Title: Ecommerce security models
Slide 1: E-commerce security models
- Enn Õunapuu
- Tallinn Technical University
- enn_at_cc.ttu.ee
- 372 050 97720
Slide 2: Basic Definitions
- Participant: Any entity that plays some part in the scenarios. This is deliberately vague. No attempt is made to define entities or to characterize them. A participant might be a person, an institution, a computer, a network, or belong to some other category. Most obviously it includes the systems that exchange SOAP messages.
- SOAP Node (copied with modification from SOAP 1.1): The embodiment of the processing logic necessary to transmit, receive, process and/or relay a SOAP message, according to the set of conventions defined by SOAP 1.1 or SOAP 1.2. A SOAP node is responsible for enforcing the rules that govern the exchange of SOAP messages.
Slide 3: Messages
- SOAP Message (copied from SOAP 1.2): The basic unit of communication between SOAP nodes.
- SOAP Layer: The communication layer at which SOAP nodes reside.
- HTTP Message: The basic unit of HTTP communication.
- Transport Layer: The communication layers below the SOAP layer.
- SSL/TLS: The communication layer below HTTP where security concerns are addressed.
- HTTPS: The combination of HTTP with SSL/TLS.
Slide 4: Peer Identification and Authentication
- Peer entity authentication: The corroboration that a peer entity in an association is the one claimed.
- Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities.
Slide 5: Candidate technology
- HTTPS with X.509 server authentication
- HTTP client authentication (Basic or Digest)
- HTTPS with X.509 mutual authentication of server and user agent
- OASIS SOAP Message Security
Slide 6: Data Origin Identification and Authentication
- Data origin authentication: The corroboration that the source of data received is as claimed.
- Identification: An act or process that presents an identifier to a system so that the system can recognize a system entity and distinguish it from other entities.
Slide 7: Data Integrity
- Data integrity: The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.
Slides 8-10: Threats
Slide 12: Designing an Authentication and Authorization Strategy
The following steps identify a process that will help you develop an authentication and authorization strategy for your application:
1. Identify resources
2. Choose an authorization strategy
3. Choose the identities used for resource access
4. Consider identity flow
5. Choose an authentication approach
6. Decide how to flow identity
Slide 13: Identify Resources
Identify resources that your application needs to expose to clients. Typical resources include:
- Web server resources such as Web pages, Web services, and static resources (HTML pages and images).
- Database resources such as per-user data or application-wide data.
- Network resources such as remote file system resources and data from directory stores such as Active Directory.
You must also identify the system resources that your application needs to access, in contrast to the resources that are exposed to clients. Examples of system resources include the registry, event logs, and configuration files.
Slide 14: Choose an Authorization Strategy
The two basic authorization strategies are:
- Role based. Access to operations (typically methods) is secured based on the role membership of the caller. Roles are used to partition your application's user base into sets of users that share the same security privileges within the application, for example Senior Managers, Managers and Employees. Users are mapped to roles, and if the user is authorized to perform the requested operation, the application uses fixed identities with which to access resources. These identities are trusted by the respective resource managers (for example, databases, the file system, and so on).
Slide 15 (continued):
- Resource based. Individual resources are secured using Windows ACLs. The application impersonates the caller prior to accessing resources, which allows the operating system to perform standard access checks. All resource access is performed using the original caller's security context. This impersonation approach severely impacts application scalability, because it means that connection pooling cannot be used effectively within the application's middle tier.
Slide 16: Choose an Authentication Approach
Two key factors that influence the choice of authentication approach are, first and foremost, the nature of your application's user base (what types of browsers are they using, and do they have Windows accounts), and secondly your application's impersonation/delegation and auditing requirements.
Slide 17: Decide How to Flow Identity
You can flow identity (to provide security context) at the application level, or you can flow identity and security context at the operating system level. To flow identity at the application level, use method and stored procedure parameters.
Application identity flow supports:
- Per-user data retrieval using trusted query parameters, for example SELECT x,y FROM SomeTable WHERE username="bob"
- Custom auditing within any application tier
Operating system identity flow supports:
- Platform level auditing (for example, Windows auditing and SQL Server auditing)
- Per-user authorization based on Windows identities
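Application-level identity flow from the slide above, worked as an added example (not from the original deck): the username reaches the data tier as a trusted, bound query parameter taken from the authenticated principal, the application makes the role check itself before using its fixed database identity, and the same flowed identity feeds a custom audit record. The table name and columns follow the slide's SELECT; the sample rows, AppPrincipal class and AUDIT_LOG are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample rows for the slide's SomeTable: each row belongs to one username.
SAMPLE_ROWS = [("bob", "order-1", 10.0), ("bob", "order-2", 25.5), ("alice", "order-3", 99.0)]
AUDIT_LOG = []  # stand-in for the application tier's custom audit store (assumed)

@dataclass
class AppPrincipal:
    """Identity flowed at the application level: a name plus application roles."""
    name: str
    roles: set = field(default_factory=set)

def open_sample_db():
    """In-memory SQLite stands in for the database the middle tier reaches with a fixed identity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (username TEXT, x TEXT, y REAL)")
    conn.executemany("INSERT INTO SomeTable VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def fetch_per_user(conn, principal):
    """Per-user retrieval with a trusted query parameter: the username is taken from the
    authenticated principal, not from the request body, and is bound as a parameter so
    the database always treats it as data, never as SQL text."""
    audit(principal, "fetch_per_user")
    cur = conn.execute("SELECT x, y FROM SomeTable WHERE username = ?", (principal.name,))
    return cur.fetchall()

def fetch_all_for_managers(conn, principal):
    """Role-based check made in the application before the shared database identity is used."""
    if "Manager" not in principal.roles:
        audit(principal, "fetch_all denied")
        raise PermissionError("Manager role required")
    audit(principal, "fetch_all")
    return conn.execute("SELECT username, x, y FROM SomeTable ORDER BY x").fetchall()

def audit(principal, action):
    """Custom auditing in the application tier, possible because identity was flowed here."""
    record = f"user={principal.name} action={action}"
    AUDIT_LOG.append(record)
    return record
```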
Slide 18: Secure communication
Secure communication provides the following two features:
- Privacy. Privacy is concerned with ensuring that data remains private and confidential, and cannot be viewed by eavesdroppers who may be armed with network monitoring software. Privacy is usually provided by means of encryption.
- Integrity. Secure communication channels must also ensure that data is protected from accidental or deliberate (malicious) modification while in transit. Integrity is usually provided by using Message Authentication Codes (MACs).
Slide 19 (continued):
- Secure Sockets Layer / Transport Layer Security (SSL/TLS). This is most commonly used to secure the channel between a browser and Web server. However, it can also be used to secure Web service messages and communications to and from a database server running Microsoft SQL Server 2000.
- Internet Protocol Security (IPSec). IPSec provides a transport level secure communication solution and can be used to secure the data sent between two computers, for example an application server and a database server.
- Remote Procedure Call (RPC) Encryption. The RPC protocol used by Distributed COM (DCOM) provides an authentication level (packet privacy) that results in the encryption of every packet of data sent between client and server.
Slide 21: Using SSL
When you use SSL you should be aware of the following:
- When SSL is applied, the client uses the HTTPS protocol (and specifies an https:// URL) and the server listens on TCP port 443.
- You should monitor your application's performance when you enable SSL. SSL uses complex cryptographic functions to encrypt and decrypt data and as a result impacts the performance of your application. The largest performance hit occurs during the initial handshake, where asymmetric public/private-key encryption is used. Subsequently (after a secure session key is generated and exchanged), faster symmetric encryption is used to encrypt application data.
- You should optimize pages that use SSL by including less text and simple graphics in those pages.
Slide 23: Web Service Security Model
Web service security can be applied at three levels:
- Platform/transport level (point-to-point) security
- Application level (custom) security
- Message level (end-to-end) security
Slide 25: Application Level Security
With this approach, the application takes over security and uses custom security features. For example:
- An application can use a custom SOAP header to pass user credentials to authenticate the user with each Web service request. A common approach is to pass a ticket (or user name or license) in the SOAP header.
- The application has the flexibility to generate its own IPrincipal object that contains roles. This might be a custom class or the GenericPrincipal class provided by the .NET Framework.
- The application can selectively encrypt what it needs to, although this requires secure key storage and developers must have knowledge of the relevant cryptography APIs.
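The custom-SOAP-header approach above, combined with the MAC-based integrity from the secure communication slide, as an added example that is not part of the original deck: the client places a ticket in a custom header of a SOAP 1.1 envelope, and the service verifies the ticket's HMAC and expiry before building a principal with roles. The ticket layout, the urn:example:auth header namespace, the shared key and the GenericPrincipal stand-in are assumptions made for this example, not the deck's or the .NET Framework's own code.

```python
import hmac, hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:auth"                            # assumed namespace for the custom header
KEY = b"constructed-demo-key"  # shared secret; in practice this lives in secure key storage

class GenericPrincipal:
    """Minimal stand-in for the .NET GenericPrincipal: a name and a set of roles."""
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)
    def is_in_role(self, role):
        return role in self.roles

def make_ticket(user, roles, expires, key=KEY):
    """Ticket = user|roles|expiry|HMAC-SHA256 over the first three fields (the MAC gives integrity)."""
    if "|" in user or any("|" in r for r in roles):
        raise ValueError("separator not allowed in ticket fields")
    body = f"{user}|{','.join(roles)}|{expires}"
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def build_request(ticket, payload_xml):
    """Client side: put the ticket in a custom SOAP header and the call itself in the Body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(hdr, f"{{{APP_NS}}}Ticket").text = ticket
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(payload_xml))
    return ET.tostring(env)

def principal_from_request(xml_bytes, now, key=KEY):
    """Service side: verify the header ticket and return a principal, or None when the
    ticket is missing, malformed, tampered with, made under another key, or expired."""
    node = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Header/{{{APP_NS}}}Ticket")
    if node is None or not node.text:
        return None
    parts = node.text.split("|")
    if len(parts) != 4:
        return None
    user, roles, expires, mac = parts
    body = f"{user}|{roles}|{expires}"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare, then the expiry check only once the MAC has been trusted.
    if not hmac.compare_digest(mac, expected) or not expires.isdigit() or int(expires) < now:
        return None
    return GenericPrincipal(user, roles.split(",") if roles else [])
```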
Slide 27: References
- OASIS: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
- WS-I: http://ws-i.org/Profiles/BasicSecurity/2004-02/SecurityScenarios-0.15-WGD.pdf