Trust in E- and M-Business: Advances Through IT-Security
SACIS Conference 2002, Istanbul, March 19-20
SACIS Conference 2002. Istanbul, Turkey


E- and M-Business are mega-trends that create new business opportunities and offer potential to optimize existing processes. These prominent notions stand for the digital representation of business processes.
Organizations that implement such electronic business processes want to enable ubiquitous access to their services for suppliers, partners, and customers. To achieve this goal, public network infrastructure, e.g. the Internet and wireless networks, is integrated.
Business is based on the principle of trust. Trust services such as authentication, authorization, non-repudiation, and privacy are well established in traditional business. Implementing digitalized business processes over public network infrastructure requires these trust services to be adequately transformed into the digital world.
This presentation examines IT-security technologies to achieve the digital trust services that are required for E-/M-Business.

Published in: Technology, Business

  1. Trust in E- and M-Business: Advances Through IT-Security
     SACIS Conference 2002, Istanbul, March 19-20
  2. Contents
     • Trust Services in Business
     • E-Business
     • Digital Authentication Services
     • Digital Non-Repudiation Services
     • Digital Authorization Services
     • Conclusions
  3. Trust, a Fundamental Principle of Business
     • In the course of business transactions, various parties interact across multiple processing steps.
     • Interacting entities are interested in:
         ◦ Being certain that peers are entitled to execute their operations and services.
         ◦ Preventing peers from denying previous actions or commitments.
         ◦ Being able to resolve disputes that may emerge.
     [Diagram: a basic transaction pattern in business: For Sale, Offer, Acceptance, Payment, Delivery]
     Trust refers to the property that entities behave as agreed, committed, or instructed.
  4. Authorization, a Basic Trust Service
     • Authorization provides the capability to determine entitlement.
     • Authorization requires the granting of rights from an appropriate authority.
     • Authorization services depend on the community of application. They may be established
         ◦ informally (e.g. distributing meeting minutes) or
         ◦ formally (e.g. establishing business contracts).
     Authorization is a fundamental practice in business.
  5. Non-Repudiation, a Basic Trust Service
     • Non-repudiation provides the capability of resolving disputes between interacting entities.
     • Non-repudiation requires specifying an adjudication process to render judgments on disputes.
     • Non-repudiation services depend on the community of application. They may be established
         ◦ informally (e.g. meeting minutes) or
         ◦ formally (e.g. business contracts).
     Non-repudiation is a fundamental practice in business.
  6. Authentication, a Prerequisite for Authorization and Non-Repudiation
     • Authentication provides confidence that entities (e.g. persons, equipment, or documents) are actually those they are claimed to be.
     • Authentication requires presenting the claimed identity and proving its validity.
     • Authentication services depend on the community of application. They may be established
         ◦ informally (e.g. social introduction) or
         ◦ formally (e.g. registration with authorities).
     [Cartoon: "On the Internet, nobody knows you're a dog." © The New Yorker Collection 1993 Peter Steiner from cartoonlink.com. All rights reserved.]
     Authorization and non-repudiation depend on authentication.
  7. New Frontiers: Digital Business Processes
     • E- and M-Business is about the digital representation of business processes.
     • Digitalization opens new dimensions in transforming, automating, and interconnecting business processes.
     • Business process owners implement multiple distribution channels to supply services to their customers.
     • Public networks and corresponding terminals enable ubiquitous service access.
     [Diagram: distribution channels: Retail, Call-Center, Kiosk, Web, WAP, ...]
     Digital business requires digital trust services.
  8. Example: Why Traditional Authentication Fails in Digital Business
     • Information-age challenges:
         ◦ Dematerialization changes the representation of information: 'from molecules to bits'
         ◦ Global networks allow to address new groups of customers: 'from face-to-face to Internet business'
     • Traditional authentication techniques such as handwritten signatures do not meet the automated processing requirements of the Internet era.
     • Risks of keeping traditional authentication techniques:
         ◦ Loss of optimization
         ◦ Loss of security
     [Figure: a travel expense document and its HTML markup]
       Document: Travel Expenses / Flight: 1.000 EUR / Hotel: 500 EUR / Total: 1.500 EUR / Signed: Chief
       Markup: <HTML> <FONT FACE="Courier" SIZE=12> <P><BR>Travel Expenses:</P> ... <P><BR>Signed:</P> ... </HTML>
  9. Digital Authentication Techniques
     • PINs, passwords: Are easy to implement but inherit significant risks of compromise, in particular when utilized to authenticate users against network services.
     • Biometrics: Use immutable characteristics to authenticate human beings. Do not authenticate IT-systems or electronic documents. Utilization to authenticate users against foreign systems cannot be recommended.
     • Cryptographic authentication protocols: Can be employed to authenticate humans, IT-systems, or electronic documents. Particularly suitable for authentication in IT-networks. These are investigated in the following slides.
  10. Cryptographic Authentication Protocols
     • Public key authentication
         ◦ Asymmetric keys are shared between participants.
         ◦ Key distribution requires authenticity.
         ◦ Third parties achieve linear key establishment complexity.
         ◦ E.g.: SSL/TLS entity authentication
     [Diagram labels, public key authentication: Public key certificate, Entity ID, Public key, Private key, Security token, Cryptographic protocol; layers: Infrastructure, Application, Entity, Goal]
     • Shared secret authentication
         ◦ Symmetric keys are shared between participants.
         ◦ Key distribution requires secrecy and authenticity.
         ◦ Third parties achieve linear key establishment complexity.
         ◦ E.g.: HTTP digest authentication
     [Diagram labels, shared secret authentication: Secret-key credentials, Entity ID, Secret key, Security token, Cryptographic protocol; layers: Infrastructure, Application, Entity, Goal]
  11. Advantages of Public Key-Based Schemes
     • Support of non-repudiation: Symmetric schemes do not support the unambiguous identification of message originators.
     • Sharing of objects representing 'entity ID and key' bindings: Symmetric schemes require secrecy:
         ◦ Authentication protocol credentials can typically not be shared.
         ◦ This leads to closed authentication realms and subsequent problems such as the desire for single-sign-on.
         ◦ No generic infrastructure technology for life-cycle management of initial 'entity ID and key' bindings emerged in secret key authentication.
     • Functional trust in key distribution parties is sufficient: Symmetric schemes require unconditional trust in third parties.
  12. A Public Key Authentication Technique: Digital Signatures
     • Realized via public key cryptography:
         ◦ Signatures are created by private key operations. Signing binds documents to originating entities.
         ◦ Signatures are validated by public key operations.
     • Provide marks that authenticate electronic documents persistently. These marks are:
         ◦ Uniquely linked to the signer
         ◦ Capable of identifying the signer
         ◦ Created through means under the sole control of the signer
         ◦ Linked to document content so that changes after signing are detectable.
     [Diagram: the signing party signs the document with its private key; relying parties check the signed document with the public key ("Sign OK?")]
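The contrast drawn on slides 11 and 12, as an added example that is not part of the original presentation: a shared-secret tag (HMAC) can be produced by either key holder, while a public key signature can only be produced with the private key and fails on an altered document. To run with the Python standard library alone, the signature here is a Lamport one-time signature (a hash-based public key scheme, swapped in for the RSA/DSA-style signatures used in practice); the function names and the sample document are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Shared secret authentication: sender and recipient hold the same key.
def mac(shared_key: bytes, doc: bytes) -> bytes:
    return hmac.new(shared_key, doc, hashlib.sha256).digest()

def mac_ok(shared_key: bytes, doc: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(shared_key, doc), tag)

# Public key authentication: Lamport one-time signature (hash-based).
# A key pair must sign exactly one document; signing reveals half the private key.
def keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(h(a), h(b)) for a, b in private]
    return private, public

def digest_bits(doc: bytes):
    d = h(doc)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(private, doc: bytes):
    # Private key operation: reveal one secret per bit of the document digest.
    return [private[i][bit] for i, bit in enumerate(digest_bits(doc))]

def verify(public, doc: bytes, signature) -> bool:
    # Public key operation: needs no secret, so a relying party cannot sign.
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(doc)):
        ok &= hmac.compare_digest(h(signature[i]), public[i][bit])
    return ok

def demo() -> dict:
    # Constructed sample documents, modelled on the travel expense slide.
    doc = b"Travel Expenses Flight: 1.000 EUR Hotel: 500 EUR Total: 1.500 EUR"
    altered = doc.replace(b"1.500", b"9.500")
    shared = secrets.token_bytes(32)
    private, public = keygen()
    sig = sign(private, doc)
    return {
        # Both parties can compute tags, so a valid tag does not identify the originator.
        "mac_from_sender_accepted": mac_ok(shared, doc, mac(shared, doc)),
        "mac_minted_by_recipient_accepted": mac_ok(shared, altered, mac(shared, altered)),
        "signature_accepted": verify(public, doc, sig),
        "signature_on_altered_doc_accepted": verify(public, altered, sig),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The second MAC result is the reason slide 11 says symmetric schemes cannot support non-repudiation: an adjudicator cannot tell which key holder produced a tag.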
  13. Transient vs. Persistent Authentication
     • Transient authentication
         ◦ Capability to synchronously determine authentication.
         ◦ Foundation for authorization services.
         ◦ E.g.: Entity authentication via IPSec/IKE, SSL/TLS
     • Persistent authentication
         ◦ Capability to asynchronously, long-term determine authentication.
         ◦ Foundation for authorization and non-repudiation services.
         ◦ E.g.: Document authentication via PKCS#7/CMS SignedData, XML Signature
     [Diagram labels: Sender, Recipient, Create authentication information, Validation, Synchronous, Asynchronous, Time]
  14. Attention: Digital Signatures Provide Authentication, Not Non-Repudiation
     • Digital signatures are the best-current-practice authentication technology for electronic documents providing
         ◦ persistent authentication of document contents and
         ◦ persistent authentication of document origin.
     • Non-repudiation depends on persistent authentication. But it requires a framework of agreements exceeding document authentication. Non-repudiation policies have to deal with:
         ◦ Agreement: Establishment of agreed dispute settling rules.
         ◦ Arbitration: Dispute settling according to rules established before.
         ◦ Intent: Proof that participants intended to perform binding transactions.
         ◦ Understanding: Participants have to understand the implications of their actions. This includes an understanding of the technical solution and its constraints.
  15. Non-Repudiation vs. Authentication
     [Diagram: signed docs within an authentication framework]
     • Authentication through digital signatures: IT-systems exchange signed messages to establish document authentication.
     [Diagram: business transactions via signed documents within a non-repudiation framework]
     • Non-repudiation on the basis of digital signatures: Individual and legal entities exchange signed documents within a non-repudiation policy framework to establish binding agreements.
  16. Current State-of-Affairs in Non-Repudiation
     • Non-repudiation services on the basis of digital signatures require the establishment of a security policy framework. It has to refer to the participant community and the relevance of the exchanged documents.
     • Non-repudiation policies may be established through digital signature laws or 'freedom of contract' approaches.
     • Currently, the E-Business market is reluctant to realize non-repudiation services on the basis of digital signatures. Recognized barriers:
         ◦ Infrastructure availability (PKI and security token)
         ◦ Signature-awareness of business processes
         ◦ Interoperability (at various levels)
         ◦ User education
         ◦ Legal issues
         ◦ No clear understanding of the appropriate 'price' for the feature of persistent document authentication and the ability to defend repudiation.
  17. Authorization Services
     • Facilitate the protection of IT-resources against unauthorized access by determining whether access requests are to be granted.
     • Depend on transient or persistent authentication.
     • Enforce security policies that define authorizations on the basis of subjects, resources, and types of requested access.
     [Diagram labels: Requestor, Policy enforcement, Resources, Policy decision, Repository (policy data), Policy administration]
  18. Authorization in the Web Environment: Common Architecture
     [Diagram labels: Clients (Home, hotel, ...; Office; Mobile; ...), Internet connectivity (PSTN, IP network, PSTN, Intranet), External networks, Internal networks, Policy enforcement point, Policy decision point, Repository, Policy administration point, Target services]
  19. Authorization in the Web Environment: Current Practices
     • Client authentication mechanisms:
         ◦ Shared secret-based authentication:
             ▪ HTML form fields (passwords transferred as plaintext)
             ▪ HTTP cookies (prohibited as authentication mechanism by RFC 2964)
             ▪ HTTP Digest authentication (passwords transferred in digested form)
             ▪ HTTP Basic authentication (passwords transferred in Base64 encoding)
         ◦ Public key-based authentication: May be realized through SSL/TLS (transient authentication) and/or application-layer signing (persistent authentication).
         ◦ Despite its advantages, public key-based client authentication is significantly less common than shared secret-based schemes.
     • Backend integration: Policy enforcement points intercept and inspect resource requests to perform access control on behalf of target servers.
     • Repository systems:
         ◦ Data base systems (e.g. RDBMS)
         ◦ LDAP-based directories
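What "Base64 encoding" versus "digested form" means on the wire, as an added example that is not part of the original presentation: the Basic header decodes straight back to the password, while the Digest response is a hash bound to the server's nonce. The helper names are constructed for illustration; the sample credentials and expected values are the worked examples published in RFC 2617, and the Digest computation follows that RFC's `qop=auth` rule with MD5.

```python
import base64
import hashlib
import hmac

def basic_header(user: str, password: str) -> str:
    # HTTP Basic: "user:password" in Base64. An encoding, not a protection.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def recover_from_basic(header: str):
    # Anyone who can read the header obtains the password without any key.
    _scheme, token = header.split(" ", 1)
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    # HTTP Digest (RFC 2617, qop=auth): only this hash crosses the network.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_accepts(response: str, expected_nonce: str, **fields) -> bool:
    # The server recomputes the response for the nonce it issued, so a
    # response captured for an earlier nonce does not validate.
    expected = digest_response(nonce=expected_nonce, **fields)
    return hmac.compare_digest(response, expected)

# Sample values taken from the examples in RFC 2617.
RFC_FIELDS = dict(user="Mufasa", realm="testrealm@host.com",
                  password="Circle Of Life", method="GET",
                  uri="/dir/index.html", nc="00000001", cnonce="0a4f113b")
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

if __name__ == "__main__":
    hdr = basic_header("Aladdin", "open sesame")
    print(hdr, "->", recover_from_basic(hdr))
    resp = digest_response(nonce=RFC_NONCE, **RFC_FIELDS)
    print("Digest response:", resp)
    print("accepted for issued nonce:", server_accepts(resp, RFC_NONCE, **RFC_FIELDS))
    print("accepted for a new nonce:", server_accepts(resp, "0" * 32, **RFC_FIELDS))
```

Both schemes remain shared secret-based in the sense of slide 10: the server must hold the password or a value derived from it.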
  20. Authorization in the Web Environment: Shortcomings and Technology Initiatives
     • Shortcomings:
         ◦ Substandard client authentication practices.
         ◦ Proprietary authorization and entitlement systems.
         ◦ Support of cross trust domain exchange of authorization information.
         ◦ Target servers are authorization service unaware.
     • Technology initiatives:
         ◦ Attribute certificates: X.509-based objects to bind descriptive data items to identifiers of subjects or public key certificates. X.509 attribute certificates
             ▪ express properties regarding attributes
             ▪ are issued by an attribute certificate authority.
         ◦ SAML (Security Assertion Markup Language): XML-based language for exchanging authentication and authorization information between trust domains. SAML assertions
             ▪ express properties regarding attributes, authentication, or authorization
             ▪ are issued by a SAML authority
             ▪ can be digitally signed.
  21. Conclusions
     • Today's E-Business trust paradigm seems to be: we trust ... nothing will go wrong
     • Get focused: infrastructure follows applications
     • Trust services for E-Business are of supreme IT-strategy relevance
     • State-of-the-art regarding trust services in E-Business:
         ◦ Authentication: Shared secret-based approaches are commonplace; public key-based client or document authentication schemes are rarely deployed.
         ◦ Non-repudiation: Literally unsolved as of today.
         ◦ Authorization: Monolithic, proprietary authorization and entitlement systems are common. Cross trust domain authorization is hard.
     Even if E-Business owners feel they do not have to rush into realizations (and there are some good reasons), it is their duty to analyze the impact of trust services for their business. Otherwise they are deciding to do a random walk.
     Most of the past discussions have been too infrastructure-centric.
  22. Abbreviations
     • CMS: Cryptographic Message Syntax
     • HTML: HyperText Markup Language
     • HTTP: HyperText Transfer Protocol
     • ID: Identifier
     • IKE: Internet Key Exchange
     • IP: Internet Protocol
     • IPSec: IP Security
     • IT: Information Technology
     • LDAP: Lightweight Directory Access Protocol
     • PIN: Personal Identification Number
     • PKCS: Public Key Cryptography Standards
     • PKI: Public Key Infrastructure
     • PKIX: PKI-X.509
     • PSTN: Public Switched Telephony Network
     • RDBMS: Relational Data Base Management System
     • RFC: Request For Comments
     • SAML: Security Assertion Markup Language
     • SSL: Secure Sockets Layer
     • TLS: Transport Layer Security
     • WAP: Wireless Application Protocol
     • XML: eXtensible Markup Language
     • XMLDSig: XML Digital Signatures
  24. Author Information
     • Dr. Oliver Pfaff
     • Siemens AG
     • Information and Communication Networks
     • Charles-De-Gaulle-Str. 2
     • D-81730 Munich
     • E-Mail: oliver.pfaff@icn.siemens.de
     • Telephone: +49.89.722.53227
     • Mobile: +49.172.8250805
