Title: Security for Web Information Systems: Towards Compromise-Resilient Architectures
1 Security for Web Information Systems: Towards Compromise-Resilient Architectures
- Burt Kaliski, RSA Security
- Web Information Systems Engineering (WISE) 2005, November 21, 2005
2 Introduction
- Security services play an important role in assuring the reliability and integrity of any information system
- The dynamic, distributed nature of Web Information Systems also introduces multiple points of potential security compromise
- Compromise resilience is as important as compromise resistance
3 Basic Model
[Diagram: Agent, Resource, Data]
- Model
  - Agents access Web information resources
  - Resources provide services and process data
4 Security Services
[Diagram: Agent, Resource, Data]
- Authentication: Who are you?
- Authorization: What can you do?
- Data protection: How is the data secured?
5 Authentication Approaches: Who are you?
[Diagram: Agent, Resource, Data, Authentication Authority]
- Agents and resources exchange claims of identity
- Authentication authority issues credentials and helps validate claims
- Agents and resources have authentication credentials associated with their identities
6 Authorization Approaches: What can you do?
[Diagram: Agent, Resource, Data, Authorization Authority]
- Authorization authority supports policy decisions
- Resources enforce policy
7 Data Protection Approaches: How is the data secured?
[Diagram: Agent, Resource, Data, Key Authority]
- Stored data is encrypted
- Key authority manages keys
  - which also need access control!
- Agents and resources exchange data through a secure channel
8 Typical Security Architecture
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority]
- Authorities support agents and resources in establishing security
9 Potential Security Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack marked against each of them]
- Compromises happen. What's the impact?
- The replicated, mobile nature of the system introduces multiple points of compromise
10 Authentication Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack marked]
- Agent can be impersonated to resource
11 Authentication Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack marked]
- Resource can be impersonated to agent
12 Authentication Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack on the Authentication Authority marked]
- Anyone can be impersonated!
- Attack the authority, and/or its administrators
13 Authorization Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack on the Authorization Authority marked]
- Anyone can be authorized!
- Attack the authority, and/or its administrators
14 Data Protection Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack on the Key Authority marked]
- Any key can be recovered!
- But data remains secure unless the encrypted data is also compromised
15 Data Protection Compromises
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack on the Data marked]
- Any encrypted data can be recovered!
- But data remains secure unless the keys are also compromised
16 Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Key Authority, Authorization Authority, with an attack marked against each of them]
- How do you mitigate the risk?
- Resilience vs. resistance
17 Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent]
- Agents' credentials should be short-lived and context-specific
  - Home agent supports the agent in obtaining them
- Resources' credentials can be similarly strengthened
18 Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent, Master Authentication Authority]
- Authentication authority's credentials and validation data should be short-lived
  - Master authority manages distribution of data and credentials
19 Authentication Compromise Resilience
[Diagram: Agent, Resource, Data, Authentication Authority, Home Agent, Master Authentication Authority]
- Multi-administrator and multi-authority approaches can also help
20 Authorization Compromise Resilience
[Diagram: Agent, Resource, Data, Authorization Authority, Master Authorization Authority]
- Authorization authority's credentials should be short-lived
- Multi-administrator or multi-authority approaches also help
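Slides 17 through 20 describe one mechanism from three angles: credentials that expire quickly and are bound to a context, with a master authority rotating the authority's own signing keys and the validation data that resources hold. The following Python is an added example, not code from the talk or from RSA; it models that pattern with HMAC-signed credentials. The class names (MasterAuthority, AuthenticationAuthority, Resource), the epoch-based key rotation, the payload field names and the timestamps in demo() are assumptions chosen for illustration, and the same structure would serve the authorization authority of slide 20. Each credential carries an audience (the resource it is for) and an expiry; a resource accepts only credentials made with the current or previous epoch key, so a signing key stolen from the authentication authority is useful only until the next rotation.

```python
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, payload: dict) -> str:
    """Credential format (assumed): hex(JSON payload) '.' hex(HMAC-SHA256 tag)."""
    body = json.dumps(payload, sort_keys=True).encode().hex()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class MasterAuthority:
    """Hypothetical master authority: one MAC key per epoch. The current key is
    the authentication authority's signing credential; resources hold only the
    current and previous epoch keys as validation data."""

    def __init__(self, epoch_len: int):
        self.epoch_len, self._keys = epoch_len, {}

    def epoch(self, now: int) -> int:
        return now // self.epoch_len

    def signing_key(self, epoch: int) -> bytes:
        return self._keys.setdefault(epoch, secrets.token_bytes(32))

    def validation_data(self, now: int) -> dict:
        e = self.epoch(now)
        return {e: self.signing_key(e), e - 1: self.signing_key(e - 1)}


class AuthenticationAuthority:
    def __init__(self, master: MasterAuthority):
        self.master = master

    def issue(self, agent: str, audience: str, now: int, ttl: int) -> str:
        """Short-lived (exp) and context-specific (aud) credential for one agent."""
        epoch = self.master.epoch(now)
        payload = {"sub": agent, "aud": audience, "iat": now,
                   "exp": now + ttl, "kid": epoch}
        return sign(self.master.signing_key(epoch), payload)


class Resource:
    def __init__(self, name: str, master: MasterAuthority):
        self.name, self.master = name, master

    def validate(self, token: str, now: int) -> tuple:
        """Returns (accepted, subject or reason). A deployed resource would cache
        the validation data it fetched from the master; this looks it up directly."""
        keys = self.master.validation_data(now)
        try:
            body, tag = token.split(".")
            payload, tag_bytes = json.loads(bytes.fromhex(body)), bytes.fromhex(tag)
        except ValueError:  # bad hex, bad JSON or wrong number of fields
            return False, "malformed"
        kid = payload.get("kid") if isinstance(payload, dict) else None
        key = keys.get(kid) if isinstance(kid, int) else None
        if key is None:
            return False, "unknown or retired signing key"
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag_bytes):
            return False, "bad tag"
        if payload.get("aud") != self.name:
            return False, "wrong audience"
        exp = payload.get("exp")
        if not isinstance(exp, int) or now >= exp:
            return False, "expired"
        return True, str(payload.get("sub"))


def demo() -> dict:
    """Constructed scenario; times are integer seconds, not real clock values."""
    master = MasterAuthority(epoch_len=3600)
    authority = AuthenticationAuthority(master)
    orders, billing = Resource("orders", master), Resource("billing", master)
    t0 = 1_700_000_000
    tok = authority.issue("alice", "orders", now=t0, ttl=300)
    body, tag = tok.split(".")
    # Same tag, payload re-pointed at another resource: the tag no longer matches.
    retargeted = json.dumps({**json.loads(bytes.fromhex(body)), "aud": "billing"}).encode().hex() + "." + tag
    # An attacker holding this epoch's signing key can forge credentials only
    # until the master rotates it out of the resources' validation data.
    stolen_epoch = master.epoch(t0)
    stolen = master.signing_key(stolen_epoch)

    def forge(now: int) -> str:
        return sign(stolen, {"sub": "mallory", "aud": "orders", "iat": now,
                             "exp": now + 300, "kid": stolen_epoch})

    later = t0 + 3 * master.epoch_len
    return {
        "fresh": orders.validate(tok, t0 + 10)[0],
        "expired": orders.validate(tok, t0 + 301)[0],
        "wrong_resource": billing.validate(tok, t0 + 10)[0],
        "retargeted": billing.validate(retargeted, t0 + 10)[0],
        "forged_same_epoch": orders.validate(forge(t0 + 60), t0 + 60)[0],
        "forged_after_rotation": orders.validate(forge(later), later)[0],
    }
```

In demo() the forged credential passes inside the epoch whose key was stolen and fails once the master has rotated that key out of the resources' validation data, so the epoch length is the knob that bounds the attacker's window. A real deployment would use public-key signatures so that resources hold no signing material at all, and the home agent of slide 17 would be the component that fetches the agent's credential from the authority on its behalf.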
21 Data Protection Compromise Resilience
[Diagram: Agent, Resource, Data, four Key Authorities]
- Secret sharing reduces the impact of compromise of one key authority
- Trusted execution protects keys in the field
22 Data Protection Compromise Resilience
[Diagram: Agent, Resource, Data, four Key Authorities]
- Proactive secret sharing maintains resilience by updating shares periodically
- Distributed cryptography uses keys in split form
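Slides 21 and 22 rest on Shamir secret sharing and its proactive variant. The following Python is an added example, not code from the talk: it splits a data-encryption key across four key authorities with threshold three, recovers it from any three shares, and then refreshes the shares without changing the key. The prime field, the share count, the threshold and the constructed 32-byte key in demo() are assumptions. The distributed use of the key in split form mentioned on slide 22 is not shown; here the key is reconstructed to demonstrate the threshold and refresh properties.

```python
import random
import secrets
from typing import List, Optional, Tuple

# Mersenne prime 2^521 - 1: a field large enough for a 256-bit key and many shares.
P = 2**521 - 1
Share = Tuple[int, int]  # (x, f(x)) with x != 0; x identifies the key authority


def _eval(coeffs: List[int], x: int) -> int:
    """Horner evaluation over GF(P); coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, n: int, t: int, rng: Optional[random.Random] = None) -> List[Share]:
    """Shamir split: any t of the n shares recover `secret`; t-1 reveal nothing."""
    rng = rng or secrets.SystemRandom()
    if not (0 <= secret < P and 1 <= t <= n < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]
    return [(x, _eval(coeffs, x)) for x in range(1, n + 1)]


def recover(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over GF(P)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def proactive_refresh(shares: List[Share], t: int, rng: Optional[random.Random] = None) -> List[Share]:
    """Proactive refresh: every authority picks a random degree-(t-1) polynomial
    with constant term 0 and sends its value at x to authority x, which adds the
    sum to its share. The secret is unchanged, but old and new shares lie on
    different polynomials, so shares stolen before the refresh cannot be
    combined with shares stolen after it."""
    rng = rng or secrets.SystemRandom()
    delta = {x: 0 for x, _ in shares}
    for _ in shares:  # one zero-constant polynomial per participating authority
        g = [0] + [rng.randrange(P) for _ in range(t - 1)]
        for x in delta:
            delta[x] = (delta[x] + _eval(g, x)) % P
    return [(x, (y + delta[x]) % P) for x, y in shares]


def demo(seed: Optional[int] = None) -> dict:
    """Constructed scenario: a data-encryption key held by four key authorities
    with threshold three; `seed` makes the run reproducible (never do that for
    real keys, where the default system RNG is used)."""
    rng = random.Random(seed) if seed is not None else None
    key = int.from_bytes(bytes(range(32)), "big")  # constructed 256-bit key
    old = split(key, n=4, t=3, rng=rng)
    new = proactive_refresh(old, t=3, rng=rng)
    return {
        "three_old_recover": recover([old[0], old[2], old[3]]) == key,
        "two_old_recover": recover(old[:2]) == key,
        "three_new_recover": recover(new[1:]) == key,
        "mixed_old_new_recover": recover([old[0], old[1], new[2]]) == key,
    }
```

The last entry of demo() is the point of the proactive refresh: an attacker who took two shares before the refresh and one after holds three shares yet recovers garbage, so compromising one key authority per refresh period never accumulates to the threshold. Authenticated delivery of the refresh contributions and verification that each contribution really has constant term zero are out of scope here.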
23 A Resilient Security Architecture: Anticipating compromise mitigates risk
[Diagram: Agent, Resource, Data, three Key Authorities, Authentication Authority, Authorization Authority, Home Agent, Master Authentication Authority, Master Authorization Authority]
24 Observations
- Countermeasures such as short-lived, context-specific credentials and secret sharing limit the impact of security compromises
- The distributed nature of Web Information Systems facilitates such countermeasures
  - New components are easily introduced into the architecture
- Web Information Systems can lead the industry in compromise resilience
25 Conclusion: Two Questions
- What do you call an attacker who compromises a Web Information System?
  - Answer: a WISE-Cracker
- What do you call a Web Information System that is resilient against such compromise?
  - Answer: a Web Information System Engineered with Resilience (WISER)
26 Contact Information
- Burt Kaliski, Chief Scientist, RSA Laboratories; VP Research, RSA Security
- bkaliski_at_rsasecurity.com
- http://www.rsasecurity.com/rsalabs
27 About RSA Security
RSA Security is the expert in protecting identities and digital assets. RSA Security invented the core security technologies for the Internet and continues to build on its 20-year history of innovation. RSA Laboratories, a team of 8 researchers and standards developers, is the company's research center.