
Page 1

1/26/98 - 1 PKI and IntraVerse

PKI for Electronic Commerce

DASCOM

3004 Mission Street

Santa Cruz, CA 95060 USA

+1-408-460-3600

Page 2

Agenda

• Motivation for PKI
• How PKI (and DCE) can provide
  – Authentication
  – Authorization
  – Single sign-on
• Case Studies
  – IntraVerse and Electronic Commerce
  – IntraVerse and Kiosks

Page 3

Internet Era Challenges

[Diagram: Corporate Data (Corporate Financial Data, Personnel information, Marketing Information) surrounded by Strategic Customers, Employees, Casual Customers and Business Partners.]

Tight coupling between you and your partners and strategic customers

Page 4

Internet Business Success

• Depends on a PKI solution that provides:
  – Security for legacy clients and modern browser-based clients
  – Single sign-on via the Web
  – Extranets and mobile VPNs
• PKI must coexist with:
  – Highly available, secure web clusters
• Multiple applications across multiple systems
• Web servers are the mid-tier of the Internet

Page 5

Security Requirements

Corporate Data Access Tools:
· Browsers
· Light-weight Clients

Users require:
· Ease of use
· Ease of access
· Flexibility
· Ubiquity
· Openness
· Security

Security Infrastructure:
· Authentication
· Authorization
· Data Integrity
· Data Privacy
· Auditing

Page 6

Intranet Infrastructure

[Diagram: User Registries (multiple); Security & Policy; Web Content & Applications; Availability, Scalability, Performance; Audit & Logging; Admin & Management; Web Servers & Proxies.]

PKI Must Support Intranet Infrastructure

Page 7

Legacy Business Applications

• Access via proprietary client.
• No (Limited) Web access
• Large number of users, but difficult deployment
• Mission Critical

[Diagram: Database Proprietary Client; Database Server Application.]

Page 8

Large Scale Web Infrastructure for Business Applications

• Application integrated with Web via mid-tier gateway.
• Web access from browser to mid-tier gateway.
• Application-specific security enforced by database server
• Enables Network Centric IT Infrastructure
• HTTP services as important as telephone dial tone.

[Diagram: Database / Application and Web Integration. Web Browser; Web Mid-Tier Gateway (Oracle WebListener, Forte WebSDK, NeXT WebObjects, Lotus Domino); Database Server Application; IntraVerse (WebSEAL, NetSEAL, PKMS).]

Page 9

Multiple Paths to Application

[Diagram: Browser, Web Server and WebSEAL on one path; Database Proprietary Client and NetSEAL on the other; both reach the Database Server Application.]

You may have two paths, but you want one:
• Authorization service
• Authentication service

Page 10

Single Sign-on to the Web

• Sign-on to Web servers via Basic Authentication, Digest Authentication, and X.509/SSL
• Sign-on to applications via authenticated CGI variables

[Diagram: Browser; WebSEAL; Web Servers reached via Basic Auth, Digest Auth and X.509 SSL; Mid-Tier Server with Gateway and Mid-Tier Apps. Label: Authenticated Identity passed via CGI to Business App.]

Page 11

Extranets and VPNs

• Bring in new partners and customers
  – Security external to internal networks
  – Rapidly deployed, rapidly removed

[Diagram: Browsers; Internet; Firewalls; WebSEAL; Web Servers; Secured Web Content and Apps.]

Page 12

High Availability Requirements

• Management of servers
  – SNMP for network management console
  – Caching of information across servers
• Management of security across replicated servers
  – Session versus single transaction applications
  – Unified access control management
• Move single point of failure towards client

Page 13

• Front-end Proxy Server:
  – Authentication and access control.
  – Scalable, unified Web space.
• Replica front-end Proxy Servers for high availability.
• Mirrored back-end servers provide high availability:
  – Back-end load balancing.
  – Back-end fault tolerance.
• Remote access from:
  – Unauthenticated client.
  – Authenticated client with SSL.

[Diagram: SSL-Enabled Browser; Browser; Internet; WebSEAL Server Primary; WebSEAL Server Replica; Apache Server; Netscape Server; Mirrored Netscape Servers; Mirrored Apache Servers.]

Page 14

• Add replica front-end Proxy Server (mirrored resources).
• Fault tolerant front-end preserves:
  – High availability during server failure.
  – Unified Web space.
• Web site gains:
  – Front-end load balancing.
  – Fault tolerance.
  – High availability.
  – Scalability.

[Diagram: Firewall; Primary WebSEAL Server; Replica WebSEAL Server; Apache Server; Netscape Server.]

Page 15

Authentication and Authorization

• Three components:
  – User identity
    • Authenticate using public-key technology
    • Static user identity
  – User’s credentials
    • Groups and roles based on authenticated identity
    • Under real-time central control
      – Context sensitive
      – Dynamic
  – Authorization policy based on credentials

Page 16

Policy Management

[Diagram: Template Definition; Template Attachment; Policy; Secured Web (WebSEAL); Secured Legacy (NetSEAL); Generic Application; Authorization API.]

Page 17

PKMS SSL V2 Login

1. Client authenticates via dce_login over SSL
2. PKMS logs in user and gets DCE credentials (PAC)
3. NetSEAL uses credentials (PAC) for access control

[Diagram: Client application that supports SSL; NetSEAL/WebSEAL with PKMS support; IntraVerse (DCE) Security Server; Back-end server application.]

Page 18

PKMS SSL V3 Authentication

1. NetSEAL downloads local CA and CRL info
2. Client and PKMS use X.509 over SSL V3.
3. NetSEAL "accepts Cert"
4. NetSEAL obtains Credentials
5. NetSEAL uses credentials for access control

[Diagram: Client application that supports SSL V3; NetSEAL/WebSEAL with PKMS support; IntraVerse Config & Security Servers; CA CRL Service (accessed via CDSA); Back-end server application.]

Page 19

Authenticated ID Broker

[Diagram: User; NetSEAL; Security Server; Back-end Application Server. Labels: Use one method to Authenticate; Obtain application specific account info; Pass credentials to application.]

Page 20

Authorization Service

• Based on DCE ACLs
• Replicated database shared across all protected services
  – Tightly coupled with the authorization service
• Independent of the method used for authorization
• Extensible
  – Integrate legacy authorization services

Page 21

IntraVerse ACL Bits

• ACLs Control
  – Users' ability to access protected objects
  – Administrators' ability to
    • Set ACLs on other objects
    • Manage servers
    • Manage users
  – IntraVerse NetSEAL / WebSEAL servers' ability to delegate user’s credentials
• ACLs are context specific

Page 22

ACL Templates

• Allows you to
  – Create and modify the ACLs on an object
  – Determine where ACLs are used

Page 23

Named ACLs

• Use “Named ACLs” to create a template of an ACL
• Drag and drop the template onto the objects you want to protect.

Page 24

Future Extensions

[Diagram: SSL-enabled client; IntraVerse Server; TKT Granting Service; Registry (LDAP, ODBC); Master Authorization Policy Database (LDAP); Local Authorization DB; Management Console; CDSA PKI; Cert Processing. Arrow labels: Authenticate; Access Credentials; Manage Policy.]

Page 25

Case Studies

• Electronic Commerce
  – Large-scale, highly-available, secure point-of-presence on the Internet
  – Internet distribution of business applications
  – Single sign-on and access controls
• Kiosks
  – Publicly available secure transactions
  – Geographic distribution of customized content

Page 26

Electronic Commerce

Page 27

Canon Architecture

[Diagram: 10,000-100,000 users (Browsers); 1-10 Servers PKMS-SSL-NAT; 10-100 Servers PKMS-WebSEAL; 10-100 Servers Art Gallery, ImageBank, PrintShop, etc. (Art Gallery Servers, Image Bank Servers, Shop Servers, Print Shop Server).]

Page 28

Phase 1 Deployment

[Diagram: 1000-10,000 users (Browsers); PIX Firewall; 2 Servers PKMS-WebSEAL, with SSL-NAT colocated on WebSEAL Server (PKMS-SSL-NAT); 2 Servers Art Gallery (Art Gallery Servers); DB Server.]

Page 29

New World Telephone Kiosks

[Workflow diagram. Labels: Content Provider Produce Raw Media Asset; Insert into Asset DB (Asset); Generate Submission Req email to Project Mgr; Project Mgr Review; Preview; MKSP POP; Signoff & Submit to Content Authority; Signoff & Submit to Content DB with Distribution Time Stamp (MK Content); Distribute to Kiosks Multiple Times; Multimedia Kiosks.]

Page 30

The Power Phone System

[Diagram: Power Phones; Sponsor Power Phone Network; Middle Tier Server; Middle Tier Cache; Transaction Gateways; Content Server; Commit Server; Data Centre; Credit Bureau/Bank; Content Quality Assurance; Content Submission; Web Authoring Workstation; Advertiser's Intranet; Advertiser's Exported Web Space. Links: Frame Relay/MAN; Leased Lines; Leased Lines/Internet.]