PKI for Electronic Commerce
DASCOM, 3004 Mission Street, Santa Cruz, CA 95060 USA, +1-408-460-3600
1/26/98-1 PKI and IntraVerse
Agenda
- Motivation for PKI
- How PKI (and DCE) can provide:
  - Authentication
  - Authorization
  - Single sign-on
- Case studies:
  - IntraVerse and Electronic Commerce
  - IntraVerse and Kiosks
Internet Era Challenges
- Corporate data at the centre: corporate financial data, personnel information, marketing information
- Parties that need access to it: employees, strategic customers, casual customers, business partners
- Tight coupling between you and your partners and strategic customers
Internet Business Success
- Depends on a PKI solution that provides:
  - Security for legacy clients and modern browser-based clients
  - Single sign-on via the Web
  - Extranets and mobile VPNs
- PKI must coexist with:
  - Highly available, secure Web clusters
  - Multiple applications across multiple systems
- Web servers are the mid-tier of the Internet
Security Requirements
- Users require: ease of use, ease of access, flexibility, ubiquity, openness, security
- Access tools: browsers, light-weight clients
- Security infrastructure between the access tools and the corporate data must provide: authentication, authorization, data integrity, data privacy, auditing
PKI Must Support Intranet Infrastructure
- Security & policy
- Web servers & proxies
- User registries (multiple)
- Web content & applications
- Admin & management
- Audit & logging
- Availability, scalability, performance
Legacy Business Applications
- Access via proprietary client; no (or limited) Web access
- Large number of users, but difficult deployment
- Mission-critical database server application
Large Scale Web Infrastructure for Business Applications
- Path: Web browser -> IntraVerse (WebSEAL, NetSEAL, PKMS) -> Web mid-tier gateway (Oracle WebListener, Forte WebSDK, NeXT WebObjects, Lotus Domino) -> database server application
- Database/application and Web integration:
  - Application integrated with the Web via the mid-tier gateway
  - Web access from the browser to the mid-tier gateway
  - Application-specific security enforced by the database server
- Enables a network-centric IT infrastructure: HTTP services as important as telephone dial tone
Multiple Paths to Application
- Legacy path: proprietary client with NetSEAT, through NetSEAL, to the database server application
- Web path: browser, through WebSEAL and the Web server, to the same database server application
- You may have two paths, but you want one:
  - Authorization service
  - Authentication service
Single Sign-on to the Web
- Browser signs on to WebSEAL via Basic Authentication, Digest Authentication, or X.509 client certificates over SSL
- WebSEAL passes the authenticated identity via CGI variables to the business application gateway (mid-tier apps, mid-tier server) and to the Web servers behind it
- Sign-on to Web servers via Basic Authentication, Digest Authentication, and X.509/SSL
- Sign-on to applications via authenticated CGI variables
Extranets and VPNs
- Bring in new partners and customers
- Security from external to internal networks
- Rapidly deployed, rapidly removed
- Diagram: browsers on the Internet reach secured Web content and apps; each Web server sits behind a firewall and a WebSEAL server
High Availability Requirements
- Management of servers: SNMP for the network management console
- Caching of information across servers
- Management of security across replicated servers
- Session versus single-transaction applications
- Unified access control management
- Move the single point of failure towards the client
Diagram (SSL-enabled browser on the Internet, primary and replica WebSEAL servers, Apache and Netscape servers):
- Remote access from an unauthenticated client, or from an authenticated client with SSL
- Primary WebSEAL server: front-end proxy server providing authentication and access control; scalable, unified Web space
- Replica WebSEAL servers: replica front-end proxy servers for high availability
- Mirrored back-end servers (mirrored Apache servers, mirrored Netscape servers) provide high availability: back-end load balancing and back-end fault tolerance
Diagram (primary and replica WebSEAL servers behind the firewall, Apache and Netscape servers):
- Add a replica front-end proxy server (mirrored resources); the Web site gains front-end load balancing, fault tolerance, high availability, and scalability
- A fault-tolerant front-end preserves high availability during server failure and a unified Web space
Authentication and Authorization
Three components:
- User identity: authenticated using public-key technology; static
- User's credentials: groups and roles based on the authenticated identity; under real-time central control; context sensitive; dynamic
- Authorization policy: based on the credentials
Policy Management
- Template definition
- Template attachment
- Policy enforced through the Authorization API by: secured Web (WebSEAL), secured legacy (NetSEAL), generic applications
PKMS SSL V2 Login
1. A client application that supports SSL authenticates via dce_login over SSL to NetSEAL/WebSEAL with PKMS support
2. PKMS logs the user in to the IntraVerse (DCE) Security Server and gets DCE credentials (PAC)
3. NetSEAL uses the credentials (PAC) for access control to the back-end server application
PKMS SSL V3 Authentication
1. NetSEAL downloads local CA and CRL info from the CA/CRL service (accessed via CDSA) and the IntraVerse config & security servers
2. A client application that supports SSL V3 and PKMS authenticate with X.509 certificates over SSL V3
3. NetSEAL "accepts cert"
4. NetSEAL obtains credentials
5. NetSEAL uses the credentials for access control to the back-end server application
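The five-step flow on slides 17 and 18, as an added example that is not DASCOM's code: a Python 3 sketch of the NetSEAL/WebSEAL side built on the standard-library ssl module. SSL 2.0 and 3.0, current in 1998, are prohibited today (RFC 6176, RFC 7568), so the context below requires TLS 1.2 or later and a client certificate, and fails closed when no CRL is available. The CA/CRL file names, the registry that maps (issuer, subject) pairs to principals, the group table and the sample peer certificate are all constructed for the example, and the PAC class is a stand-in for the DCE privilege attribute certificate rather than its real format.

```python
import ssl
from dataclasses import dataclass
from typing import FrozenSet, Optional


def make_pkms_context(cafile: Optional[str] = None,
                      crlfile: Optional[str] = None) -> ssl.SSLContext:
    """Step 1: server-side TLS context for the certificate login.

    SSL 2.0/3.0 as drawn on the slide are prohibited today, so the floor is
    TLS 1.2. A client certificate is mandatory and the leaf is checked against
    the downloaded CRL; with VERIFY_CRL_CHECK_LEAF set and no CRL loaded,
    OpenSSL fails the handshake instead of silently skipping revocation.
    cafile/crlfile are PEM paths (hypothetical names); None builds a context
    for inspection only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED                 # no anonymous clients
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_X509_STRICT
    if cafile:
        ctx.load_verify_locations(cafile=cafile)        # the local CA certificate
    if crlfile:
        ctx.load_verify_locations(cafile=crlfile)       # CRLs use the same PEM loader
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Deployment self-check for the three settings above."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF))


# Steps 2 and 3 happen inside the TLS library: with CERT_REQUIRED, a client whose
# certificate does not chain to the local CA or is listed in the CRL never
# completes the handshake, so getpeercert() only ever hands us an accepted cert.

def dn_string(rdn_seq) -> str:
    """Flatten getpeercert()'s RDN tuple-of-tuples into '/countryName=US/...'."""
    return "".join(f"/{k}={v}" for rdn in rdn_seq for k, v in rdn)


@dataclass(frozen=True)
class PAC:
    """Stand-in for the DCE privilege attribute certificate: identity plus groups."""
    principal: str
    groups: FrozenSet[str]


# Constructed registry standing in for the IntraVerse security server: which
# (issuer, subject) pairs are registered to which principals, and their groups.
LOCAL_CA = "/countryName=US/organizationName=Example Corp/commonName=Example Local CA"
CERT_MAP = {
    (LOCAL_CA, "/countryName=US/organizationName=Example Corp/commonName=alice"): "alice",
}
GROUPS = {"alice": frozenset({"staff", "gallery-admins"})}


def credentials_from_peercert(cert, cert_map=CERT_MAP, groups=GROUPS) -> Optional[PAC]:
    """Step 4: map an accepted certificate to a PAC, or None.

    `cert` is the dict shape returned by ssl.SSLSocket.getpeercert(). Keying on
    issuer as well as subject matters once more than one CA is trusted: a
    second CA issuing the same subject DN must not yield the same principal.
    An accepted but unregistered certificate gets no credentials; the handshake
    is authentication only, and step 5 then has nothing to grant.
    """
    if not cert or "subject" not in cert or "issuer" not in cert:
        return None     # None/{} is what an unverified peer yields; map nothing
    principal = cert_map.get((dn_string(cert["issuer"]), dn_string(cert["subject"])))
    if principal is None:
        return None
    return PAC(principal, groups.get(principal, frozenset()))


# Constructed sample, in the shape getpeercert() returns after a verified handshake.
SAMPLE_PEERCERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
               (("commonName", "Example Local CA"),)),
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "version": 3,
}

if __name__ == "__main__":
    print(context_is_hardened(make_pkms_context()))
    print(credentials_from_peercert(SAMPLE_PEERCERT))
```

The separation matters for step 5: the TLS layer answers "is this certificate genuine and unrevoked", and only the registry lookup answers "which principal and groups does it carry"; a certificate that passes the first test but fails the second yields no PAC and therefore no access.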
Authenticated ID Broker
- User authenticates once, with one method, to the security server
- NetSEAL obtains the application-specific account info
- NetSEAL passes the credentials to the back-end application server
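Slides 10 and 19 describe the same hand-off: WebSEAL authenticates the browser once, then passes the authenticated identity to the application as CGI variables. The example below is added here and is not IntraVerse code: a Python 3, standard-library-only model of the gateway side (Basic authentication against a constructed registry) and of the application side. The check a practitioner wants is on the receiving end: REMOTE_USER is just a variable, so the application must be able to tell that the gateway, not the client, set it. Here that is an HMAC over user and path in a hypothetical X-Gateway-Auth header, keyed with a secret shared only between gateway and application. The user registry, the shared key and the header name are assumptions.

```python
import base64
import hashlib
import hmac
import os


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


# Constructed user registry: name -> (salt, PBKDF2-HMAC-SHA256 of the password).
# The fixed salt only keeps the example deterministic; use a random one per user.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
REGISTRY = {"alice": (_SALT, _pw_hash("correct horse", _SALT))}
_DUMMY = (_SALT, b"\0" * 32)   # unknown users cost the same as wrong passwords

# Key shared by the gateway and the mid-tier application (hypothetical). Generated
# here at start-up; a deployment provisions it out of band, never via the request.
GATEWAY_KEY = os.urandom(32)


def basic_header(user: str, password: str) -> str:
    """Browser side: the Authorization header for Basic auth. Basic carries the
    password in clear, so it is only acceptable inside the SSL session."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def authenticate_basic(headers, registry=REGISTRY):
    """Gateway side: validate Basic credentials. Returns the user name or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    except ValueError:              # bad base64 (binascii.Error) or bad UTF-8
        return None
    salt, stored = registry.get(user, _DUMMY)
    ok = hmac.compare_digest(_pw_hash(password, salt), stored)   # constant time
    return user if ok else None


def _tag(user: str, path: str, key: bytes) -> bytes:
    return hmac.new(key, f"{user}\n{path}".encode("utf-8"), "sha256").hexdigest().encode("ascii")


def forward_environment(user: str, path: str, key: bytes = GATEWAY_KEY) -> dict:
    """Gateway side: the CGI variables handed to the business application.
    REMOTE_USER carries the identity. X-Gateway-Auth (hypothetical header, seen
    by the app as HTTP_X_GATEWAY_AUTH) carries an HMAC over user and path, so
    the app can distinguish a gateway-forwarded identity from a header an
    attacker typed into a direct request or replayed against another URL."""
    return {"REMOTE_USER": user, "PATH_INFO": path,
            "HTTP_X_GATEWAY_AUTH": _tag(user, path, key).decode("ascii")}


def app_identity(environ: dict, key: bytes = GATEWAY_KEY):
    """Application side: trust REMOTE_USER only when the gateway MAC verifies.
    Without this check anyone who can reach the application port directly can
    claim any identity simply by setting the variable themselves."""
    user = environ.get("REMOTE_USER")
    if not user:
        return None
    given = environ.get("HTTP_X_GATEWAY_AUTH", "").encode("utf-8")
    expected = _tag(user, environ.get("PATH_INFO", ""), key)
    return user if hmac.compare_digest(given, expected) else None


if __name__ == "__main__":
    who = authenticate_basic({"Authorization": basic_header("alice", "correct horse")})
    env = forward_environment(who, "/gallery/buy")
    print(app_identity(env))                                                 # alice
    print(app_identity({"REMOTE_USER": "admin", "PATH_INFO": "/gallery/buy"}))  # None
```

Binding the tag to the path limits replay of a captured tag to the one URL it was issued for; a deployment that needs stronger replay protection adds a timestamp or nonce to the MAC input, and the application must additionally be reachable only from the gateway (network policy or mutual TLS) so that the MAC is a second line of defence rather than the only one.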
Authorization Service
- Based on DCE ACLs
- Replicated database shared across all protected services
- Tightly coupled with the authentication service
- Independent of the method used for authentication
- Extensible: integrates legacy authorization services
IntraVerse ACL Bits
- ACLs control:
  - Users' ability to access protected objects
  - Administrators' ability to set ACLs on other objects, manage servers, and manage users
  - IntraVerse NetSEAL/WebSEAL servers' ability to delegate a user's credentials
- ACLs are context specific
ACL Templates
- Allow you to create and modify the ACLs on an object
- Determine where ACLs are used
Named ACLs
- Use named ACLs to create a template of an ACL
- Drag and drop the template onto the protected objects you want to protect
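Slides 15 and 20 to 23 together describe the authorization model: credentials (PAC) carrying identity and groups, DCE-style ACLs attached as named templates to a protected object space, and ACL bits that also govern the administrators who set ACLs and the servers that delegate credentials. The Python 3 example below is added here and is neither IntraVerse nor DCE code. It implements the DCE resolution order (a matching user entry wins outright, otherwise the union of matching group entries, otherwise any_other, with the unauthenticated entry masked by any_other) and inheritance of the nearest attached template down the object tree. The bit letters, template names, object paths and principals are this example's assumptions: the slide names what the bits govern, not their letters.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Illustrative permission bits (assumed for this example, not IntraVerse's own):
#   r read   x execute   c control (set the ACL)   s manage servers
#   u manage users       d delegate the user's credentials (server principals)


@dataclass(frozen=True)
class PAC:
    """Privilege attribute certificate: the credentials the authorizer consumes."""
    principal: Optional[str]                 # None = unauthenticated client
    groups: FrozenSet[str] = frozenset()


@dataclass
class ACL:
    """DCE-style ACL: typed entries, each carrying a permission string."""
    users: Dict[str, str] = field(default_factory=dict)    # principal -> bits
    groups: Dict[str, str] = field(default_factory=dict)   # group -> bits
    any_other: str = ""          # any authenticated principal not matched above
    unauthenticated: str = ""    # clients presenting no credentials at all


def permissions(pac: PAC, acl: ACL) -> Set[str]:
    """DCE ACL resolution: the most specific matching entry class decides.
    A user entry wins outright (it is not unioned with group entries); else the
    union of all matching group entries; else any_other. Unauthenticated clients
    get the unauthenticated entry masked by any_other, as DCE does."""
    if pac.principal is None:
        return set(acl.unauthenticated) & set(acl.any_other)
    if pac.principal in acl.users:
        return set(acl.users[pac.principal])
    matched = [set(acl.groups[g]) for g in pac.groups if g in acl.groups]
    if matched:
        return set().union(*matched)
    return set(acl.any_other)


def _norm(path: str) -> str:
    return "/" + path.strip("/")


class ObjectSpace:
    """Protected object space. Named ACL templates are attached to nodes; an
    object without its own attachment inherits the nearest attached ancestor."""

    def __init__(self, templates: Dict[str, ACL], root_template: str):
        self.templates = dict(templates)
        self.attachments = {"/": root_template}       # the root is always attached

    def effective_acl(self, path: str) -> ACL:
        node = _norm(path)
        while node not in self.attachments:
            node = node.rsplit("/", 1)[0] or "/"
        return self.templates[self.attachments[node]]

    def allowed(self, pac: PAC, path: str, needed: str) -> bool:
        return set(needed) <= permissions(pac, self.effective_acl(path))

    def attach(self, actor: PAC, path: str, template: str) -> None:
        """'Drag and drop' a named ACL onto an object. The actor needs the control
        bit on that object, so administrators are governed by the same bits."""
        if template not in self.templates:
            raise KeyError(f"no named ACL {template!r}")
        if not self.allowed(actor, path, "c"):
            raise PermissionError(f"{actor.principal} may not set the ACL on {path}")
        self.attachments[_norm(path)] = template


# Constructed named ACLs for a WebSEAL-protected art gallery.
TEMPLATES = {
    "default": ACL(groups={"staff": "rx", "gallery-admins": "rxcsu",
                           "intraverse-servers": "d"},
                   any_other="r", unauthenticated="r"),
    "admin-only": ACL(users={"secops": "rc"},        # user entry: no x despite the group
                      groups={"gallery-admins": "rxcsu"}),
}

ALICE = PAC("alice", frozenset({"staff", "gallery-admins"}))
BOB = PAC("bob", frozenset({"staff"}))
SECOPS = PAC("secops", frozenset({"gallery-admins"}))
WEBSEAL = PAC("webseal-1", frozenset({"intraverse-servers"}))
ANON = PAC(None)


def demo_space() -> ObjectSpace:
    """Alice holds 'c' via the root ACL's gallery-admins entry, so she may fence
    off the admin subtree; everything below it then inherits admin-only."""
    space = ObjectSpace(TEMPLATES, "default")
    space.attach(ALICE, "/WebSEAL/gallery/admin", "admin-only")
    return space


if __name__ == "__main__":
    s = demo_space()
    for who, path, bits in [(BOB, "/WebSEAL/gallery/images", "r"),
                            (BOB, "/WebSEAL/gallery/admin/users", "r"),
                            (SECOPS, "/WebSEAL/gallery/admin", "x"),
                            (ANON, "/WebSEAL/gallery/admin", "r")]:
        print(who.principal, path, bits, s.allowed(who, path, bits))
```

Two behaviours are worth checking against any real ACL engine: a user entry replaces, rather than adds to, the group permissions (secops is in gallery-admins but gets only "rc"), and the right to change an ACL is itself an ACL bit on the target object, so a staff member without "c" cannot widen access by re-attaching a template.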
Future Extensions
- Management console: access credentials, manage policy
- Registry (LDAP, ODBC)
- Ticket-granting service
- Master authorization policy database (LDAP)
- SSL-enabled client: authenticate, access credentials
- IntraVerse server: local authorization DB; certificate processing via CDSA and the PKI
Case Studies
- Electronic Commerce:
  - Large-scale, highly available, secure point of presence on the Internet
  - Internet distribution of business applications
  - Single sign-on and access controls
- Kiosks:
  - Publicly available secure transactions
  - Geographic distribution of customized content
Electronic Commerce
Canon Architecture
- 10,000-100,000 browser users
- Server groups: Art Gallery servers, Shop servers, Image Bank servers, Print Shop servers (Art Gallery, ImageBank, PrintShop, etc.), sized from 1-10 to 10-100 servers each
- Each group is fronted by PKMS-WebSEAL and PKMS-SSL-NAT
Phase 1 Deployment
- 1,000-10,000 browser users reach the Art Gallery through a PIX firewall
- 2 PKMS-WebSEAL servers, with SSL-NAT co-located on the WebSEAL server
- 2 Art Gallery servers and a DB server
New World Telephone Kiosks
Content workflow:
1. Content provider produces the raw media asset, previews it, signs off, and submits it to the content authority
2. MKSP POP inserts the asset into the asset DB and generates a submission request e-mail to the project manager
3. Project manager reviews the asset, signs off, and submits it to the content DB with a distribution time stamp
4. MK content is distributed to the multimedia kiosks (multiple times)
The Power Phone System
- Data centre: content submission, content quality assurance, Power Phone commit server, Power Phone content server, middle-tier cache
- Middle-tier server and Power Phone transaction gateways
- Advertiser's intranet: Web authoring workstation and the advertiser's exported Web space, connected over leased lines/Internet
- Sponsor Power Phone networks of Power Phones, connected over frame relay/MAN and leased lines
- Credit bureau/bank reached through the transaction gateways