Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Security technology, the latest

760 views

Published on

  • Be the first to comment

  • Be the first to like this

Security technology, the latest

  1. 1. Security technology, the latest & greatest(?) March 23, 2004 Alan Harbitter, Ph.D. CTO, PEC Solutions, Inc. [email_address] <ul><li>Security issues in a service-oriented architecture </li></ul><ul><li>GJXDM 3.0 security metadata </li></ul><ul><li>Underlying need for PKI </li></ul>
  2. 2. Service Oriented Architecture—Whut tha? Internal Network Sheriff’s database Hey, What do you know about this guy who was arrested? Hey, What do you know about this guy who was tried? Court database
  3. 3. Service Oriented Architecture—Whut tha? Internet or Intranet Sheriff’s database Court database SOAP/XML over HTTP <ul><li>Registry of Services </li></ul><ul><li>--- </li></ul><ul><li>--- </li></ul>I have info you might be interested in! So do I! UDDI WSDL UDDI WSDL
  4. 4. Security Demands for the SOA <ul><li>Confidentiality: Protect specific fields and documents in XML </li></ul><ul><li>Integrity: Information is valid and undisturbed </li></ul><ul><li>Availability: Critical services remain up and running </li></ul><ul><li>Authentication: Know who you’re talking to on a enterprise-wide basis </li></ul>
  5. 5. What’s Available and Why It’s Lacking <ul><li>SSL </li></ul><ul><ul><li>Indiscriminately covers an entire session and on a user to server basis </li></ul></ul><ul><li>Digital Signature </li></ul><ul><ul><li>Good but relies on interoperable PKIs </li></ul></ul><ul><li>Dumb Firewalls </li></ul><ul><ul><li>Only looks at the network level and misses the threat </li></ul></ul><ul><li>UserID/Password </li></ul><ul><ul><li>Still the most common way to get access </li></ul></ul><ul><ul><li>No enterprise wide standardization </li></ul></ul><ul><ul><li>No accommodation for role based access control </li></ul></ul><ul><ul><li>Lightweight security </li></ul></ul>
  6. 6. What We Need <ul><li>Fine grained encryption in web services </li></ul><ul><li>Enterprise standards for digital credentials—a law enforcement standard for digital credentials </li></ul><ul><li>“Application aware” firewalls </li></ul><ul><li>Cooperation among PKI owner-operators </li></ul><ul><li>Mature standards and tools for developers </li></ul><ul><li>Peace on Earth </li></ul>
  7. 7. Standards-based approaches: SAML <ul><li>OASIS standard based on XML </li></ul><ul><li>Includes assertions for </li></ul><ul><ul><li>Authentication (e.g., I authenticated thru RISS or ARJIS, …) </li></ul></ul><ul><ul><li>Attributes (e.g. I’m a member of ATIX) </li></ul></ul><ul><ul><li>Authorization </li></ul></ul><ul><li>Extensible </li></ul><ul><li>Incorporates XML digital signature standards </li></ul><ul><li>It’s pretty new (version 1.1 is under consideration) </li></ul>Source: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), OASIS Standard, 5 November 2002
  8. 8. Security in GJXDM 3.0
  9. 9. “ New” Role for Public Key Infrastructure (PKI)
  10. 10. PKI: A Complex mixtures of people, process, and computers Certification Authority Registration Authority End User Key Exchange Enrollment (bind people to digital certificates) Key, CRL Requests Directory Updates Certification Authority Facility Directory Revocation
  11. 11. “You’re all going to need PKI” SAML Assertions WS Security XML message [s01] <Signature Id=&quot;MyFirstSignature&quot; xmlns=&quot;http://www.w3.org/2000/09/xmldsig#&quot;> [s02] <SignedInfo> [s03] <CanonicalizationMethod Algorithm=&quot;http://www.w3.org/TR/2001/REC-xml-c14n-20010315&quot;/> [s04] <SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#dsa-sha1&quot;/> [s05] <Reference URI=&quot;http://www.w3.org/TR/2000/REC-xhtml1-20000126/&quot;> [s06] <Transforms> [s07] <Transform Algorithm=&quot;http://www.w3.org/TR/2001/REC-xml-c14n-20010315&quot;/> [s08] </Transforms> [s09] <DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/> [s10] <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue> [s11] </Reference> [s12] </SignedInfo> [s13] <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue> [s14] <KeyInfo> [s15a] <KeyValue> [s15b] <DSAKeyValue> [s15c] <P>...</P><Q>...</Q><G>...</G><Y>...</Y> [s15d] </DSAKeyValue> [s15e] </KeyValue> [s16] </KeyInfo> [s17] </Signature> “ Trustable” signatures needed here and here
  12. 12. Summary and Closing Remarks <ul><li>If there’s one thing that’s secure, it’s my job </li></ul><ul><ul><li>Increased emphasis on sharing complicates security </li></ul></ul><ul><ul><li>Assurance level is still not measurable </li></ul></ul><ul><li>Security tools and standards are emerging, but struggling to keep up </li></ul><ul><ul><li>Fear not, there are ways to implement good security solutions </li></ul></ul><ul><li>PKI: Now, more than ever </li></ul><ul><li>References: http://www.ijis.org/library/reports/infosec4ijis3-19-02.pdf </li></ul>

×