Security technology, the latest
Transcript

  • 1. Security technology, the latest & greatest(?) March 23, 2004 Alan Harbitter, Ph.D. CTO, PEC Solutions, Inc. [email_address]
    • Security issues in a service-oriented architecture
    • GJXDM 3.0 security metadata
    • Underlying need for PKI
  • 2. Service Oriented Architecture—Whut tha? [diagram: Internal Network; Sheriff’s database; Court database; “Hey, what do you know about this guy who was arrested?”; “Hey, what do you know about this guy who was tried?”]
  • 3. Service Oriented Architecture—Whut tha? [diagram: Internet or Intranet; Sheriff’s database; Court database; SOAP/XML over HTTP; Registry of Services (UDDI, WSDL); “I have info you might be interested in!” “So do I!”]
  • 4. Security Demands for the SOA
    • Confidentiality: Protect specific fields and documents in XML
    • Integrity: Information is valid and undisturbed
    • Availability: Critical services remain up and running
    • Authentication: Know who you’re talking to on an enterprise-wide basis
  • 5. What’s Available and Why It’s Lacking
    • SSL
      • Indiscriminately covers an entire session, and only on a user-to-server basis
    • Digital Signature
      • Good but relies on interoperable PKIs
    • Dumb Firewalls
      • Only looks at the network level and misses the threat
    • UserID/Password
      • Still the most common way to get access
      • No enterprise-wide standardization
      • No accommodation for role-based access control
      • Lightweight security
  • 6. What We Need
    • Fine grained encryption in web services
    • Enterprise standards for digital credentials—a law enforcement standard for digital credentials
    • “Application aware” firewalls
    • Cooperation among PKI owner-operators
    • Mature standards and tools for developers
    • Peace on Earth
  • 7. Standards-based approaches: SAML
    • OASIS standard based on XML
    • Includes assertions for
      • Authentication (e.g., I authenticated through RISS or ARJIS, …)
      • Attributes (e.g., I’m a member of ATIX)
      • Authorization
    • Extensible
    • Incorporates XML digital signature standards
    • It’s pretty new (version 1.1 is under consideration)
    Source: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), OASIS Standard, 5 November 2002
  • 8. Security in GJXDM 3.0
  • 9. “ New” Role for Public Key Infrastructure (PKI)
  • 10. PKI: A complex mixture of people, process, and computers [diagram: Certification Authority; Registration Authority; End User; Key Exchange; Enrollment (bind people to digital certificates); Key, CRL Requests; Directory Updates; Certification Authority Facility; Directory; Revocation]
  • 11. “You’re all going to need PKI” [diagram: SAML Assertions; WS Security XML message; “Trustable” signatures needed here and here]
    <Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
        <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
      <KeyInfo>
        <KeyValue>
          <DSAKeyValue>
            <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
          </DSAKeyValue>
        </KeyValue>
      </KeyInfo>
    </Signature>
  • 12. Summary and Closing Remarks
    • If there’s one thing that’s secure, it’s my job
      • Increased emphasis on sharing complicates security
      • Assurance level is still not measurable
    • Security tools and standards are emerging, but struggling to keep up
      • Fear not, there are ways to implement good security solutions
    • PKI: Now, more than ever
    • References: http://www.ijis.org/library/reports/infosec4ijis3-19-02.pdf
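Slide 11 shows the XML Signature structure whose per-Reference DigestValue is what lets a receiver check that a SAML assertion or a WS-Security message body arrived undisturbed. The following is an added example (not from the presentation or PEC Solutions) of that reference-validation step, using constructed sample payloads and hashing raw bytes in place of the xml-c14n canonicalization a real verifier would apply first.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG_NS}

# Constructed sample payloads: the two things the slide says need
# "trustable" signatures, keyed by the URI a <Reference> would point at.
DOCUMENTS = {
    "#saml-assertion": b"<saml:Assertion ID='a1'>subject=jdoe</saml:Assertion>",
    "#soap-body": b"<soap:Body>query=arrest-record 1234</soap:Body>",
}

def sha1_digest_b64(data):
    """DigestValue as XMLDSig encodes it: base64 of the SHA-1 of the octets."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def build_signature_xml(documents):
    """Build a <Signature> in the shape shown on the slide. Assumed
    simplification: SignatureValue/KeyInfo are placeholders, since only
    the per-Reference digests are exercised here."""
    refs = "".join(
        f'<Reference URI="{uri}">'
        f'<DigestMethod Algorithm="{DSIG_NS}sha1"/>'
        f"<DigestValue>{sha1_digest_b64(data)}</DigestValue>"
        "</Reference>"
        for uri, data in documents.items()
    )
    return (
        f'<Signature xmlns="{DSIG_NS}"><SignedInfo>'
        f'<SignatureMethod Algorithm="{DSIG_NS}dsa-sha1"/>{refs}'
        "</SignedInfo><SignatureValue>PLACEHOLDER</SignatureValue></Signature>"
    )

def validate_references(signature_xml, resolver):
    """Reference validation from XMLDSig core validation: recompute each
    Reference's digest from the resolved content and compare it with the
    stated DigestValue. Returns {uri: bool}; an unresolvable URI fails."""
    root = ET.fromstring(signature_xml)
    results = {}
    for ref in root.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI")
        stated = ref.findtext("ds:DigestValue", default="", namespaces=NS).strip()
        data = resolver.get(uri)
        results[uri] = data is not None and sha1_digest_b64(data) == stated
    return results

if __name__ == "__main__":
    sig = build_signature_xml(DOCUMENTS)
    print(validate_references(sig, DOCUMENTS))            # both True
    tampered = dict(DOCUMENTS, **{"#soap-body": b"<soap:Body>query=arrest-record 9999</soap:Body>"})
    print(validate_references(sig, tampered))             # #soap-body False
```

Reference validation only proves the referenced octets match the digests; binding those digests to a signer still requires validating SignatureValue against a key the receiver trusts, which is the PKI dependency the slide is pointing at.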