1/26/98 - 1 PKI and IntraVerse
PKI for Electronic Commerce
DASCOM
3004 Mission Street
Santa Cruz, CA 95060 USA
+1-408-460-3600
1/26/98 - 2 PKI and IntraVerse
Agenda
• Motivation for PKI
• How PKI (and DCE) can provide
  – Authentication
  – Authorization
  – Single sign-on
• Case Studies
  – IntraVerse and Electronic Commerce
  – IntraVerse and Kiosks
1/26/98 - 3 PKI and IntraVerse
Internet Era Challenges
Corporate Data
• Corporate Financial Data
• Personnel information
• Marketing Information
[Diagram labels: Strategic Customers; Employees; Casual Customers; Business Partners]
Tight coupling between you and your partners and strategic customers
1/26/98 - 4 PKI and IntraVerse
Internet Business Success
• Depends on a PKI solution that provides:
  – Security for legacy clients and modern browser-based clients
  – Single sign-on via the Web
  – Extranets and mobile VPNs
• PKI must coexist with:
  – Highly available, secure web clusters
    • Multiple applications across multiple systems
    • Web servers are the mid-tier of the Internet
1/26/98 - 5 PKI and IntraVerse
Security Requirements
Corporate Data Access Tools:
• Browsers
• Light-weight Clients
Users require:
• Ease of use
• Ease of access
• Flexibility
• Ubiquity
• Openness
• Security
Security Infrastructure:
• Authentication
• Authorization
• Data Integrity
• Data Privacy
• Auditing
1/26/98 - 6 PKI and IntraVerse
Intranet Infrastructure
[Diagram labels: User Registries (multiple); Security & Policy; Web Content & Applications; Availability, Scalability, Performance; Audit & Logging; Admin & Management; Web Servers & Proxies]
PKI Must Support Intranet Infrastructure
1/26/98 - 7 PKI and IntraVerse
Legacy Business Applications
• Access via proprietary client.
• No (Limited) Web access
• Large number of users, but difficult deployment
• Mission Critical
[Diagram labels: Database Server Application; Database Proprietary Client]
1/26/98 - 8 PKI and IntraVerse
Large Scale Web Infrastructure for Business Applications
• Application integrated with Web via mid-tier gateway.
• Web access from browser to mid-tier gateway.
• Application-specific security enforced by database server
• Enables Network Centric IT Infrastructure
• HTTP services as important as telephone dial tone.
[Diagram: Database / Application and Web Integration. Labels: Web Browser; Database Server Application; Web Mid-Tier Gateway (Oracle WebListener, Forte WebSDK, NeXT WebObjects, Lotus Domino); IntraVerse WebSEAL, NetSEAL, PKMS]
1/26/98 - 9 PKI and IntraVerse
Multiple Paths to Application
[Diagram labels: Database Server Application; Database Proprietary Client; Web Server; Browser; WebSEAL; NetSEAL]
You may have two paths, but you want one:
• Authorization service
• Authentication service
1/26/98 - 10 PKI and IntraVerse
Single Sign-on to the Web
• Sign-on to Web servers via Basic Authentication, Digest Authentication, and X.509/SSL
• Sign-on to applications via authenticated CGI variables
[Diagram labels: Browser; Basic Auth, Digest Auth, X.509 SSL; WebSEAL; Web Server; Mid-Tier Server; Gateway; Mid-Tier Apps; Authenticated Identity passed via CGI to Business App]
1/26/98 - 11 PKI and IntraVerse
Extranets and VPNs
• Bring in new partners and customers
  – Security external to internal networks
  – Rapidly deployed, rapidly removed
[Diagram labels: Browser; Internet; Firewall; WebSEAL; Web Server; Secured Web Content and Apps]
1/26/98 - 12 PKI and IntraVerse
High Availability Requirements
• Management of servers
  – SNMP for network management console
  – Caching of information across servers
• Management of security across replicated servers
  – Session versus single transaction applications
  – Unified access control management
• Move single point of failure towards client
1/26/98 - 13 PKI and IntraVerse
• Front-end Proxy Server:
  – Authentication and access control.
  – Scalable, unified Web space.
• Replica front-end Proxy Servers for high availability.
• Mirrored back-end servers provide high availability:
  – Back-end load balancing.
  – Back-end fault tolerance.
• Remote access from:
  – Unauthenticated client.
  – Authenticated client with SSL.
[Diagram labels: SSL-Enabled Browser; Browser; Internet; WebSEAL Server Primary; WebSEAL Server Replica; Apache Server; Netscape Server; Mirrored Netscape Servers; Mirrored Apache Servers]
1/26/98 - 14 PKI and IntraVerse
• Add replica front-end Proxy Server (mirrored resources).
• Fault tolerant front-end preserves:
  – High availability during server failure.
  – Unified Web space.
• Web site gains:
  – Front-end load balancing.
  – Fault tolerance.
  – High availability.
  – Scalability.
[Diagram labels: Firewall; Primary WebSEAL Server; Replica WebSEAL Server; Apache Server; Netscape Server]
1/26/98 - 15 PKI and IntraVerse
Authentication and Authorization
• Three components:
  – User identity
    • Authenticate using public-key technology
    • Static user identity
  – User’s credentials
    • Groups and roles based on authenticated identity
    • Under real-time central control
      – Context sensitive
      – Dynamic
  – Authorization policy based on credentials
1/26/98 - 16 PKI and IntraVerse
Policy Management
[Diagram labels: Template Definition; Template Attachment; Policy; Secured Web (WebSEAL); Secured Legacy (NetSEAL); Generic Application; Authorization API]
1/26/98 - 17 PKI and IntraVerse
PKMS SSL V2 Login
1. Client authenticates via dce_login over SSL
2. PKMS logs in user and gets DCE credentials (PAC)
3. NetSEAL uses credentials (PAC) for access control
[Diagram labels: Client application that supports SSL; NetSEAL/WebSEAL with PKMS support; IntraVerse (DCE) Security Server; Back-end server application]
1/26/98 - 18 PKI and IntraVerse
PKMS SSL V3 Authentication
1. NetSEAL downloads local CA and CRL info
2. Client and PKMS use X.509 over SSL V3.
3. NetSEAL "accepts Cert"
4. NetSEAL obtains Credentials
5. NetSEAL uses credentials for access control
[Diagram labels: Client application that supports SSL V3; NetSEAL/WebSEAL with PKMS support; IntraVerse Config & Security Servers; CA CRL Service (accessed via CDSA); Back-end server application]
1/26/98 - 19 PKI and IntraVerse
Authenticated ID Broker
[Diagram labels: User; Security Server; NetSEAL; Back-end Application Server. Captions: Use one method to Authenticate; Obtain application specific account info; Pass credentials to application]
1/26/98 - 20 PKI and IntraVerse
Authorization Service
• Based on DCE ACLs
• Replicated database shared across all protected services
  – Tightly coupled with the authorization service
• Independent of the method used for authorization
• Extensible
  – Integrate legacy authorization services
1/26/98 - 21 PKI and IntraVerse
IntraVerse ACL Bits
• ACLs Control
  – Users' ability to access protected objects
  – Administrators' ability to
    • Set ACLs on other objects
    • Manage servers
    • Manage users
  – IntraVerse NetSEAL / WebSEAL servers' ability to delegate user’s credentials
• ACLs are context specific
ACL Templates
• Allows you to
  – Create and modify the ACLs on an object
  – Determine where ACLs are used
1/26/98 - 23 PKI and IntraVerse
Named ACLs
• Use “Named ACLs” to create a template of an ACL
• Drag and drop the template onto the objects you want to protect.
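An added illustration, not part of the original slides or of IntraVerse: a small Python model of steps 1 and 3 to 5 of the PKMS SSL V3 flow together with Named ACL templates attached to protected objects. The certificate fields, registry, ACL names, permission names and the deny-by-default rule are constructed assumptions; chain and signature validation is assumed to happen in the SSL layer.

```python
# Toy model (constructed data and names) of: accept cert -> obtain
# credentials -> authorize against a named ACL attached to the object.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:  # fields the gateway inspects after the SSL V3 handshake
    subject: str
    issuer: str
    serial: int


# Step 1: CA and CRL info held by the gateway (constructed sample values)
TRUSTED_CAS = {"CN=Example Local CA"}
CRL = {("CN=Example Local CA", 1002)}  # revoked (issuer, serial) pairs

# Central registry: authenticated identity -> groups (the user's credentials)
REGISTRY = {"CN=alice": {"partners"}, "CN=bob": {"staff"}}

# Named ACL templates, and which template is attached to which object
NAMED_ACLS = {"partner-read": {"partners": {"read"}, "staff": {"read", "write"}}}
ATTACHMENTS = {"/orders": "partner-read", "/catalog": "partner-read"}


def accept_cert(cert):
    """Step 3: accept only certs from a known CA that are not on the CRL."""
    return cert.issuer in TRUSTED_CAS and (cert.issuer, cert.serial) not in CRL


def obtain_credentials(cert):
    """Step 4: map the authenticated subject to centrally held groups."""
    return frozenset(REGISTRY.get(cert.subject, ()))


def authorize(groups, obj, permission):
    """Step 5: check the named ACL attached to obj; no attached ACL means deny
    (an assumption of this example)."""
    acl = NAMED_ACLS.get(ATTACHMENTS.get(obj), {})
    return any(permission in acl.get(group, ()) for group in groups)


def handle_request(cert, obj, permission):
    """Run steps 3-5 in order; a rejected cert never reaches the registry."""
    if not accept_cert(cert):
        return "reject-cert"
    groups = obtain_credentials(cert)
    return "allow" if authorize(groups, obj, permission) else "deny"
```

Because every protected object refers to the template by name, editing one template changes the decision for all objects it is attached to.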
1/26/98 - 24 PKI and IntraVerse
Future Extensions
[Diagram labels: SSL-enabled client; IntraVerse Server; TKT Granting Service; Registry (LDAP, ODBC); Master Authorization Policy Database (LDAP); Local Authorization DB; Management Console; CDSA PKI Cert Processing. Arrow labels: Authenticate; Access Credentials; Manage Policy]
1/26/98 - 25 PKI and IntraVerse
Case Studies
• Electronic Commerce
  – Large-scale, highly-available, secure point-of-presence on the Internet
  – Internet distribution of business applications
  – Single sign-on and access controls
• Kiosks
  – Publicly available secure transactions
  – Geographic distribution of customized content
1/26/98 - 26 PKI and IntraVerse
Electronic Commerce
1/26/98 - 27 PKI and IntraVerse
Canon Architecture
[Diagram labels: Browser (10,000-100,000 users); PKMS-SSL-NAT (1-10 Servers); PKMS-WebSEAL (10-100 Servers); Art Gallery, Image Bank, Print Shop, etc. (10-100 Servers): Print Shop Server, Shop Servers, Image Bank Servers, Art Gallery Servers]
1/26/98 - 28 PKI and IntraVerse
Phase 1 Deployment
[Diagram labels: Browser (1000-10,000 users); PIX Firewall; PKMS-SSL-NAT; PKMS-WebSEAL (2 Servers); SSL-NAT colocated on WebSEAL Server; Art Gallery Server (2 Servers); DB Server]
1/26/98 - 29 PKI and IntraVerse
New World Telephone Kiosks
[Diagram labels: Content Provider; Produce Raw Media Asset; Signoff & Submit to Content Authority; MKSP POP; Preview; Project Mgr Review; Generate Submission Req email to Project Mgr; Insert into Asset DB; Asset; MK Content; Signoff & Submit to Content DB with Distribution Time Stamp; Distribute to Kiosks Multiple Times; Multimedia Kiosks]
1/26/98 - 30 PKI and IntraVerse
The Power Phone System
[Diagram labels: Power Phone; Sponsor Power Phone Network; Middle Tier Server; Middle Tier Cache; Transaction Gateways; Content Server; Commit Server; Data Centre; Credit Bureau/Bank; Content Quality Assurance; Content Submission; Web Authoring Workstation; Advertiser's Intranet; Advertiser's Exported Web Space; Frame Relay/MAN; Leased Lines; Leased Lines/Internet]