+ All Categories
Home > Documents > Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253...

Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253...

Date post: 15-Jan-2016
Category:
Upload: lawrence-nichols
View: 216 times
Download: 0 times
Share this document with a friend
25
Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting Brandenberg Consulting +1 408 246 8253 +1 408 246 8253 [email protected] [email protected] b b b b
Transcript
Page 1: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

Securing Transactions: Protocols and Politics

Securing Transactions: Protocols and Politics

D. Crocker Brandenberg ConsultingBrandenberg Consulting

+1 408 246 8253+1 408 246 [email protected]@brandenburg.com

D. Crocker Brandenberg ConsultingBrandenberg Consulting

+1 408 246 8253+1 408 246 [email protected]@brandenburg.com

bbbbbb

bb

Page 2: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bb Brandenburg ConsultingBrandenburg Consulting Product & service / planning & design Technical

Large-scale systems Internet & interoperability Operations Security Protocols (email, transport, commerce)

Internet development since 1972 Chair, Silicon Valley - Public Access Link

Page 3: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbSecure transactionsSecure transactions

Doing business on the Internet Object- vs. Transport- security Payment protocols Standards work

Page 4: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbInternet for commerce?Internet for commerce?

Strong pressures emerging Businesses now online Reduced access costs Global “reach”

Page 5: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbA global InternetA global Internet

Scaling A chicken in every pot!

Security Military vs. commercial vs. personal

Management Interconnection interoperability Sometimes always

Page 6: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbStyles of useStyles of use

Receiver pull Interactive sessions Individual, foreground refinement

Sender push Messaging Bulk, background distribution

(Mark Smith, Intel)(Mark Smith, Intel)

Page 7: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbTo be on the InternetTo be on the Internet

FullFull (core)(core) Permanent, visible,

native

DirectDirect (consumer)(consumer) Native

ClientClient User runs Internet

applications

MediatedMediated Provider runs

applications for user

MessagingMessaging Surprisingly useful

Page 8: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbWhat is business?What is business?

R&D Search, browse Test Coordinate

Support Discuss Info push

Marketing Targeted info push Survey

Sales Negotiate Order, bill, payOrder, bill, pay Deliver

Page 9: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bb Where to put functions?Where to put functions? Core vs. edges

Place it in the core• Can’t be used until all of the

pieces between users adopt it Place it at the edges

• Useful as soon as adopted by two, consenting hosts

Page 10: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bb Where to put security...Where to put security...

My objectMy objectMy objectMy objectObjectObject TransportTransport

SecureSecure

My objectMy objectMy objectMy object

FTPFTPEMailEMail

Web Web

SecureSecure

My objectMy objectMy objectMy objectSecureSecure

My objectMy objectMy objectMy object

EMailEMail

My objectMy objectMy objectMy objectMy objectMy objectMy objectMy object

Web Security

Web ServerWeb ServerWeb ServerWeb Server

Web ServerWeb ServerWeb ServerWeb Server

MTAMTAMTAMTA

MTAMTAMTAMTA

EMail Security

Page 11: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbTransport security Transport security

IPSEC IP-level labelingKerberos (MIT) Third-party serviceS-KEY (Bellcore) Pairwise loginS-HTTP (EIT) Negotiate specifical

object wrapper securitySSL (Netscape) Client-server transport

linkSTT (Microsoft) (TBD)

Page 12: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbObject security Object security

MOSS (was: PEM) MIME Object Security Service - IETF RSA + DES Global, formal key certification hierarchy

PGP Pretty Good Privacy - Phil Zimmerman RSA + IDEA Informal, personal, direct certification

S/MIME Secure MIME - RSA & Consortium

Page 13: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbBasic algorithmsBasic algorithms

MsgMsgMsgMsg MsgMsgMsgMsg

MsgMsgMsgMsg

MsgHashMsgHash++ ++ ŸŸ++KeyKeyPRIV-ORIGPRIV-ORIGKeyKeyPRIV-ORIGPRIV-ORIG

DigitalDigitalSignatuSignaturere

DigitalDigitalSignatuSignaturere

++KeyKeyDATADATA++KeyKeyDATADATAŸŸEncryptEncryptDataDataEncryptEncryptDataData

MsgHashMsgHash

+ + KeyKeyDATADATA+ + KeyKeyDATADATA+ KeyKeyPUB-RECIPPUB-RECIP KeyKeyPUB-RECIPPUB-RECIP

Integrity Authentication (sign)

Privacy (seal)

ŸŸŸŸEncryptEncryptKeyKeyEncryptEncryptKeyKey

When do you need each? ...not always!When do you need each? ...not always!

Page 14: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbEDI over InternetEDI over Internet

Multiple EDI transports already

Internet is one more

EDI/MIME, proposed standard Regular EDI objects, encapsulated in

MIME Use MIME-based security

Page 15: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbPayment system model Payment system model

BuyerBuyer

MerchantMerchant

Issuing Bank

Acquiring Bank

ClearingHouse

16+416+4

(M. Rose, FV ) (M. Rose, FV )

Page 16: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbPayment system issues Payment system issues

Transaction category “card not present” For all bankcard approaches for Internet

Issues Knowing buyer/merchant authorized Avoiding third-party interception Interchange, assessment, fees Retrievals, chargebacks, etc.

• Risk managementRisk management

Page 17: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbPayment system efforts Payment system efforts

Commercenet www.commerce.net

First Virtual Holdings www.fv.com

CyberCash www.cybercash.com

Open Market www.openmarket.com

NetMarket www.netmarket.com

Netscape www.netscape.com

DigiCash www.digicash.com

Page 18: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbScheme “Clear”Scheme “Clear”

ClearingClearingHouseHouse

BuyerBuyer

MerchantMerchant

16+416+4in the clear!in the clear!

16+416+4in the clear!in the clear!

Just trust the net...Easy to capture Easy to capture and replay.and replay.

Page 19: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbScheme “ID”Scheme “ID”

ClearingClearingHouseHouse

BuyerBuyer

MerchantMerchant

16+416+4

IDID

ID ID

16+416+4

StillStill trust the net, untilthe next statement...Easy to capture and replay. Easy to capture and replay.

Page 20: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbScheme “ID confirm”Scheme “ID confirm”

ClearingClearingHouseHouse

BuyerBuyer

16+416+4

ID ID ID ID

ConfirmConfirm

ID ID MerchantMerchant

Each transactionconfirmed.Requires mildlyRequires mildlysafe user account.safe user account.

Page 21: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbScheme “Secure link”Scheme “Secure link”

ClearingClearingHouseHouse

BuyerBuyer

MerchantMerchant

Encrypted Encrypted 16+416+4

16+416+4

Same a telephone, but encrypt over Internet.Merchant gets Merchant gets number. number. Is merchant safe??Is merchant safe??

Page 22: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbScheme “Mediated”Scheme “Mediated”

ClearingClearingHouseHouse

BuyerBuyer

MerchantMerchant

Encrypted Encrypted 16+416+4

Encrypted Encrypted 16+416+4

Only banks sees datain clear.Limited points of Limited points of attack.attack.

Page 23: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbThe standards debateThe standards debate

Open

IP labelingSession SecurityS-HTTP (sort of)

MOSS

Proprietary

SSLSTT

PGP (sort of)S/MIME

Page 24: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bb Freezing out competitionFreezing out competition

Non-interoperability Do it because it’s minemine! Customer lock-in through

proprietary extensions

Half-hearted integration Specialized protocols for each and

every need

Page 25: Securing Transactions: Protocols and Politics D. Crocker Brandenberg Consulting +1 408 246 8253 dcrocker@brandenburg.com D. Crocker Brandenberg Consulting.

© 1995 D. Crocker, Brandenburg Consulting

bbbbbb

bbIs there hope?Is there hope?

Vendor initiatives Market lead

Folded into public standards Open access Open enhancement

It all depends on market demand.It all depends on market demand.YouYou are the market; start demanding! are the market; start demanding!


Recommended