.
|
209 |
|
|
\item Time differences calculated using two AUTIMEs may differ from the
|
210 |
|
|
actual time difference by up to the number of leap seconds that
|
211 |
|
|
have occurred between the two AUTIMEs.\footnote{In practice, this
|
212 |
|
|
is a very small error, bounded at several seconds per year.}
|
213 |
|
|
\end{itemize}
|
214 |
|
|
|
215 |
|
|
Note that AUTIMEs as described have the property that the lexical
|
216 |
|
|
string sort order corresponds to the time sort order.
|
217 |
|
|
|
218 |
|
|
The calendaring range of an AUTIME spans:
|
219 |
|
|
|
220 |
|
|
\begin{itemize}
|
221 |
|
|
\item Midnight on January 1, 1900, GMT, \emph{through}
|
222 |
|
|
\item One nanosecond before midnight on January 1, 2200, UTC.
|
223 |
|
|
\end{itemize}
|
224 |
|
|
|
225 |
|
|
\noindent{}The calendaring range was chosen to allow the representation of
|
226 |
|
|
past events (such as birthdays), but also to allow dates substantially
|
227 |
|
|
in the future.
|
228 |
|
|
|
229 |
|
|
In addition, the following values are reserved.
|
230 |
|
|
In each of the descriptions below, each ``X'' character
|
231 |
|
|
signifies a ``don't care'' (the ``X'' characters
|
232 |
|
|
are ignored in comparisons).
|
233 |
|
|
|
234 |
|
|
\begin{itemize}
|
235 |
|
|
\item \emph{9999999996XXXXXXXXX} is reserved to
|
236 |
|
|
indicate an underflow result, i.e. a time
|
237 |
|
|
before January 1, 1900, GMT.
|
238 |
|
|
\item \emph{9999999997XXXXXXXXX} is reserved to
|
239 |
|
|
indicate an overflow result, i.e. a time
|
240 |
|
|
after one nanosecond before
|
241 |
|
|
January 1, 1200, UTC.
|
242 |
|
|
\item \emph{9999999998XXXXXXXXX} is reserved to
|
243 |
|
|
indicate an indeterminate time, i.e. the
|
244 |
|
|
time can't be reliably determined.
|
245 |
|
|
\item \emph{9999999999XXXXXXXXX} is reserved to
|
246 |
|
|
indicate an otherwise unspecified error.
|
247 |
|
|
\item Values corresponding to a time of at least
|
248 |
|
|
midnight, January 1, 2200, UTC but less than
|
249 |
|
|
\emph{9999999996XXXXXXXXX} are treated
|
250 |
|
|
as \emph{9999999999XXXXXXXXX}. These
|
251 |
|
|
values should never occur in practice as the
|
252 |
|
|
date arithmetic functions should not allow these
|
253 |
|
|
values to be calculated as output.
|
254 |
|
|
\end{itemize}
|
255 |
|
|
|
256 |
|
|
Note that the AUTIME format can be used for values that:
|
257 |
|
|
|
258 |
|
|
\begin{itemize}
|
259 |
|
|
\item Are used as part of generating a unique or random data value
|
260 |
|
|
(see, for example, \S{}\ref{ctbg0:sdty0:ssgu0}).
|
261 |
|
|
\item Are used to determine elapsed time.
|
262 |
|
|
\end{itemize}
|
263 |
|
|
|
264 |
|
|
|
265 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
266 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
267 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
268 |
|
|
\subsection{AUTIMEIP (Augmented Unix Timestamp Integer Pair)}
|
269 |
|
|
%Subsection tag: ati2
|
270 |
|
|
\label{ctbg0:sdty0:sati2}
|
271 |
|
|
|
272 |
|
|
\index{AUTIMEIP}The string representation of an AUTIME is most convenient for
|
273 |
|
|
string manipulation in \emph{PHP}. However, for manipulation
|
274 |
|
|
in \emph{MySQL} and in CGI-BIN programs it may be more efficient to
|
275 |
|
|
represent the AUTIME as a pair of integers; one for the whole seconds
|
276 |
|
|
and one for the fractional nanoseconds. This represesentation as a pair
|
277 |
|
|
of integers is the AUTIMEIP data type.
|
278 |
|
|
|
279 |
|
|
As of January 1, 2200, there will have been approximately
|
280 |
|
|
9,467,280,000 seconds since January 1, 1900. The whole number
|
281 |
|
|
of seconds requires 34 bits to represent, and so this is compatible
|
282 |
|
|
with the \emph{MySQL} \emph{bigint} data type (but incompatible with
|
283 |
|
|
native \emph{PHP} integers with \emph{PHP} version 4.X on 32-bit
|
284 |
|
|
platforms).
|
285 |
|
|
|
286 |
|
|
The number of fractional nanoseconds $n$ always meets the
|
287 |
|
|
constraint $0 \leq n \leq 999,999,999$ and thus requires
|
288 |
|
|
30 bits to represent. This integer is compatible with
|
289 |
|
|
the \emph{MySQL} \emph{int} data type and with \emph{PHP}
|
290 |
|
|
integers.
|
291 |
|
|
|
292 |
|
|
An AUTIMEIP may be represented in the following ways:
|
293 |
|
|
|
294 |
|
|
\begin{itemize}
|
295 |
|
|
\item A \emph{bigint}/\emph{int} pair in \emph{MySQL}.
|
296 |
|
|
\item A 64-bit/32-bit integer pair in a compiled C program.
|
297 |
|
|
\item A string/integer pair in \emph{PHP}, where the string
|
298 |
|
|
is manipulated using \emph{bcmath} and the integer
|
299 |
|
|
is manipulated as provided for in the language.
|
300 |
|
|
\end{itemize}
|
301 |
|
|
|
302 |
|
|
The exception values as described in \S{}\ref{ctbg0:sdty0:sati0}
|
303 |
|
|
also apply to AUTIMEIP values.
|
304 |
|
|
|
305 |
|
|
|
306 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
307 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
308 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
309 |
|
|
\subsection{AUTIMEI (Augmented Unix Timestamp Integer)}
|
310 |
|
|
%Subsection tag: ati3
|
311 |
|
|
\label{ctbg0:sdty0:sati3}
|
312 |
|
|
|
313 |
|
|
\index{AUTIMEI}On January 1, 2200 UTC, the number of nanoseconds since
|
314 |
|
|
midnight January 1, 1900 GMT will be approximately
|
315 |
|
|
$9.4673 \times 10^{18}$, requiring
|
316 |
|
|
64 bits to represent. The integer representation of
|
317 |
|
|
the number of nanoseconds since midnight January 1, 1900
|
318 |
|
|
is the AUTIMEI data type.
|
319 |
|
|
|
320 |
|
|
Note that the AUTIMEI data type cannot be represented in a
|
321 |
|
|
\emph{MySQL} \emph{bigint}, as a \emph{MySQL} \emph{bigint}
|
322 |
|
|
can represent values only from $-2^{63}$ through $2^{63}-1$.
|
323 |
|
|
|
324 |
|
|
The AUTIMEI data type can often be represented in an integer
|
325 |
|
|
in the C programming langauge, as implementations often provide
|
326 |
|
|
for unsigned 64-bit integers.
|
327 |
|
|
|
328 |
|
|
The exception values as described in \S{}\ref{ctbg0:sdty0:sati0}
|
329 |
|
|
also apply to AUTIMEIP values.
|
330 |
|
|
|
331 |
|
|
|
332 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
333 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
334 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
335 |
|
|
\subsection{AUTIMELP (Augmented Unix Timestamp, Low Precision)}
|
336 |
|
|
%Subsection tag: ati1
|
337 |
|
|
\label{ctbg0:sdty0:sati1}
|
338 |
|
|
|
339 |
|
|
\index{AUTIMELP}The augmented Unix time is also manipulated in the
|
340 |
|
|
software without the fractional part. Such values are used where
|
341 |
|
|
a precision of one second is adequate.
|
342 |
|
|
|
343 |
|
|
An AUTIMELP is a string of exactly 10 characters.
|
344 |
|
|
The ranges and exception values specified in
|
345 |
|
|
\S{}\ref{ctbg0:sdty0:sati1} apply.
|
346 |
|
|
|
347 |
|
|
|
348 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
349 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
350 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
351 |
|
|
\subsection{UBDT (Unbound Date)}
|
352 |
|
|
%Subsection tag: ubd0
|
353 |
|
|
\label{ctbg0:sdty0:subd0}
|
354 |
|
|
|
355 |
|
|
It is occasionally desirable to specify a date in a context where a narrow
|
356 |
|
|
or unique mark or range in time isn't important or can't be determined.
|
357 |
|
|
An example would be
|
358 |
|
|
a birthday---a birthday alone gives no indication of the global time zone
|
359 |
|
|
where the person was born (and hence the range of times
|
360 |
|
|
potentially represented by the date
|
361 |
|
|
would be interpreted differently at different global locations).
|
362 |
|
|
|
363 |
|
|
These vague dates are called \index{unbound date}\emph{unbound dates}.
|
364 |
|
|
|
365 |
|
|
Unbound dates are in general unsuitable for most applications within
|
366 |
|
|
\emph{\productbasename{}-\productversion{}}\@. Even software release dates
|
367 |
|
|
are best maintained as AUTIMEs---for example, a software release on a
|
368 |
|
|
certain date in the U.S.
|
369 |
|
|
might be best thought of as occurring on the following day in Europe.
|
370 |
|
|
|
371 |
|
|
Unbound dates are always represented within the
|
372 |
|
|
\emph{\productbasename{}-\productversion{}} software in the form
|
373 |
|
|
\emph{YYYYMMDD}, and may range from 19000101 to
|
374 |
|
|
21991231, inclusive.
|
375 |
|
|
|
376 |
|
|
The value \emph{00000000} is used to represent an underflow (date before January
|
377 |
|
|
1, 1900), the value \emph{99999999} is used to represent an overflow (date
|
378 |
|
|
after December 31, 2199), and the value \emph{--------} is used to represent
|
379 |
|
|
any other type of error.
|
380 |
|
|
|
381 |
|
|
The \emph{PHP} library files in \emph{\productbasename{}-\productversion{}}
|
382 |
|
|
include functions to perform calculations with unbound dates.
|
383 |
|
|
|
384 |
|
|
|
385 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
386 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
387 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
388 |
|
|
\subsection{SGUID (Server Globally-Unique Identifier)}
|
389 |
|
|
%Subsection tag: sgu0
|
390 |
|
|
\label{ctbg0:sdty0:ssgu0}
|
391 |
|
|
|
392 |
|
|
It is necessary or helpful in some contexts to have a way to create an
|
393 |
|
|
identifier that is guaranteed to occur no more often than once in the lifetime
|
394 |
|
|
of the server. \emph{MySQL} can be used to create such identifiers, and there
|
395 |
|
|
are also methods based on file and IPC semantics that can be used.
|
396 |
|
|
|
397 |
|
|
The method used in the software is a \index{spin lock}spin lock on a precision
|
398 |
|
|
timestamp; and the timestamp is concatenated with the PID. The method works
|
399 |
|
|
because:
|
400 |
|
|
|
401 |
|
|
\begin{itemize}
|
402 |
|
|
\item A single process (by virtue of the spin lock) can't generate the same
|
403 |
|
|
precision timestamp twice.
|
404 |
|
|
\item No two processes can have the same PID at the same time.
|
405 |
|
|
\end{itemize}
|
406 |
|
|
|
407 |
|
|
\begin{figure}
|
408 |
|
|
\centering
|
409 |
|
|
\includegraphics[width=4.6in]{c_tbg0/sguidformat01.eps}
|
410 |
|
|
\caption{Format of SGUID}
|
411 |
|
|
\label{fig:ctbg0:sdty0:ssgu0:00}
|
412 |
|
|
\end{figure}
|
413 |
|
|
|
414 |
|
|
Figure \ref{fig:ctbg0:sdty0:ssgu0:00} illustrates the format of
|
415 |
|
|
an SGUID. An SGUID consists of 29 characters, with the following
|
416 |
|
|
components.
|
417 |
|
|
|
418 |
|
|
\begin{itemize}
|
419 |
|
|
\item \textbf{Integer seconds since the January 1, 1900 GMT (10 characters):}
|
420 |
|
|
These 10 characters are an integer, zero-padded on the left as
|
421 |
|
|
necessary, that represent the integer seconds since January 1, 1900
|
422 |
|
|
GMT.\footnote{Note that 10 digits comfortably solves the Unix
|
423 |
|
|
2037 A.D. issue, as this will guarantee SGUIDs
|
424 |
|
|
beyond 2200 A.D.}
|
425 |
|
|
\item \textbf{Nanoseconds associated with the integer seconds (9 characters):}
|
426 |
|
|
These 9 characters are an integer, zero-padded on the left as
|
427 |
|
|
necessary, that represent the nanoseconds associated with the
|
428 |
|
|
integer seconds since January 1, 1900,
|
429 |
|
|
GMT.\footnote{As of this writing, Linux provides time to a resolution
|
430 |
|
|
of microseconds. It is anticipated that a resolution of nanoseconds will
|
431 |
|
|
accommodate any hardware speed advances in the foreseeable future, as typical
|
432 |
|
|
hardware gate propagation delays are on the order of several nanoseconds.}
|
433 |
|
|
\item \textbf{PID (10 characters):}
|
434 |
|
|
These 10 characters are an integer, zero-padded on the left as
|
435 |
|
|
necessary, that represent Unix PID expressed
|
436 |
|
|
as a decimal number.\footnote{As of this writing, PIDs are 16 bits only.
|
437 |
|
|
However, it seems inevitable that PIDs will be expanded to 24 or 32 bits in the
|
438 |
|
|
future.}
|
439 |
|
|
\end{itemize}
|
440 |
|
|
|
441 |
|
|
Note that SGUIDs as described have a very important property in addition to
|
442 |
|
|
guaranteed uniqueness---the lexical
|
443 |
|
|
string sort order corresponds to the time sort order.
|
444 |
|
|
|
445 |
|
|
Two sample applications of SGUIDs are:
|
446 |
|
|
|
447 |
|
|
\begin{itemize}
|
448 |
|
|
\item The basis for a session identifier (guaranteed unique).
|
449 |
|
|
\item A field in a database record to detect browser editing collisions---when a record
|
450 |
|
|
is modified and a new SGUID is assigned to the record, it is \emph{guaranteed}
|
451 |
|
|
not to be the same as the previous SGUID, and thus detection of the editing collision
|
452 |
|
|
is guaranteed.
|
453 |
|
|
\end{itemize}
|
454 |
|
|
|
455 |
|
|
|
456 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
457 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
458 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
459 |
|
|
\subsection{SID (Session Identifier)}
|
460 |
|
|
%Subsection tag: sid0
|
461 |
|
|
\label{ctbg0:sdty0:ssid0}
|
462 |
|
|
|
463 |
|
|
A \index{session identifier}session identifier (\index{SID}SID) is a
|
464 |
|
|
string consisting of exactly 69 characters used to uniquely
|
465 |
|
|
identify a session (Figure \ref{fig:ctbg0:sdty0:ssid0:00}).
|
466 |
|
|
|
467 |
|
|
\begin{figure}
|
468 |
|
|
\centering
|
469 |
|
|
\includegraphics[width=4.6in]{c_tbg0/sidformat01.eps}
|
470 |
|
|
\caption{Format of SID}
|
471 |
|
|
\label{fig:ctbg0:sdty0:ssid0:00}
|
472 |
|
|
\end{figure}
|
473 |
|
|
|
474 |
|
|
The first part of the SID is a SGUID
|
475 |
|
|
(\S{}\ref{ctbg0:sdty0:ssgu0}). The second part of a SID is
|
476 |
|
|
the system hash function of the SGUID. The SGUID portion is guaranteed to
|
477 |
|
|
be unique (this is a defining property of an SGUID),
|
478 |
|
|
and so each SID is unique within the first 29 characters.
|
479 |
|
|
The SHA1 hash appended to the SGUID is designed to eliminate an attacker's
|
480 |
|
|
ability to construct a valid SID. It may be possible to guess an SGUID based
|
481 |
|
|
on server characteristics; but it should not be possible to guess the corresponding
|
482 |
|
|
hash (this is a defining property of the system hash function).
|
483 |
|
|
|
484 |
|
|
At the time a user logs in (either as a user or a guest), the SID is created
|
485 |
|
|
and provided to the browser as a cookie.
|
486 |
|
|
|
487 |
|
|
The session state changes that occur as \emph{\productbasename{}-\productversion{}}
|
488 |
|
|
is used are all stored on the server side. The advantages of this approach
|
489 |
|
|
are:
|
490 |
|
|
|
491 |
|
|
\begin{itemize}
|
492 |
|
|
\item Only one cookie of a very short length is stored in the client's browser.
|
493 |
|
|
This approach meets the RFC 2109 constraints and is also suitable
|
494 |
|
|
for mobile devices.
|
495 |
|
|
\item An attacker's ability to gather information about the internal workings
|
496 |
|
|
of \emph{\productbasename{}-\productversion{}} by
|
497 |
|
|
observing cookie reassignments is severely limited
|
498 |
|
|
(nothing except the SID is exposed, and exposed only once per session).
|
499 |
|
|
\item An attacker's ability to tamper with cookies is eliminated (only one
|
500 |
|
|
cookie is provided, and it is tamper-proof).
|
501 |
|
|
\end{itemize}
|
502 |
|
|
|
503 |
|
|
|
504 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
505 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
506 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
507 |
|
|
\section{Database Design Decisions and Discussion}
|
508 |
|
|
%Section tag: ddd0
|
509 |
|
|
\label{ctbg0:sddd0}
|
510 |
|
|
|
511 |
|
|
|
512 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
513 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
514 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
515 |
|
|
\subsection{Global Scope Naming Conventions}
|
516 |
|
|
%Subsection tag: gsn0
|
517 |
|
|
\label{ctbg0:sddd0:sgsn0}
|
518 |
|
|
|
519 |
|
|
In certain of the database tables and in certain other
|
520 |
|
|
contexts, a global naming convention is used rather than
|
521 |
|
|
further indexing information by application and page. (For
|
522 |
|
|
example, the \emph{upns} and \emph{stns} tables in
|
523 |
|
|
\S{}\ref{ctbg0:sddd0:scfn0}, Figure
|
524 |
|
|
\ref{fig:ctbg0:sddd0:scfn0:spga0:00}, p.
|
525 |
|
|
\pageref{fig:ctbg0:sddd0:scfn0:spga0:00}.)
|
526 |
|
|
|
527 |
|
|
The conventions are quite loose, and simply consist of assigning names
|
528 |
|
|
that suggest, in order, the application, then the page, then the
|
529 |
|
|
variable within the page.
|
530 |
|
|
If this convention is followed, applications and pages can easily
|
531 |
|
|
query for all the database records that affect them by using the
|
532 |
|
|
SQL \emph{like} clause.\footnote{It was verified that \emph{MySQL} will
|
533 |
|
|
perform such a query nearly instantly even with a million records, so long
|
534 |
|
|
as the column involved in the query is indexed and so long as the wildcard
|
535 |
|
|
part of the name is at the end.}
|
536 |
|
|
|
537 |
|
|
For example, a \emph{MySQL} query of the form\\\\
|
538 |
|
|
\texttt{SELECT * FROM tablename\\WHERE columnname LIKE 'APP\_\%' ORDER BY columnname;}\\\\
|
539 |
|
|
will very efficiently extract all records whose value in a column
|
540 |
|
|
begins with ``APP\_'', so long as the column is indexed.
|
541 |
|
|
|
542 |
|
|
Using these naming conventions, it is also possible to simulate arrays. For
|
543 |
|
|
example, a variable named\\\\
|
544 |
|
|
\texttt{APP\_EMPCOST\_PG\_RECORDDISPLAY\_EMP\_HRS\_000029\_000042}\\\\
|
545 |
|
|
might be used to represent row 29 and column 42 of the underlying variable.
|
546 |
|
|
|
547 |
|
|
|
548 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
549 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
550 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
551 |
|
|
\subsection{\emph{MySQL} Database Locking}
|
552 |
|
|
%Subsection tag: mdl0
|
553 |
|
|
\label{ctbg0:sddd0:smdl0}
|
554 |
|
|
|
555 |
|
|
The design of \emph{\productbasename{}-\productversion{}} includes
|
556 |
|
|
many tables and complex relations. In order to ensure database
|
557 |
|
|
consistency, it is necessary to ensure atomicity of operations.
|
558 |
|
|
|
559 |
|
|
The approach taken to serialize database access is:
|
560 |
|
|
|
561 |
|
|
\begin{itemize}
|
562 |
|
|
\item Serialization is accomplished via the SQL \emph{LOCK TABLES}
|
563 |
|
|
and \emph{UNLOCK TABLES} statements.
|
564 |
|
|
|
565 |
|
|
\begin{itemize}
|
566 |
|
|
\item At the start of the critical section, \emph{all} tables existing
|
567 |
|
|
in the database are locked via a single \emph{LOCK TABLES}
|
568 |
|
|
statement.\footnote{It was determined via newsgroup posts
|
569 |
|
|
that the practical limit on the number of tables that can
|
570 |
|
|
be locked in a single SQL statement is much higher---probably
|
571 |
|
|
thousands of tables---than will be encountered in practice in
|
572 |
|
|
this product. As a fallback position if locking all tables
|
573 |
|
|
proves impossible, the \emph{GET\_LOCK()}
|
574 |
|
|
function and its companion function can be used. \emph{GET\_LOCK()}
|
575 |
|
|
isn't the first choice because the name is server-global rather
|
576 |
|
|
than database global, and malicious code (in another database
|
577 |
|
|
application) could cause denial of service. Additionally, it has
|
578 |
|
|
been verified that this method handles all the important scenarios
|
579 |
|
|
such as ordinary contention, dying processes, a process that
|
580 |
|
|
terminates without releasing the lock, etc.}
|
581 |
|
|
\item At the end of the critical section, a single \emph{UNLOCK TABLES}
|
582 |
|
|
statement is executed.
|
583 |
|
|
\end{itemize}
|
584 |
|
|
\item Maintenance scripts that run hot will be written to lock and unlock so that
|
585 |
|
|
if there is collision with a web page, the web page will be delayed for only
|
586 |
|
|
a small amount of time.
|
587 |
|
|
\item A recursive locking protocol is employed in the software to simplify the case
|
588 |
|
|
of a critical section occurring within a critical section. (This ensures
|
589 |
|
|
in an orderly way
|
590 |
|
|
that large-scope critical sections are not compromised by small-scope critical
|
591 |
|
|
sections.)
|
592 |
|
|
\end{itemize}
|
593 |
|
|
|
594 |
|
|
|
595 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
596 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
597 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
598 |
|
|
\subsection{File Repository Organization}
|
599 |
|
|
%Subsection tag: fro0
|
600 |
|
|
\label{ctbg0:sddd0:sfro0}
|
601 |
|
|
|
602 |
|
|
The \emph{\productbasename{}} software needs to maintain user-uploaded
|
603 |
|
|
files in conjunction with a
|
604 |
|
|
database. All such files are aggregated into one structure
|
605 |
|
|
called the \emph{file repository}.\index{file repository}
|
606 |
|
|
|
607 |
|
|
In the type of file repository described here, each file in the repository
|
608 |
|
|
has a corresponding database record containing a unique integer index. These indices
|
609 |
|
|
are assigned automatically by \emph{MySQL} and are assigned sequentially
|
610 |
|
|
as files are added (i.e. ``1'', ``2'', ``3'', etc.).
|
611 |
|
|
|
612 |
|
|
Although
|
613 |
|
|
\emph{MySQL} has the capability to store files directly as part of
|
614 |
|
|
the database, the files are stored as distinct files directly
|
615 |
|
|
under the operating system for the following
|
616 |
|
|
reasons:
|
617 |
|
|
|
618 |
|
|
\begin{itemize}
|
619 |
|
|
\item The upper limit for the size of the individual and collective
|
620 |
|
|
files stored directly in
|
621 |
|
|
\emph{MySQL} is not known or trusted. (The behavior of
|
622 |
|
|
the *nix filesystem, on the other hand, is well-understood
|
623 |
|
|
and trusted.)
|
624 |
|
|
\item The ability to split the file repository across multiple
|
625 |
|
|
volumes (for disk capacity reasons) via symlinks must
|
626 |
|
|
be preserved.
|
627 |
|
|
\item In the event of \emph{MySQL} database corruption, the files must still
|
628 |
|
|
be easily recoverable. This constraint would not be met if the
|
629 |
|
|
files were stored directly in \emph{MySQL}.
|
630 |
|
|
\item If incremental backups are used, it is known that \emph{MySQL} tends
|
631 |
|
|
to cause an entire table of files to be backed up (this can be tens
|
632 |
|
|
or hundreds of megabytes or more), whereas an approach relying on discrete
|
633 |
|
|
files will cause only the new or modified files to be incrementally
|
634 |
|
|
backed up.
|
635 |
|
|
\end{itemize}
|
636 |
|
|
|
637 |
|
|
The following constraints and design goals for the file repository exist:
|
638 |
|
|
|
639 |
|
|
\begin{itemize}
|
640 |
|
|
\item The differential growth of disk consumption due to overhead (such as
|
641 |
|
|
directory creation) as files are added
|
642 |
|
|
should not be excessive under the assumption that indices grow linearly.
|
643 |
|
|
\item It is known that *nix systems begin to experience performance issues
|
644 |
|
|
when directories contain more than about 200 files or subdirectories (due to
|
645 |
|
|
the linear search). Any solution should not place more than about 200 files
|
646 |
|
|
or subdirectories in a directory.
|
647 |
|
|
\item The solution should facilitate symlinking to split the file
|
648 |
|
|
repository across multiple volumes.
|
649 |
|
|
\item The solution must accommodate logical indices as large as $2^{64}-1$.\footnote{This design
|
650 |
|
|
goal applies because \emph{MySQL} allows 64-bit integers to be used as the primary
|
651 |
|
|
key for database tables.}
|
652 |
|
|
\item The solution must allow files to be aged out or deleted
|
653 |
|
|
randomly with respect to the integer indices (to comply with records retention
|
654 |
|
|
policies, because they are removed from the repository, or for other reasons).
|
655 |
|
|
\end{itemize}
|
656 |
|
|
|
657 |
|
|
In order to accommodate the constraints, files are stored in a directory structure
|
658 |
|
|
based on prime moduli of the database integer index $n$.
|
659 |
|
|
The lowest level of the directory structure contains a single
|
660 |
|
|
file per directory, with the lowest-level directory named being the
|
661 |
|
|
decimal representation of the
|
662 |
|
|
integer index $n$.
|
663 |
|
|
|
664 |
|
|
The definining equations for the directory path components are supplied below.
|
665 |
|
|
|
666 |
|
|
\begin{eqnarray}
|
667 |
|
|
\label{eq:ctbg0:sddd0:sfro0:00} d & = & 160 \\
|
668 |
|
|
\label{eq:ctbg0:sddd0:sfro0:01} c_0 & = & \lfloor n / d \rfloor \bmod 7 \\
|
669 |
|
|
\label{eq:ctbg0:sddd0:sfro0:02} c_1 & = & \lfloor n / d \rfloor \bmod 11 \\
|
670 |
|
|
\label{eq:ctbg0:sddd0:sfro0:03} c_2 & = & \lfloor n / d \rfloor \bmod 13 \\
|
671 |
|
|
\label{eq:ctbg0:sddd0:sfro0:04} c_3 & = & \lfloor n / d \rfloor \bmod 89 \\
|
672 |
|
|
\label{eq:ctbg0:sddd0:sfro0:05} c_4 & = & \lfloor n / d \rfloor \bmod 97 \\
|
673 |
|
|
\label{eq:ctbg0:sddd0:sfro0:06} c_5 & = & \lfloor n / d \rfloor \bmod 101 \\
|
674 |
|
|
\label{eq:ctbg0:sddd0:sfro0:07} c_6 & = & \lfloor n / d \rfloor \bmod 103 \\
|
675 |
|
|
\label{eq:ctbg0:sddd0:sfro0:08} c_7 & = & \lfloor n / d \rfloor \bmod 107 \\
|
676 |
|
|
\label{eq:ctbg0:sddd0:sfro0:09} c_8 & = & \lfloor n / d \rfloor \bmod 109 \\
|
677 |
|
|
\label{eq:ctbg0:sddd0:sfro0:10} c_9 & = & \lfloor n / d \rfloor \bmod 113
|
678 |
|
|
\end{eqnarray}
|
679 |
|
|
|
680 |
|
|
With reference to (\ref{eq:ctbg0:sddd0:sfro0:01})
|
681 |
|
|
through (\ref{eq:ctbg0:sddd0:sfro0:10}), the relative path within a file repository
|
682 |
|
|
to the directory containing a file with database index $n$ is\\
|
683 |
|
|
``$c_0$/$c_1$/$c_2$/$c_3$/$c_4$/$c_5$/$c_6$/$c_7$/$c_8$/$c_9$/$n$''\@.
|
684 |
|
|
Each path component $c_i$ and $n$ is the traditional human-friendly variable-length
|
685 |
|
|
representation:
|
686 |
|
|
for example, ``3'', ``25'', ```111', or ``36237456726''.
|
687 |
|
|
|
688 |
|
|
Note that the storage scheme proposed will handle indices
|
689 |
|
|
as large as $2^{64}-1$, i.e.
|
690 |
|
|
|
691 |
|
|
\begin{equation}
|
692 |
|
|
\label{eq:ctbg0:sddd0:sfro0:20}
|
693 |
|
|
d \times c_0 \times c_1 \times c_2 \times c_3 \times c_4
|
694 |
|
|
\times c_5 \times c_6 \times c_7 \times c_8 \times c_9 > 2^{64} - 1 .
|
695 |
|
|
\end{equation}
|
696 |
|
|
|
697 |
|
|
Note also that the first three
|
698 |
|
|
components ($c_0$, $c_1$, and $c_2$) are small and chosen for
|
699 |
|
|
convenient symlinking, whereas the last seven components ($c_3$ through $c_9$)
|
700 |
|
|
are chosen to increase the product rapidly while staying clear of the
|
701 |
|
|
*nix performance limit of approximately 200 entries per directory.
|
702 |
|
|
|
703 |
|
|
Two properties of the storage scheme proposed by (\ref{eq:ctbg0:sddd0:sfro0:01})
|
704 |
|
|
through (\ref{eq:ctbg0:sddd0:sfro0:10}) may require further explanation.
|
705 |
|
|
|
706 |
|
|
\begin{itemize}
|
707 |
|
|
\item The differential cost of storing a file in the repository is
|
708 |
|
|
approximately the file size (with operating system overhead)
|
709 |
|
|
plus approximately 1.0625 directories. This comes about because
|
710 |
|
|
every file requires its own directory, and because
|
711 |
|
|
every 160 files, 10 directories must be created.
|
712 |
|
|
\item If the index $n$ increases linearly, the number of files stored in
|
713 |
|
|
each directory (especially at the top levels) will be approximately
|
714 |
|
|
equal. (The reason for this is the coprimality of the divisors
|
715 |
|
|
used. The necessary proof comes from number theory, and isn't
|
716 |
|
|
included here.) This means that symlinking at the top levels will be
|
717 |
|
|
effective in evenly dividing storage requirements.
|
718 |
|
|
\end{itemize}
|
719 |
|
|
|
720 |
|
|
|
721 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
722 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
723 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
724 |
|
|
\subsection{Database Design to Support Core Functionality}
|
725 |
|
|
%Subsection tag: cfn0
|
726 |
|
|
\label{ctbg0:sddd0:scfn0}
|
727 |
|
|
|
728 |
|
|
The core functionality as described in Chapter \ref{ccfn0} consists of:
|
729 |
|
|
|
730 |
|
|
\begin{itemize}
|
731 |
|
|
\item Site navigation (\S{}\ref{ccfn0:ssng0}).
|
732 |
|
|
\item Authentication and login (\S{}\ref{ccfn0:salg0}).
|
733 |
|
|
\item Permission groups and attributes (\S{}\ref{ccfn0:sgra0}).
|
734 |
|
|
\item Notification (\S{}\ref{ccfn0:snot0}).
|
735 |
|
|
\item Action list (\S{}\ref{ccfn0:sacl0}).
|
736 |
|
|
\item Logging (\S{}\ref{ccfn0:slog0}).
|
737 |
|
|
\end{itemize}
|
738 |
|
|
|
739 |
|
|
Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00} provides an overview of the
|
740 |
|
|
tables involved in implementing the core functionality. In the figure,
|
741 |
|
|
for efficiency, note that three of the most frequently
|
742 |
|
|
used read-only tables (\emph{applications}, \emph{pages},
|
743 |
|
|
and \emph{navlines}) are implemented as lookup tables in
|
744 |
|
|
\emph{PHP} rather than
|
745 |
|
|
as \emph{MySQL} tables.\footnote{Presumably, the \emph{PHP}
|
746 |
|
|
interpreter parsing these tables is far more efficient than executing
|
747 |
|
|
an SQL query and processing the results.}
|
748 |
|
|
|
749 |
|
|
\begin{figure}
|
750 |
|
|
\centering
|
751 |
|
|
\includegraphics[width=4.6in]{c_tbg0/dbdesign01.eps}
|
752 |
|
|
\caption{User, Permission Group, Application, and Page Database Design}
|
753 |
|
|
\label{fig:ctbg0:sddd0:scfn0:spga0:00}
|
754 |
|
|
\end{figure}
|
755 |
|
|
|
756 |
|
|
|
757 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
758 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
759 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
760 |
|
|
\subsubsection{Users and Tokens}
|
761 |
|
|
%Subsubsection tag: utk0
|
762 |
|
|
\label{ctbg0:sddd0:scfn0:sutk0}
|
763 |
|
|
|
764 |
|
|
The database design includes a table of users (the \emph{users} table
|
765 |
|
|
in Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}). Each user who can log
|
766 |
|
|
in to the system has one record in this table. As mentioned
|
767 |
|
|
in \S{}????, each user always logs in using a userid that
|
768 |
|
|
represents the user---there
|
769 |
|
|
are no userids used solely for administration.
|
770 |
|
|
|
771 |
|
|
The \emph{users} table
|
772 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}) is related 1:1 with the
|
773 |
|
|
\emph{tokens} table.
|
774 |
|
|
Each user is optionally assigned a cryptographic token to use in
|
775 |
|
|
authenticating. Token assignment is on a per-user
|
776 |
|
|
basis, so that \emph{\productbasename{}-\productversion{}} will support:
|
777 |
|
|
|
778 |
|
|
\begin{itemize}
|
779 |
|
|
\item No users authenticating using cryptographic tokens.
|
780 |
|
|
\item Some users authenticating with cryptographic tokens, and some authenticating
|
781 |
|
|
without cryptographic tokens.
|
782 |
|
|
\item All users authenticating with cryptographic tokens.
|
783 |
|
|
\end{itemize}
|
784 |
|
|
|
785 |
|
|
|
786 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
787 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
788 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
789 |
|
|
\subsubsection{User Permission Attributes}
|
790 |
|
|
%Subsubsection tag: pga0
|
791 |
|
|
\label{ctbg0:sddd0:scfn0:spga0}
|
792 |
|
|
|
793 |
|
|
Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00} shows that the \emph{users} and
|
794 |
|
|
\emph{upermattrs} tables are related by the \emph{userupermattrs} table, providing
|
795 |
|
|
an $\infty{}:\infty{}$ mapping.
|
796 |
|
|
|
797 |
|
|
Each record in the \emph{userupermattrs} table also carries with it an
|
798 |
|
|
optional string. Such as string is interpreted as a user-specific value of the
|
799 |
|
|
related record in the \emph{upermattrs} table. As a
|
800 |
|
|
contrived example, one user may have
|
801 |
|
|
a value of MAX\_LOGINS of 2, and another user may have a value of 5.
|
802 |
|
|
|
803 |
|
|
If the optional string in the \emph{userupermattrs} table is the empty string,
|
804 |
|
|
then the $\infty{}:\infty{}$ relation effectively specifies a named set
|
805 |
|
|
of users. Such named sets are typically used to control user permissions
|
806 |
|
|
in a fine-grained way---a given group may contain the users who can add
|
807 |
|
|
products to the \emph{products} table, for example.
|
808 |
|
|
|
809 |
|
|
|
810 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
811 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
812 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
813 |
|
|
\subsubsection{User Persistent Named State}
|
814 |
|
|
%Subsubsection tag: upn0
|
815 |
|
|
\label{ctbg0:sddd0:scfn0:supn0}
|
816 |
|
|
|
817 |
|
|
User permission attributes do not change as the result of ordinary usage of
|
818 |
|
|
the \emph{\productbasename{}-\productversion{}} system. Although
|
819 |
|
|
user permission attributes can be modified, this is an administrative action
|
820 |
|
|
and does not happen often.
|
821 |
|
|
|
822 |
|
|
For state bound to a user which may change often, the
|
823 |
|
|
\emph{upns} table (Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}) is
|
824 |
|
|
provided. This state is very similar in spirit to what may be contained
|
825 |
|
|
in the \emph{Windows} registry.
|
826 |
|
|
|
827 |
|
|
Each record in the \emph{upns} table consists of a name and a value.
|
828 |
|
|
|
829 |
|
|
For each user, the names in the \emph{upns} table must be unique (no
|
830 |
|
|
duplicates are allowed).
|
831 |
|
|
|
832 |
|
|
A naming convention is used so that each entry in the \emph{upns} table
|
833 |
|
|
is bound to a specific application and page. The \emph{upns} table is indexed
|
834 |
|
|
by name for fast retrieval.
|
835 |
|
|
|
836 |
|
|
|
837 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
838 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
839 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
840 |
|
|
\subsubsection{Sessions}
|
841 |
|
|
%Subsubsection tag: ses0
|
842 |
|
|
\label{ctbg0:sddd0:scfn0:sses0}
|
843 |
|
|
|
844 |
|
|
A \emph{session} is the relationship between the server and a client during
|
845 |
|
|
a single login (whether as a named user or a guest).
|
846 |
|
|
|
847 |
|
|
Sessions are stored in the \emph{sessions} table
|
848 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}). Each record in the
|
849 |
|
|
\emph{sessions} table contains the session identifier, information about the
|
850 |
|
|
user, information about the time of the last actions associated with the
|
851 |
|
|
session, etc.
|
852 |
|
|
|
853 |
|
|
|
854 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
855 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
856 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
857 |
|
|
\subsubsection{Session Temporary Named State}
|
858 |
|
|
%Subsubsection tag: stn0
|
859 |
|
|
\label{ctbg0:sddd0:scfn0:sstn0}
|
860 |
|
|
|
861 |
|
|
State that should be stored associated with a session rather than a user
|
862 |
|
|
(i.e. that should be deleted when a session ends) is stored in the
|
863 |
|
|
\emph{stns} table (Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}).
|
864 |
|
|
|
865 |
|
|
Each entry in the \emph{stns} table consists of a name and a value.
|
866 |
|
|
Within each session, each name in the \emph{stns} table must be unique.
|
867 |
|
|
|
868 |
|
|
A naming convention is used so that each entry in the \emph{stns} table
|
869 |
|
|
is bound to a specific application and page. The \emph{stns} table is indexed
|
870 |
|
|
by name for fast retrieval.
|
871 |
|
|
|
872 |
|
|
|
873 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
874 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
875 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
876 |
|
|
\subsubsection{Chain of Command}
|
877 |
|
|
%Subsubsection tag: coc0
|
878 |
|
|
\label{ctbg0:sddd0:scfn0:scoc0}
|
879 |
|
|
|
880 |
|
|
In some contexts, \emph{\productbasename{}-\productversion{}} components
|
881 |
|
|
need to make decisions based on reporting relationships between
|
882 |
|
|
employees. For example, some information about an employee should only
|
883 |
|
|
be viewable or editable by those above the employee in the chain of command.
|
884 |
|
|
|
885 |
|
|
The database contains an \emph{enterprises} table
|
886 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}) and an
|
887 |
|
|
\emph{usersenterprises} table that provide a
|
888 |
|
|
$\infty{}:\infty{}$ mapping between \emph{users}
|
889 |
|
|
and \emph{enterprises}. A given user may belong to more than one
|
890 |
|
|
enterprise and may exist in reporting relationships in more than
|
891 |
|
|
one enterprise.
|
892 |
|
|
|
893 |
|
|
The database also contains a \emph{cocrels} table
|
894 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}) that can capture
|
895 |
|
|
reporting relationships between employees for each enterprise.
|
896 |
|
|
Both normal reporting relationships
|
897 |
|
|
and matrix reporting relationships can be captured.
|
898 |
|
|
|
899 |
|
|
|
900 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
901 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
902 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
903 |
|
|
\subsubsection{Login Attempts}
|
904 |
|
|
%Subsubsection tag: lat0
|
905 |
|
|
\label{ctbg0:sddd0:scfn0:slat0}
|
906 |
|
|
|
907 |
|
|
The database contains a \emph{loginattempts} table
|
908 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}).
|
909 |
|
|
The \emph{loginattempts} records unsuccessful login attempts that meet criteria
|
910 |
|
|
in order to implement security policies that involve the maximum number of
|
911 |
|
|
certain types of login attempts in a period of time.\footnote{In principle,
|
912 |
|
|
the \emph{logentries} table also contains enough information to implement
|
913 |
|
|
security policies, but the design is more versatile if a separate table
|
914 |
|
|
is used for this purpose.}
|
915 |
|
|
|
916 |
|
|
|
917 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
918 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
919 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
920 |
|
|
\subsubsection{User Templates}
|
921 |
|
|
%Subsubsection tag: utp0
|
922 |
|
|
\label{ctbg0:sddd0:scfn0:sutp0}
|
923 |
|
|
|
924 |
|
|
In a mature deployment of \emph{\productbasename{}-\productversion{}},
|
925 |
|
|
a typical user may have dozens of associated permission attributes.
|
926 |
|
|
Creating a new user would be quite tedious if a complex set of permission
|
927 |
|
|
attributes need to be created at the same time.
|
928 |
|
|
|
929 |
|
|
To make this process easier, user templates are provided via the
|
930 |
|
|
\emph{utemplates} and \emph{utemplatespermgroups} tables depicted in
|
931 |
|
|
Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}. A user template gives
|
932 |
|
|
a one-click way to create a user with a complex set of permission attributes.
|
933 |
|
|
|
934 |
|
|
A user template contains the same type of $\infty{}:\infty{}$
|
935 |
|
|
relation to the \emph{permattrs} table as a user. Creating a new user
|
936 |
|
|
from a user template is a relatively straightforward process of copying.
|
937 |
|
|
|
938 |
|
|
In general, a user may create another user if and only if:
|
939 |
|
|
|
940 |
|
|
\begin{itemize}
|
941 |
|
|
\item The user has the permission attribute set to be able to create
|
942 |
|
|
other users.
|
943 |
|
|
\item The security level integer of the created user is greater than that of
|
944 |
|
|
the creating user.
|
945 |
|
|
\item All ranked permission attributes of the created user are inferior to those of
|
946 |
|
|
the creating user.
|
947 |
|
|
\end{itemize}
|
948 |
|
|
|
949 |
|
|
|
950 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
951 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
952 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
953 |
|
|
\subsubsection{Site Navigation}
|
954 |
|
|
%Subsubsection tag: snv0
|
955 |
|
|
\label{ctbg0:sddd0:scfn0:ssnv0}
|
956 |
|
|
|
957 |
|
|
The left navigation pane of the \emph{\productbasename{}-\productversion{}}
|
958 |
|
|
displays a hierarchical set of links to pages. The left navigation page
|
959 |
|
|
is hierarchical in the sense that links to pages may be displayed under headings
|
960 |
|
|
or sub-headings. The logic used to
|
961 |
|
|
display links is:
|
962 |
|
|
|
963 |
|
|
\begin{itemize}
|
964 |
|
|
\item Each page in the \emph{pages} table contains a set of \emph{permgroups}.
|
965 |
|
|
Any user must be a member of at least one of the set of \emph{permgroups}
|
966 |
|
|
in order for the link to the page to be displayed (and in order to use
|
967 |
|
|
the services of the page at all).
|
968 |
|
|
\item A heading or sub-heading is displayed if and only if there is at least
|
969 |
|
|
one page link under the heading or sub-heading that, based on
|
970 |
|
|
the required \emph{permgroups}, should be displayed. (Headings and
|
971 |
|
|
sub-headings automatically drop out when there are no page links under
|
972 |
|
|
them.)
|
973 |
|
|
\end{itemize}
|
974 |
|
|
|
975 |
|
|
The relationship between
|
976 |
|
|
\emph{applications}, \emph{pages}, and \emph{navlines} shown
|
977 |
|
|
in Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00} has these
|
978 |
|
|
elements:
|
979 |
|
|
|
980 |
|
|
\begin{itemize}
|
981 |
|
|
\item \emph{applications} have a $1:\infty$ relationship with the
|
982 |
|
|
\emph{pages}. Every page is a member of exactly one application.
|
983 |
|
|
\item The \emph{navlines} specify the headings and page links that may appear
|
984 |
|
|
(depending on \emph{permgroups}) in the left navigation pane. A given page
|
985 |
|
|
may appear in more than one location in the left navigation pane (hence
|
986 |
|
|
the $\infty{}:1$ relationship\footnote{With the additional caveat that
|
987 |
|
|
a page is not required to appear in the left navigation pane---some pages
|
988 |
|
|
can only be reached indirectly.}).
|
989 |
|
|
\end{itemize}
|
990 |
|
|
|
991 |
|
|
Note that the \emph{pages} and \emph{applications} tables are linked to
|
992 |
|
|
from other tables (these relationships are not shown due to complexity constraints
|
993 |
|
|
in Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}). For
|
994 |
|
|
example, the \emph{globalvars} table is linked by page and application
|
995 |
|
|
so that the variables relevant to a page can be extracted more economically.
|
996 |
|
|
|
997 |
|
|
|
998 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
999 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1000 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1001 |
|
|
\subsubsection{Products and Product Components}
|
1002 |
|
|
%Subsubsection tag: pcn0
|
1003 |
|
|
\label{ctbg0:sddd0:scfn0:spcn0}
|
1004 |
|
|
|
1005 |
|
|
The \emph{products}, \emph{pcomponents}, \emph{psubcomponents},
|
1006 |
|
|
and \emph{pversions} tables in Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}
|
1007 |
|
|
define the products that are produced. Note that a version can only
|
1008 |
|
|
be associated with a product (rather than a component or subcomponent
|
1009 |
|
|
of a product).
|
1010 |
|
|
|
1011 |
|
|
The exact semantics of what constitutes a product, product component,
|
1012 |
|
|
and product subcomponent is naturally dependent on the organization.
|
1013 |
|
|
|
1014 |
|
|
|
1015 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1016 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1017 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1018 |
|
|
\subsubsection{File Repository Organization}
|
1019 |
|
|
%Subsubsection tag: fro0
|
1020 |
|
|
\label{ctbg0:sddd0:scfn0:sfro0}
|
1021 |
|
|
|
1022 |
|
|
The information maintained about the file repository files in the
|
1023 |
|
|
\emph{MySQL} database is maintained in the \emph{frfiles},
|
1024 |
|
|
\emph{frfilesfrfusages}, and \emph{frfusages} tables
|
1025 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}). These three
|
1026 |
|
|
tables create a $\infty{}:\infty{}$ mapping between
|
1027 |
|
|
the \emph{frfiles} and \emph{frfusages} tables.
|
1028 |
|
|
|
1029 |
|
|
The \emph{frfiles} table contains one record per file in the
|
1030 |
|
|
file repository. Each of these records contains all direct information
|
1031 |
|
|
about the stored file (location, SHA1 hash value, etc.).
|
1032 |
|
|
|
1033 |
|
|
The \emph{frfilesfrfusages} and \emph{frfusages} tables are necessary because
|
1034 |
|
|
there are PHP scripts that:
|
1035 |
|
|
|
1036 |
|
|
\begin{itemize}
|
1037 |
|
|
\item Display information about a file in the file repository.
|
1038 |
|
|
\item Serve the contents of a file in the file repository.
|
1039 |
|
|
\end{itemize}
|
1040 |
|
|
|
1041 |
|
|
These scripts must be able to determine whether a given user is authorized to
|
1042 |
|
|
view information about a file repository file or download the file.
|
1043 |
|
|
The difficulty in making this determination is that the file repository is
|
1044 |
|
|
is shared among many applications. Without some sort of a hint, the process
|
1045 |
|
|
of determining whether a user may view information about a repository file
|
1046 |
|
|
or download it would be an iterative process of checking every
|
1047 |
|
|
\emph{\productbasename{}-\productversion{}} application to determine if it
|
1048 |
|
|
has involvement with the repository file and if the user has permissions for the
|
1049 |
|
|
file. The \emph{frfusages} table is a table of possible usages for a file
|
1050 |
|
|
repository file. Using this table, the applications to check for file permissions
|
1051 |
|
|
should be reduced in a typical case to one or two.
|
1052 |
|
|
|
1053 |
|
|
At the present time, each usage of a file repository file is simply
|
1054 |
|
|
an integer, and so the \emph{frfusages} is superfluous (the integer could
|
1055 |
|
|
simply be stored directly in the \emph{frfilesfrusages} table). However,
|
1056 |
|
|
the more complex schema is used in case future expansion or enhancement
|
1057 |
|
|
occurs.
|
1058 |
|
|
|
1059 |
|
|
|
1060 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1061 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1062 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1063 |
|
|
\subsubsection{Global Variables}
|
1064 |
|
|
%Subsubsection tag: gvr0
|
1065 |
|
|
\label{ctbg0:sddd0:scfn0:sgvr0}
|
1066 |
|
|
|
1067 |
|
|
The database includes a table of global variables
|
1068 |
|
|
(the \emph{globalvars} table in Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00},
|
1069 |
|
|
p. \pageref{fig:ctbg0:sddd0:scfn0:spga0:00}).
|
1070 |
|
|
|
1071 |
|
|
Global variables have these uses:
|
1072 |
|
|
|
1073 |
|
|
\begin{itemize}
|
1074 |
|
|
\item Influencing the behavior of applications (global variables often override
|
1075 |
|
|
default behavior---similar to the typical behavior of \emph{Unix} environment
|
1076 |
|
|
variables). For example, the web interface to the database can be taken
|
1077 |
|
|
offline by setting a global variable.
|
1078 |
|
|
\item Mutual exclusion: for example, a global variable is used to ensure that two instances
|
1079 |
|
|
of the maintenance script don't run concurrently.
|
1080 |
|
|
\item Application persistent state: state that is not bound to a user or a session
|
1081 |
|
|
(discussed later) can be stored in global variables (similar to the behavior of
|
1082 |
|
|
the \emph{Windows} registry).
|
1083 |
|
|
\end{itemize}
|
1084 |
|
|
|
1085 |
|
|
Global variables have these essential characteristics:
|
1086 |
|
|
|
1087 |
|
|
\begin{itemize}
|
1088 |
|
|
\item The name of a global variable must be unique (duplicate names in the
|
1089 |
|
|
\emph{globalvars} table are not allowed). In order to facilitate and
|
1090 |
|
|
guarantee uniqueness, a naming convention
|
1091 |
|
|
(\S{}\ref{ctbg0:sddd0:sgsn0}, p. \pageref{ctbg0:sddd0:sgsn0}) is used that
|
1092 |
|
|
names the global variables by application then page.
|
1093 |
|
|
\item The \emph{globalvars} table is indexed by variable name.
|
1094 |
|
|
\end{itemize}
|
1095 |
|
|
|
1096 |
|
|
|
1097 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1098 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1099 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1100 |
|
|
\subsubsection{Logging}
|
1101 |
|
|
%Subsubsection tag: log0
|
1102 |
|
|
\label{ctbg0:sddd0:scfn0:slog0}
|
1103 |
|
|
|
1104 |
|
|
\emph{\productbasename{}-\productversion{}} maintains a log in the form of
|
1105 |
|
|
a database table (the \emph{logentries} table in Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00},
|
1106 |
|
|
p. \pageref{fig:ctbg0:sddd0:scfn0:spga0:00}). This database table
|
1107 |
|
|
contains indexed columns so that the log can be viewed based on
|
1108 |
|
|
chronological order, application, log entry type, and security threat level.
|
1109 |
|
|
|
1110 |
|
|
|
1111 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1112 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1113 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1114 |
|
|
\subsubsection{Inbox}
|
1115 |
|
|
%Subsubsection tag: inb0
|
1116 |
|
|
\label{ctbg0:sddd0:scfn0:sinb0}
|
1117 |
|
|
|
1118 |
|
|
When certain events/actions occur, one or more users should be notified.
|
1119 |
|
|
The notices are inserted into the \emph{inbox} table
|
1120 |
|
|
(Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00}).
|
1121 |
|
|
|
1122 |
|
|
Presently, only the \emph{inbox} is implemented, and is used only for
|
1123 |
|
|
automatic notifications from applications. In the future, a more general messaging
|
1124 |
|
|
system (with the ability to send/receive e-mail or the ability to send/receive
|
1125 |
|
|
messages to other users) may be implemented.
|
1126 |
|
|
|
1127 |
|
|
|
1128 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1129 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1130 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1131 |
|
|
\subsubsection{Host E-mail Preferences}
|
1132 |
|
|
%Subsubsection tag: hep0
|
1133 |
|
|
\label{ctbg0:sddd0:scfn0:shep0}
|
1134 |
|
|
|
1135 |
|
|
Notifications are always sent to the \emph{inbox} and can be viewed by the user.
|
1136 |
|
|
For each user, it can be configured whether notifications are also sent to
|
1137 |
|
|
the user's e-mail address(es).
|
1138 |
|
|
|
1139 |
|
|
There are two concerns with injecting e-mail bound for remote hosts:
|
1140 |
|
|
|
1141 |
|
|
\begin{itemize}
|
1142 |
|
|
\item Some remote hosts may filter for SPAM by limiting the number of
|
1143 |
|
|
e-mails that can delivered from a certain host. With these remote hosts,
|
1144 |
|
|
e-mail injection must be rate-limited.
|
1145 |
|
|
\item A software bug could result in a large number of notifications erroneously
|
1146 |
|
|
created. Rate-limiting all e-mail injections for remote hosts is prudent.
|
1147 |
|
|
\end{itemize}
|
1148 |
|
|
|
1149 |
|
|
The \emph{hostemailprefs} table (Figure \ref{fig:ctbg0:sddd0:scfn0:spga0:00})
|
1150 |
|
|
is a table of regular expressions designed to match e-mail addresses.
|
1151 |
|
|
During the high-frequency maintenance script, the \emph{hostemailprefs}
|
1152 |
|
|
records are scanned in a specific order in an attempt to match
|
1153 |
|
|
the outgoing e-mail address. The data in the first match is used to control
|
1154 |
|
|
the generation of outgoing e-mail.
|
1155 |
|
|
|
1156 |
|
|
Note that generation of outgoing notification e-mail is simply a process of
|
1157 |
|
|
sending each message in the \emph{inbox} table subject to user preferences
|
1158 |
|
|
and rules in the \emph{hostemailprefs} table.
|
1159 |
|
|
|
1160 |
|
|
|
1161 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1162 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1163 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1164 |
|
|
\section{Product Design Decisions and Discussion}
|
1165 |
|
|
%Section tag: ddc0
|
1166 |
|
|
\label{ctbg0:sddc0}
|
1167 |
|
|
|
1168 |
|
|
|
1169 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1170 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1171 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1172 |
|
|
\subsection{Two-Factor Authentication}\index{two-factor authentication}
|
1173 |
|
|
%Subection tag: tfa0
|
1174 |
|
|
\label{ctbg0:sddc0:stfa0}
|
1175 |
|
|
|
1176 |
|
|
\emph{Two-factor authentication}\index{two-factor authentication} is the practice of
|
1177 |
|
|
authenticating users based on both something the user \emph{knows} (typically a password)
|
1178 |
|
|
and something the user \emph{has} (typically a cryptographic token).
|
1179 |
|
|
|
1180 |
|
|
It is anticipated that \emph{\productbasename{}} will be used from airport
|
1181 |
|
|
kiosks and other locations where password capture is a very tangible possibility.
|
1182 |
|
|
|
1183 |
|
|
The best known countermeasure against password capture and password guessing is
|
1184 |
|
|
one-time passwords\index{one-time password} (OTPs) generated by a
|
1185 |
|
|
cryptographic token.
|
1186 |
|
|
|
1187 |
|
|
OTPs generated by a cryptographic token are effective against password capture because
|
1188 |
|
|
each one-time password generated can be used only once and is useless in the future.
|
1189 |
|
|
OTP capture is not helpful to an attacker.
|
1190 |
|
|
|
1191 |
|
|
OTPs generated by a cryptographic token are effective against password guessing
|
1192 |
|
|
because the OTPs generated have an approximately uniform
|
1193 |
|
|
distribution across the space of all
|
1194 |
|
|
OTPs that can be generated. This is unlike passwords generated by humans,
|
1195 |
|
|
which tend to involve language words and may facilitate guessing.
|
1196 |
|
|
|
1197 |
|
|
|
1198 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1199 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1200 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1201 |
|
|
\subsubsection{Overview of the Solution}
|
1202 |
|
|
%Subsubsection tag: ovs0
|
1203 |
|
|
\label{ctbg0:sddc0:stfa0:sovs0}
|
1204 |
|
|
|
1205 |
|
|
%Note to self: .JPG was converted to .EPS on *nix box using
|
1206 |
|
|
%"convert cckt1_01.jpg cckt1_01.eps", with no additonal options
|
1207 |
|
|
%or qualifiers. .EPS ended up to be quite large.
|
1208 |
|
|
%
|
1209 |
|
|
\begin{figure}
|
1210 |
|
|
\centering
|
1211 |
|
|
\includegraphics[width=4.6in]{c_tbg0/cckt1_01.eps}
|
1212 |
|
|
\caption{CryptoCard KT-1 Keychain Token}
|
1213 |
|
|
\label{fig:ctbg0:sddc0:stfa0:sovs0:00}
|
1214 |
|
|
\end{figure}
|
1215 |
|
|
|
1216 |
|
|
The model of token supported by \emph{\productbasename{}}
|
1217 |
|
|
is the CryptoCard\index{CryptoCard Corporation}
|
1218 |
|
|
KT-1 keychain token\index{KT-1 keychain cryptographic token}
|
1219 |
|
|
(Fig. \ref{fig:ctbg0:sddc0:stfa0:sovs0:00}).
|
1220 |
|
|
|
1221 |
|
|
|
1222 |
|
|
On a per-user basis, logins to \emph{\productbasename{}} may be either with:
|
1223 |
|
|
|
1224 |
|
|
\begin{itemize}
|
1225 |
|
|
\item Userid and password.
|
1226 |
|
|
\item Userid, password, and OTP.
|
1227 |
|
|
\end{itemize}
|
1228 |
|
|
|
1229 |
|
|
The cryptographic basis of the CryptoCard KT-1 token and similar products
|
1230 |
|
|
is that:
|
1231 |
|
|
|
1232 |
|
|
\begin{itemize}
|
1233 |
|
|
\item The token is programmed with a key that cannot be extracted\footnote{The
|
1234 |
|
|
ability to extract the key from the token is equivalent to being able
|
1235 |
|
|
to predict all future OTPs that will be generated by the token, and hence
|
1236 |
|
|
would render the token useless as a security device.}, and this key is known
|
1237 |
|
|
to the \emph{\productbasename{}} software.
|
1238 |
|
|
\item Mathematically, there is no way to reverse-engineer the key by observing
|
1239 |
|
|
OTPs generated by the token; hence there is no way to predict future
|
1240 |
|
|
OTPs generated by the token based on observing past OTPs.
|
1241 |
|
|
\end{itemize}
|
1242 |
|
|
|
1243 |
|
|
\emph{\productbasename{}} utilizes the CryptoCard KT-1 token configured
|
1244 |
|
|
so that each of the 8 displayed OTP characters can be one of 32 different
|
1245 |
|
|
possibilities.\footnote{The KT-1 token can also be configured so that
|
1246 |
|
|
each of the 8 OTP characters can be one of 64 possibilities, leading to
|
1247 |
|
|
$64^8 = 2.8 \times 10^{14}$ OTPs. The base-32
|
1248 |
|
|
OTPs were chosen because they are case-insensitive and lead to fewer user
|
1249 |
|
|
data entry errors.}
|
1250 |
|
|
The number of possible OTPs is thus $32^8 = 1.1 \times 10^{12}$.
|
1251 |
|
|
The large number of OTPs makes a brute-force attack unattractive---even with 10 guesses
|
1252 |
|
|
per second, the expected time to guess an OTP would be 1,700 years.
|
1253 |
|
|
|
1254 |
|
|
The CryptoCard KT-1 keychain token is an event-driven device---it generates
|
1255 |
|
|
sequential OTPs according to a mathematical sequence, with one OTP generated
|
1256 |
|
|
at each activation of the token. The \productbasename{} software, because
|
1257 |
|
|
it has access to the token key, is able to predict the OTPs that should be
|
1258 |
|
|
generated by the token. The \productbasename{} software also allows approximately
|
1259 |
|
|
three\footnote{Configurable: three is the default value.}
|
1260 |
|
|
of the predicted sequential OTPs to be used, in case the KT-1 token was activated
|
1261 |
|
|
and the OTP never used.\footnote{This might happen, for example, if the token button
|
1262 |
|
|
is accidentally pressed by objects in the user's pockets, or if children are
|
1263 |
|
|
allowed to play with the token.}
|
1264 |
|
|
|
1265 |
|
|
It can occur, however, that the KT-1 token falls out of synchronization with
|
1266 |
|
|
the \productbasename{} software. In this case, the token allows a resynchronization
|
1267 |
|
|
procedure where the user enters a resynchronization string (8 digits,
|
1268 |
|
|
allowing for $10^8$ different values). When the token is supplied
|
1269 |
|
|
with a resynchronization string, it resets its internal state and provides
|
1270 |
|
|
an OTP. This procedure allows the token and the \productbasename{} software
|
1271 |
|
|
to be brought back into synchronization.
|
1272 |
|
|
|
1273 |
|
|
Note to self: in conversation with Bill LaHam in late October 2009, Bill indicated
|
1274 |
|
|
that the traditional approach with tokens is to have an inner window and an outer
|
1275 |
|
|
window. A typical inner window might be of size 3, and a typical outer window might
|
1276 |
|
|
be of size 1000.
|
1277 |
|
|
|
1278 |
|
|
\begin{itemize}
|
1279 |
|
|
\item If the token value falls within the inner window, it is authenticated without
|
1280 |
|
|
any other verification steps.
|
1281 |
|
|
\item If the token value is not within the inner window but is within the outer
|
1282 |
|
|
window, two (additional?) consecutive values are required for authentication.
|
1283 |
|
|
\item If the token value is not within the inner window and not within the
|
1284 |
|
|
outer window, some sort of resynchronization is required.
|
1285 |
|
|
\end{itemize}
|
1286 |
|
|
|
1287 |
|
|
The size of the inner window is a major security risk (it raises the probability
|
1288 |
|
|
of a successful guess), so it should be small. The outer window is not a security
|
1289 |
|
|
concern at all.
|
1290 |
|
|
|
1291 |
|
|
Need to incorporate the information from Bill into this document and the
|
1292 |
|
|
strategy in this documennt.
|
1293 |
|
|
|
1294 |
|
|
|
1295 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1296 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1297 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1298 |
|
|
\subsubsection{Additional Prudent User Authentication Practices}
|
1299 |
|
|
%Subsubsection tag: aap0
|
1300 |
|
|
\label{ctbg0:sddc0:stfa0:saap0}
|
1301 |
|
|
|
1302 |
|
|
Even when OTPs are employed, it is not prudent to allow an attacker
|
1303 |
|
|
a large number of authentication attempts. The following
|
1304 |
|
|
prudent practices are also used by the \productbasename{} software.
|
1305 |
|
|
|
1306 |
|
|
\begin{enumerate}
|
1307 |
|
|
\item Resynchronization strings are provided by the server, are generated
|
1308 |
|
|
as sequential values (``00000000'', ``00000001'', ``00000002'', etc.),
|
1309 |
|
|
and are only reused with a period of $10^8$. (This is designed to
|
1310 |
|
|
elmiminate an attacker's ability to observe how a token responds to
|
1311 |
|
|
a specific resynchronization string and to reuse this information as
|
1312 |
|
|
part of an attack.)
|
1313 |
|
|
\item Unsuccessful authentication attempts that involve an invalid userid
|
1314 |
|
|
are logged but otherwise simply ignored.
|
1315 |
|
|
\item Unsuccessful authentication attempts that involve a valid userid but
|
1316 |
|
|
both invalid password and invalid OTP are logged but otherwise
|
1317 |
|
|
simply ignored.
|
1318 |
|
|
\item Unsuccessful authentication attempts involving a valid userid and
|
1319 |
|
|
either a valid password and invalid OTP or invalid password and valid
|
1320 |
|
|
OTP\footnote{In the case of a user for whom two-factor authentication
|
1321 |
|
|
is not enabled, valid userid and invalid password are treated as described
|
1322 |
|
|
here---the key element is that the attacker appears to be ``one piece''
|
1323 |
|
|
away from a successful attack.}
|
1324 |
|
|
are treated more aggressively because this case hints at an attacker
|
1325 |
|
|
who has obtained a user's password but has no token or has obtained a token
|
1326 |
|
|
but does not have the user's password, and is ``fishing'' for the missing
|
1327 |
|
|
piece. If a sufficient number of these attacks directed at the userid have
|
1328 |
|
|
occurred from the same IP in a short period of time, login ability for
|
1329 |
|
|
this userid from the affected IP is silently disabled for a period of
|
1330 |
|
|
time.\footnote{\emph{Silently} means that the web interface will only indicate
|
1331 |
|
|
unsuccessful authentication, and will give no indication that a probable attack
|
1332 |
|
|
has been detected or that authentication for the affected userid from the
|
1333 |
|
|
affected IP is temporarily impossible. \emph{Disabled} means that even if
|
1334 |
|
|
correct authentication credentials are provided, they will be rejected. The
|
1335 |
|
|
purpose of this policy is to eliminate the ability of an attacker to try large
|
1336 |
|
|
numbers of attacks in a short period of time, and to deny an attacker information
|
1337 |
|
|
about how to better mount an attack.}
|
1338 |
|
|
\end{enumerate}
|
1339 |
|
|
|
1340 |
|
|
|
1341 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1342 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1343 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1344 |
|
|
\subsection{Per-User Authentication and Administrative Rights}
|
1345 |
|
|
%Subsection tag: pua0
|
1346 |
|
|
\label{ctbg0:sddc0:spua0}
|
1347 |
|
|
|
1348 |
|
|
\emph{\productbasename{}-\productversion{}} has no notion of an
|
1349 |
|
|
``administrative'' or ``master'' password. Each individual user
|
1350 |
|
|
logs in using a user-ID identifying themselves, even to perform
|
1351 |
|
|
administrative tasks.
|
1352 |
|
|
|
1353 |
|
|
Tasks are divided into two groups:
|
1354 |
|
|
|
1355 |
|
|
\begin{itemize}
|
1356 |
|
|
\item Ordinary tasks (that typically view data or moves workproducts
|
1357 |
|
|
through a process).
|
1358 |
|
|
\item Administrative tasks that:
|
1359 |
|
|
\begin{itemize}
|
1360 |
|
|
\item Represent administration of the \emph{\productbasename{}-\productversion{}}
|
1361 |
|
|
software, rather than usage of the software; AND/OR
|
1362 |
|
|
\item Are sensitive to mistakes, and could destroy or corrupt
|
1363 |
|
|
data.
|
1364 |
|
|
\end{itemize}
|
1365 |
|
|
\end{itemize}
|
1366 |
|
|
|
1367 |
|
|
\emph{\productbasename{}-\productversion{}} allows two types of logins:
|
1368 |
|
|
|
1369 |
|
|
\begin{itemize}
|
1370 |
|
|
\item \emph{Normal login}: the user has priveleges only to perform
|
1371 |
|
|
non-administrative tasks.
|
1372 |
|
|
\item \emph{Administrative login}: the user has priveleges to perform
|
1373 |
|
|
non-administrative and administrative tasks.
|
1374 |
|
|
\end{itemize}
|
1375 |
|
|
|
1376 |
|
|
In order to perform a normal login, the user simply enters their
|
1377 |
|
|
user-ID (``\emph{jsmith}'', for example) as the user-ID when logging in.
|
1378 |
|
|
|
1379 |
|
|
In order to perform an administrative login, the user enters their
|
1380 |
|
|
user-ID postfixed with an asterisk (``\emph{jsmith*}'', for
|
1381 |
|
|
example as the user-ID when logging in. When a user has performed an
|
1382 |
|
|
administrative login, the color scheme used for the web pages
|
1383 |
|
|
is based on the color red rather than on blues and grays.
|
1384 |
|
|
|
1385 |
|
|
The only way to switch between normal and administrative logins
|
1386 |
|
|
is by logging out and logging in again.
|
1387 |
|
|
|
1388 |
|
|
|
1389 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1390 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1391 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1392 |
|
|
\subsection{\emph{su} Logins}
|
1393 |
|
|
%Subsection tag: sul0
|
1394 |
|
|
\label{ctbg0:sddc0:ssul0}
|
1395 |
|
|
|
1396 |
|
|
\index{su login@\emph{su} login}It is helpful in some
|
1397 |
|
|
situations to be able to log in as a different user. Such logins are
|
1398 |
|
|
called \emph{su} logins (after the *nix \emph{su} command). These situations
|
1399 |
|
|
include:
|
1400 |
|
|
|
1401 |
|
|
\begin{itemize}
|
1402 |
|
|
\item Testing.
|
1403 |
|
|
\item Performing actions on behalf of other users.
|
1404 |
|
|
\end{itemize}
|
1405 |
|
|
|
1406 |
|
|
In order to \emph{su} as another user, the user logging in
|
1407 |
|
|
must enter a user-ID of the form ``\emph{actualuser as suuser}''
|
1408 |
|
|
as the user-ID when logging in. ``\emph{actualuser as suuser*}'' can
|
1409 |
|
|
also be used for an \emph{su} administrative login.
|
1410 |
|
|
|
1411 |
|
|
In order to perform an \emph{su} login as another user, a user
|
1412 |
|
|
must have strictly superior priveleges. Specifically:
|
1413 |
|
|
|
1414 |
|
|
\begin{itemize}
|
1415 |
|
|
\item The \emph{seclvl} of the actual user must be
|
1416 |
|
|
a smaller integer than the \emph{seclvl} of the \emph{su} user.
|
1417 |
|
|
\item The actual user must have at least every permission attribute
|
1418 |
|
|
that the \emph{su} user has.
|
1419 |
|
|
\item For those permission attributes that are ranked, the ranking
|
1420 |
|
|
must be at least as great as the \emph{su} user.
|
1421 |
|
|
\end{itemize}
|
1422 |
|
|
|
1423 |
|
|
Once the login is complete, the \emph{su} login is indistinguishable from an
|
1424 |
|
|
actual login except for the log entries. The session maintained does
|
1425 |
|
|
not contain any state to indicate that it represents an \emph{su} login.
|
1426 |
|
|
|
1427 |
|
|
|
1428 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1429 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1430 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1431 |
|
|
\subsection{Multiple Logins}
|
1432 |
|
|
%Subsection tag: mlo0
|
1433 |
|
|
\label{ctbg0:sddc0:smlo0}
|
1434 |
|
|
|
1435 |
|
|
The maximum number of logins per user is a global configuration
|
1436 |
|
|
constant, defined in the \texttt{config.inc} \emph{PHP} file.
|
1437 |
|
|
The default value is 3.
|
1438 |
|
|
|
1439 |
|
|
If the maximum number of logins is reached and another user
|
1440 |
|
|
successfully authenticates with the
|
1441 |
|
|
same user-ID, the session with the oldest creation time is destroyed (forcibly
|
1442 |
|
|
logging out this instance of the user).
|
1443 |
|
|
|
1444 |
|
|
|
1445 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1446 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1447 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1448 |
|
|
\subsection{The Standard Hash Function}
|
1449 |
|
|
%Subection tag: shf0
|
1450 |
|
|
\label{ctbg0:sddc0:sshf0}
|
1451 |
|
|
|
1452 |
|
|
The \index{standard hash function}\emph{standard hash function} is the
|
1453 |
|
|
standard way that the \emph{\productbasename{}-\productversion{}} software
|
1454 |
|
|
maps between a number of arbitrary input arguments and a 160-bit
|
1455 |
|
|
SHA1 hash. The standard hash function involves mixing
|
1456 |
|
|
the input arguments with a secret hash key
|
1457 |
|
|
(described in \S{}\ref{ctbg0:sdty0:sthk0}).
|
1458 |
|
|
|
1459 |
|
|
If `+' is used to represent the string concatenation operation, all
|
1460 |
|
|
arguments $a_i$ that are not strings are converted to string format, then the
|
1461 |
|
|
SHA1 hash is applied to the concatenation of the secret hash key $k_h$ and the
|
1462 |
|
|
arguments $a_i$ as described by the first few patterns below.
|
1463 |
|
|
|
1464 |
|
|
\begin{eqnarray}
|
1465 |
|
|
\nonumber
|
1466 |
|
|
SHF_1(a_1) & = & SHA1(k_h + a_1 + k_h) \\
|
1467 |
|
|
\label{eq:ctbg0:sddc0:sshf0:01}
|
1468 |
|
|
SHF_2(a_1, a_2) & = & SHA1(k_h + a_1 + k_h + a_2 + k_h) \\
|
1469 |
|
|
\nonumber
|
1470 |
|
|
SHF_3(a_1, a_2, a_3) & = & SHA1(k_h + a_1 + k_h + a_2 + k_h + a_3 + k_h)
|
1471 |
|
|
\end{eqnarray}
|
1472 |
|
|
|
1473 |
|
|
Note that the hash functions above are designed so that it should be
|
1474 |
|
|
impossible for an attacker to predict the hash that will be generated
|
1475 |
|
|
for a given set of input arguments $a_i$ unless the hash key $k_h$ has
|
1476 |
|
|
been compromised.
|
1477 |
|
|
|
1478 |
|
|
|
1479 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1480 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1481 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1482 |
|
|
\subsection{Storage of User Passwords}
|
1483 |
|
|
%Subection tag: sup0
|
1484 |
|
|
\label{ctbg0:sddc0:ssup0}
|
1485 |
|
|
|
1486 |
|
|
It is generally known that individuals tend to choose identical or similar
|
1487 |
|
|
passwords across many different computing applications. For that reason, it
|
1488 |
|
|
is important to safeguard the passwords used with
|
1489 |
|
|
\emph{\productbasename{}-\productversion{}}. Although
|
1490 |
|
|
\emph{\productbasename{}-\productversion{}} may be a relatively unimportant
|
1491 |
|
|
product to a user, the other software products with which the user is
|
1492 |
|
|
unwisely using the same password may be important.
|
1493 |
|
|
It is important to protect passwords.
|
1494 |
|
|
|
1495 |
|
|
Passwords are never stored in \emph{\productbasename{}-\productversion{}}.
|
1496 |
|
|
Instead, the $SHF1(\cdot{})$ of the password (as described in
|
1497 |
|
|
Eq. \ref{eq:ctbg0:sddc0:sshf0:01}) is stored.
|
1498 |
|
|
|
1499 |
|
|
It is possible, although extremely unlikely, that two non-identical
|
1500 |
|
|
passwords would have the same stored hash. Assuming that
|
1501 |
|
|
a typical user is comfortable using 62 characters (26 lower-case letters, 26 upper-case
|
1502 |
|
|
letters, and 10 digits) as part of a password, an approximation of how many
|
1503 |
|
|
password characters $n$ a 160-bit hash is equivalent to can be obtained by
|
1504 |
|
|
solving:
|
1505 |
|
|
|
1506 |
|
|
\begin{equation}
|
1507 |
|
|
62^n = 2^{160}
|
1508 |
|
|
\end{equation}
|
1509 |
|
|
|
1510 |
|
|
\begin{equation}
|
1511 |
|
|
n = \frac{160 \log 2}{\log 62} \approx 27
|
1512 |
|
|
\end{equation}
|
1513 |
|
|
|
1514 |
|
|
\noindent{}Thus, a hash collision involving two different typical passwords is
|
1515 |
|
|
\emph{very} unlikely.
|
1516 |
|
|
|
1517 |
|
|
If the stored password hash is compromised but the hash key is not, no attack
|
1518 |
|
|
is possible except brute-force password guessing (with no advantage gained
|
1519 |
|
|
due to compromise of the stored password hash).
|
1520 |
|
|
|
1521 |
|
|
If both the stored password hash and the hash key are compromised, the best
|
1522 |
|
|
attack possible is a dictionary attack. This may or may not be fruitful,
|
1523 |
|
|
depending on the strength of password chosen by the user.
|
1524 |
|
|
|
1525 |
|
|
|
1526 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1527 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1528 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1529 |
|
|
\subsection{Internal Representation of Time}
|
1530 |
|
|
%Subection tag: rti0
|
1531 |
|
|
\label{ctbg0:sddc0:srti0}
|
1532 |
|
|
|
1533 |
|
|
It is very common for a project to involve individuals from several
|
1534 |
|
|
countries. In this context, it is important to have no ambiguity
|
1535 |
|
|
about the values of time recorded in a database.
|
1536 |
|
|
|
1537 |
|
|
The following design decisions have been made:
|
1538 |
|
|
|
1539 |
|
|
\begin{itemize}
|
1540 |
|
|
\item All stored time values corresponding to events will
|
1541 |
|
|
be in \index{UTC}UTC.
|
1542 |
|
|
\item In many contexts, the stored time values will also
|
1543 |
|
|
be presented in local time. (However,
|
1544 |
|
|
presentation in local time alone is strongly discouraged---UTC should be the norm
|
1545 |
|
|
for collaboration.)
|
1546 |
|
|
\item The calendaring range for date functionality will be
|
1547 |
|
|
from 1900 through 2999.\footnote{This represents a
|
1548 |
|
|
span of approximately 34,713,000,000 seconds. Although this
|
1549 |
|
|
exceeds the range of a 32-bit representation, it comfortably
|
1550 |
|
|
fits in a 64-bit representation.}
|
1551 |
|
|
\end{itemize}
|
1552 |
|
|
|
1553 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1554 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1555 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1556 |
|
|
\section{\emph{PHP} Design Decisions and Discussion}
|
1557 |
|
|
%Section tag: php0
|
1558 |
|
|
\label{ctbg0:sphp0}
|
1559 |
|
|
|
1560 |
|
|
|
1561 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1562 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1563 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1564 |
|
|
\subsection{Native Integer Size}
|
1565 |
|
|
%Subsection tag: nis0
|
1566 |
|
|
\label{ctbg0:sphp0:snis0}
|
1567 |
|
|
|
1568 |
|
|
Prior to \emph{PHP} 5, \emph{PHP} integers were the same size as the native
|
1569 |
|
|
integer of the underlying machine. With some machines this is 32 bits, and with
|
1570 |
|
|
other machines this is 64 bits.
|
1571 |
|
|
|
1572 |
|
|
In the case of a 32-bit integer, the range of values that can be represented
|
1573 |
|
|
by an integer $x$ is
|
1574 |
|
|
|
1575 |
|
|
\begin{eqnarray}
|
1576 |
|
|
-(2^{31}) & \leq \; x \; \leq & 2^{31} - 1\\
|
1577 |
|
|
\nonumber -2,147,483,648 & \leq \; x \; \leq & 2,147,483,647 .
|
1578 |
|
|
\end{eqnarray}
|
1579 |
|
|
|
1580 |
|
|
It is necessary to ensure that 64-bit integer arithmetic is available from
|
1581 |
|
|
\emph{PHP} for the following reasons:
|
1582 |
|
|
|
1583 |
|
|
\begin{itemize}
|
1584 |
|
|
\item Certain of the database tables may exceed $2^{31}-1$ records or,
|
1585 |
|
|
due to addition and deletion of records, have key values that
|
1586 |
|
|
exceed $2^{31}-1$.
|
1587 |
|
|
\item The number of seconds since the Unix epoch will exceed $2^{31}-1$ seconds
|
1588 |
|
|
in 2037 A.D\@. \emph{\productbasename{}} must be able to perform
|
1589 |
|
|
date calculations further into the future than 2037 A.D., and so
|
1590 |
|
|
integers exceeding 32 bits in size would be convenient.
|
1591 |
|
|
\end{itemize}
|
1592 |
|
|
|
1593 |
|
|
To work around the limitations of 32-bit integers, the following strategy
|
1594 |
|
|
is used:
|
1595 |
|
|
|
1596 |
|
|
\begin{itemize}
|
1597 |
|
|
\item Integers that may exceed 32 bits are represented as strings rather than
|
1598 |
|
|
as integers, and \emph{PHP}'s \emph{bcmath} library is used to manipulate
|
1599 |
|
|
these strings.
|
1600 |
|
|
\item In issuing \emph{MySQL} statements that specify integers larger than 32 bits,
|
1601 |
|
|
no special action is required, as an SQL statement is ultimately only a string.
|
1602 |
|
|
However, when obtaining result sets from \emph{MySQL} that may involve
|
1603 |
|
|
integers larger than 32 bits, special SQL statements that cast the portions of
|
1604 |
|
|
the result set to a string are used.
|
1605 |
|
|
\end{itemize}
|
1606 |
|
|
|
1607 |
|
|
The strategy described above will work equally well with \emph{PHP} when
|
1608 |
|
|
64-bit integers are directly supported, but with slight inefficiency.
|
1609 |
|
|
|
1610 |
|
|
|
1611 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1612 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1613 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1614 |
|
|
\section{Web Interface Design Decisions and Discussion}
|
1615 |
|
|
%Section tag: wid0
|
1616 |
|
|
\label{ctbg0:swid0}
|
1617 |
|
|
|
1618 |
|
|
|
1619 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1620 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1621 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1622 |
|
|
\subsection{Client IP Address Modified During Session}
|
1623 |
|
|
%Subsection tag: ipa0
|
1624 |
|
|
\label{ctbg0:swid0:sipa0}
|
1625 |
|
|
|
1626 |
|
|
Newsgroup posters have identified that an IP address may shift during a
|
1627 |
|
|
session (due to DHCP lease lifetimes and so on). For this reason, an
|
1628 |
|
|
IP address that shifts during a session will result in a warning in the
|
1629 |
|
|
logs rather than termination of the session.\footnote{Termination of the
|
1630 |
|
|
session is a forced immediate logout.}
|
1631 |
|
|
|
1632 |
|
|
|
1633 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1634 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1635 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1636 |
|
|
\section{\emph{PHP}-Spawned Program Design Decisions and Discussion}
|
1637 |
|
|
%Section tag: phs0
|
1638 |
|
|
\label{ctbg0:sphs0}
|
1639 |
|
|
|
1640 |
|
|
|
1641 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1642 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1643 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1644 |
|
|
\section{\emph{cron}-Job Design Decisions and Discussion}
|
1645 |
|
|
%Section tag: cjd0
|
1646 |
|
|
\label{ctbg0:scjd0}
|
1647 |
|
|
|
1648 |
|
|
|
1649 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1650 |
|
|
\noindent\begin{figure}[!b]
|
1651 |
|
|
\noindent\rule[-0.25in]{\textwidth}{1pt}
|
1652 |
|
|
\begin{tiny}
|
1653 |
|
|
\begin{verbatim}
|
1654 |
|
|
$RCSfile: c_tbg0.tex,v $
|
1655 |
|
|
$Source: /home/dashley/cvsrep/e3ft_gpl01/e3ft_gpl01/webprojs/pamc/gen_a/docs/manual/man_a/c_tbg0/c_tbg0.tex,v $
|
1656 |
|
|
$Revision: 1.35 $
|
1657 |
|
|
$Author: dashley $
|
1658 |
|
|
$Date: 2009/11/01 02:42:55 $
|
1659 |
|
|
\end{verbatim}
|
1660 |
|
|
\end{tiny}
|
1661 |
|
|
\noindent\rule[0.25in]{\textwidth}{1pt}
|
1662 |
|
|
\end{figure}
|
1663 |
|
|
|
1664 |
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
1665 |
|
|
%$Log: c_tbg0.tex,v $
|
1666 |
|
|
%Revision 1.35 2009/11/01 02:42:55 dashley
|
1667 |
|
|
%Edits.
|
1668 |
|
|
%
|
1669 |
|
|
%Revision 1.34 2007/07/13 02:38:04 dashley
|
1670 |
|
|
%Edits.
|
1671 |
|
|
%
|
1672 |
|
|
%Revision 1.33 2007/07/13 01:19:57 dashley
|
1673 |
|
|
%Edits.
|
1674 |
|
|
%
|
1675 |
|
|
%Revision 1.32 2007/07/11 14:31:40 dashley
|
1676 |
|
|
%Edits.
|
1677 |
|
|
%
|
1678 |
|
|
%Revision 1.31 2007/07/07 23:12:54 dashley
|
1679 |
|
|
%Edits.
|
1680 |
|
|
%
|
1681 |
|
|
%Revision 1.30 2007/07/07 03:49:58 dashley
|
1682 |
|
|
%Edits.
|
1683 |
|
|
%
|
1684 |
|
|
%Revision 1.29 2007/07/07 03:31:53 dashley
|
1685 |
|
|
%Edits.
|
1686 |
|
|
%
|
1687 |
|
|
%Revision 1.28 2007/07/04 22:41:27 dashley
|
1688 |
|
|
%Edits.
|
1689 |
|
|
%
|
1690 |
|
|
%Revision 1.27 2007/07/04 05:09:24 dashley
|
1691 |
|
|
%Edits.
|
1692 |
|
|
%
|
1693 |
|
|
%Revision 1.26 2007/07/02 01:32:50 dashley
|
1694 |
|
|
%Edits.
|
1695 |
|
|
%
|
1696 |
|
|
%Revision 1.25 2007/07/01 03:07:14 dashley
|
1697 |
|
|
%Edits.
|
1698 |
|
|
%
|
1699 |
|
|
%Revision 1.24 2007/06/24 20:21:55 dashley
|
1700 |
|
|
%Edits.
|
1701 |
|
|
%
|
1702 |
|
|
%Revision 1.23 2007/06/24 16:35:48 dashley
|
1703 |
|
|
%Edits.
|
1704 |
|
|
%
|
1705 |
|
|
%Revision 1.22 2007/06/24 02:16:50 dashley
|
1706 |
|
|
%Edits.
|
1707 |
|
|
%
|
1708 |
|
|
%Revision 1.21 2007/06/24 00:42:20 dashley
|
1709 |
|
|
%Edits.
|
1710 |
|
|
%
|
1711 |
|
|
%Revision 1.20 2007/06/23 22:16:10 dashley
|
1712 |
|
|
%Safety checkin before graphics file renaming.
|
1713 |
|
|
%
|
1714 |
|
|
%Revision 1.19 2007/06/21 03:26:10 dashley
|
1715 |
|
|
%Edits.
|
1716 |
|
|
%
|
1717 |
|
|
%Revision 1.18 2007/06/21 03:21:32 dashley
|
1718 |
|
|
%Edits.
|
1719 |
|
|
%
|
1720 |
|
|
%Revision 1.17 2007/06/21 03:09:39 dashley
|
1721 |
|
|
%Edits.
|
1722 |
|
|
%
|
1723 |
|
|
%Revision 1.16 2007/06/14 01:59:36 dashley
|
1724 |
|
|
%Edits.
|
1725 |
|
|
%
|
1726 |
|
|
%Revision 1.15 2007/06/10 18:03:20 dashley
|
1727 |
|
|
%Edits.
|
1728 |
|
|
%
|
1729 |
|
|
%Revision 1.14 2007/06/10 16:04:12 dashley
|
1730 |
|
|
%Edits.
|
1731 |
|
|
%
|
1732 |
|
|
%Revision 1.13 2007/06/10 05:01:40 dashley
|
1733 |
|
|
%Edits.
|
1734 |
|
|
%
|
1735 |
|
|
%Revision 1.12 2007/06/10 03:42:30 dashley
|
1736 |
|
|
%Edits.
|
1737 |
|
|
%
|
1738 |
|
|
%Revision 1.11 2007/06/10 02:30:17 dashley
|
1739 |
|
|
%Initial checkin.phpstatic01.dsf
|
1740 |
|
|
%
|
1741 |
|
|
%Revision 1.10 2007/06/07 20:05:20 dashley
|
1742 |
|
|
%Edits.
|
1743 |
|
|
%
|
1744 |
|
|
%Revision 1.9 2007/06/07 05:03:20 dashley
|
1745 |
|
|
%Edits.
|
1746 |
|
|
%
|
1747 |
|
|
%Revision 1.8 2007/06/06 01:55:08 dashley
|
1748 |
|
|
%Multiply-defined label corrected.
|
1749 |
|
|
%
|
1750 |
|
|
%Revision 1.7 2007/06/06 00:32:07 dashley
|
1751 |
|
|
%Edits.
|
1752 |
|
|
%
|
1753 |
|
|
%Revision 1.6 2007/06/05 15:47:12 dashley
|
1754 |
|
|
%Structural edits.
|
1755 |
|
|
%
|
1756 |
|
|
%Revision 1.5 2007/06/05 00:39:55 dashley
|
1757 |
|
|
%Edits.
|
1758 |
|
|
%
|
1759 |
|
|
%Revision 1.4 2007/06/04 03:26:55 dashley
|
1760 |
|
|
%Edits.
|
1761 |
|
|
%
|
1762 |
|
|
%Revision 1.3 2007/06/03 23:15:27 dashley
|
1763 |
|
|
%Edits.
|
1764 |
|
|
%
|
1765 |
|
|
%Revision 1.2 2007/06/03 07:57:10 dashley
|
1766 |
|
|
%Edits.
|
1767 |
|
|
%
|
1768 |
|
|
%Revision 1.1 2007/06/03 07:16:08 dashley
|
1769 |
|
|
%Initial checkin.
|
1770 |
|
|
%
|
1771 |
|
|
%End of $RCSfile: c_tbg0.tex,v $.
|