WWDC2000 Session 409
Transcript
Kind: captions
Language: en
...titled this "WebObjects and Security," because that's what we thought we'd need after the last session: calling security in to manage the Objective-C issues. But I think that actually people are behaving pretty well, and I appreciate that. But obviously there are other kinds of security, such as making sure that the right people can see the right data and the wrong people don't, and for that we have David Newman. David?

Okay, okay. I've got a lot to cover, so if I do this right I'll talk real fast and hopefully you'll be able to follow, or it won't be too confusing. The basic things I'm going to cover include security concepts and coding techniques. I created a special kit for this conference that I call the WOSecurityKit, and it includes a bunch of stuff. In demoing some of the concepts that you can roll your own, I'm also going to be demoing, in effect, aspects of the security kit at the same time. And then I'll be covering some B2B applications and security.

"Security" is a big word. I heard someone say in an earlier talk, "I want to, you know, do security with my application; can you tell me about making my app do security?" And that's a really big thing, and I'm not even going to be able to cover all of it. I'm going to focus on secrecy, which is what most people think of when they think of security; some detail on the concept of integrity; and a little bit, well, I say "not covered" there, but I mean there's this tiny smidgen on availability.

Okay, so this is sort of the outline of the talk. I'm going to talk about cryptography first, authentication techniques next, and then the heart of the thing, access control and Enterprise Objects, and finally integrity of transactions. Time permitting, I'm going to get to the fourth bullet; hopefully I'll be able to get to it.
Okay, cryptography. Originally I wasn't even going to do the next five slides, but I'm going to go through them anyway, just to make sure everyone has a good, quick, quickie background primer on the two kinds of cryptography: secret key and public key. Secret key is the kind of stuff that you're probably used to; public key is the stuff that SSL is based on, among other things.

So the basic problem with secret key cryptography is you have to have this secret in order to have a secure channel. So you've got to get a secure channel to get a secure channel, and that's a bit of a problem. And that's not the half of it. Then there's the key distribution aspect of things. Once you've got the secret exchanged with your customers, if you're Acme Corporation and you want to encrypt information with your customers, you pretty much have to establish this secure channel through some formal meeting with, like, all of them, and that's a pretty inefficient sort of thing to want to do. So there's this key distribution issue. Now, you could give the same key to everybody, but then, you know, that'd be "very secure."
So, moving on to public key crypto: there is no secure channel problem, in theory, because there are two pieces of the key, the private key that only Acme knows and the public key that they share, and that is a public artifact; it can be shared in the clear. It also addresses the key distribution problem, because it can be addressed in the clear: everybody can get the same public key and talk to Acme in a secure fashion. I say "almost" because there are two loopholes. The first one is covered by the issue, well, the question is: how do you know Acme means the real Acme? And we have certificate authorities like VeriSign, TrustNet, CyberTrust, etc., etc., that you can use as a trusted third party to issue these kinds of public keys in the form of digital certificates. Now, there are other questions here as well that I'm not going to be able to really get to in any detail.
What does the secure hash do? What does the digital signature do? How do you know which CA to trust? How do you know to trust VeriSign, for example? How can you tell that you don't have, like, a forged ID? You just have this information with the public key, and how do you know it's actually from a valid certificate authority? And how can you get the ID to encrypt a message? If you want to send something to Acme, what's an efficient way to get their public key? And I said there are two loopholes; what's the second public key crypto loophole? I'll cover that one later.

Okay, SSL. We're getting closer to WebObjects now. This is an implementation of public key crypto on the web. The basics in one slide, if you can summarize SSL in one slide: acme.com has a digital ID; your browser checks that the ID is issued by a CA that it trusts; your browser encrypts some random secret and sends it to the server; the server uses that secret as a secret key for secret key cryptography; and you're doing secret key cryptography from there on.

Now, using this with WebObjects: in some instances, if you're the developer and not the system administrator, you're done, man. It's not your problem. If your app can only be accessed over SSL, you just push that whole puppy onto the guy managing your Netscape server or IIS or Apache or whatever. But if you have an application where part of it is going to be secure and part of it is going to be insecure via SSL, then you have to know about some more things. You have to know how to construct these URLs that are absolute instead of relative, which gets us to the next slide here. Sort of the problem, although it's not a problem per se, it's a problem in this particular context, is that WebObjects generates partial URLs; it does not generate absolute ones. That way your application code doesn't have to know about some detail of the deployment, that detail being your web server. In code, it would be nice not to have to tell it what your web server is in any fashion, and with a partial URL you can do that; it just assumes whatever web server was used to access the application in the first place. But if you're going to force SSL from a non-secure page, you're going to have to create URLs that are full, that have a host name and the secure protocol in there. So, forcing this in WebObjects:
There are three ways you can do it. There's some private Objective-C API you could use to form the full URLs, and that's documented in this tech note that's online; that's the URL for it. Or you can create a custom WOHyperlink and WOForm implementation; this is sort of what I've done in the past. Or there's this clever little redirect technique, and this technique is also documented in the Info Center, and this method lets you basically use the normal elements; you don't have to create your own custom hyperlink and form in order to make it work. But the one downside of that third bullet is you can't control the granularity of this at the sub-page granularity. The second technique is really nice and good for most applications, but if some of your links need to be secure and some need to be insecure, you may need to do the second bullet.

So here's just an example, if you were going to implement your own custom secure hyperlink; here are sort of the ingredients of it. Your SecureHyperlink component would contain a declaration very much like this for a WOGenericContainer. It's got an element name of "a," for anchor. It's got a couple of bindings; you've probably heard of the href binding, which is basically the explicit href that's going to show in the page. You probably have not heard of the, excuse me, the invokeAction binding. This is a neat way of basically saying, for this href, invoke this server-side action. Normally you do that all in one; there's one binding in a WOHyperlink, and it's action equals some method in your page. But here you basically have two bindings for that: one that constructs the URL, and the action you want it to represent. So this is how that works, and if you want a starting point, take a look at WXHyperlink in the Component Elements framework; that's in the WebObjects example frameworks, you'll find it in the Info Center. And in your implementation of this component you'd have a custom version of that method I'm calling href, and my simplistic method hard-codes the protocol and the hostname and then appends that to the component action URL that you get from the context. And that's it; so it's actually fairly trivial to do, except now you have to use SecureHyperlink everywhere instead of WOHyperlink.

Okay, so this is security, so it's going to be boring. My demos don't have any flash; there's nothing swirling around. It's just, well, you'll see. Okay, this is my little test app. This is the application that I've included in the WOSecurityKit, which by the way will be available as a download at the WWDC download sites or whatever; I'll give you the URL for it later. So it's got a bunch of different things I'm going to be testing here later, but right now we've got this "go insecure" and "go secure." Right now I'm in secure mode, so I'll go insecure, and I'll go secure, and insecure, secure. You see, you know, Steve has that action with the window, you know; I got this, all right. Okay, that was demo number one.

Okay, now sometimes you might want to encrypt programmatically, and why you'd want to do that: a few occasions, actually maybe a lot. The examples I give there: if you've got some passwords in the database, some personal information, credit card numbers; some people I know at a company lost some of those. And I think another question is how. This is kind of a sticky issue, because, you know, there are all these export restrictions; the National Security Agency is such a tightwad about this and the export thing. So, you know, you just can't ship something that has strong cryptography. Usually you have to, you know, ship something without it and then link the other stuff in later, and then you have to pay a fortune to, well, never mind, anyway. You've got BSAFE here and JSAFE; these are commercial crypto libraries, one is C-based, one is Java-based, and they're both from RSA Data Systems, I suppose. These are the big ones, the ones that most people out there are using in the commercial space. But there are some free ones, or sort of free: Intel CDSA, I believe, includes some crypto stuff; Microsoft's crypto lib is free, but just runs on Win32.
I think SSLeay, I don't even know how to pronounce this thing, I think it's "S-S-Lee," some people say "S-S-L-E-A-Y," whatever; hey, it's free, you can get it and, you know, do some cryptography with it. Now, on the encryption techniques: the one thing that is really simplistic is to explicitly encrypt stuff. But if you have some EOs, if you have, like, a password thing in the enterprise object, you might add a couple of accessor methods to it, like, you know, encryptedPassword and setEncryptedPassword, and then do the encryption and decryption in there. And you might actually add a little state to your object to have a cache, so you don't have to keep doing that every time the thing's accessed. That's just one thing that I've seen done. Now, a question I'm not going to be able to answer here, maybe we can talk about it at the end, is what key size should you use for this sort of thing, and does my data get less secure as computing power increases? I've kind of got my own opinion about that.
Okay, this is basically the meat of the thing: authentication techniques. Authentication is basically, we broke it into these, I call them like four types of compartments. You've got the logical and the physical. On the logical part, you have to answer the questions: are you who you claim to be, and if so, do you have access? And then there's the physical piece: the presentation-specific and the business-policy-specific. It turns out it's difficult to make a login panel. You think, well, a login panel's a couple of text fields and a button; now, it could be easier than that. But there are questions about when to log in, and where do you go when you log in; there are different ways of logging in, all these different sorts of presentation styles. So I've tried to cover some of these things in the security kit without tying you down. But anyway, when to log in: this is one of the questions that gets asked. Maybe you want a WebObjects session, or you don't even allow the session unless they're logged in, which could be kind of tricky, since WebObjects creates the session by default when you access it. So you could allow surfing, you know, like creating a session; you're going to design your own business, you go to the web app and then try to do something sensitive, and then do an on-demand type of login. Or maybe, you know, you do the on-demand login and then you go to a navigator, or you do an on-demand login and you go straight to the page they wanted to access, which is actually usually the most desirable. And then there's the session timeout: the session times out, and then, you know, maybe instead of showing "hey, your session timed out," you just go to the login page, and then you can get right back to where you were leaving off.

Okay, and then there's this notion I call access posture. Basically, I try to encode a way, or you'd probably have to do this by hand yourself, where you want to default to deny everything or default to allow everything; default to allow or deny direct actions; default to deny or allow privacy: maybe a page can only be viewed under SSL, or maybe you don't want to allow viewing any pages unless they're over SSL, but with certain exceptions for each of those three cases.

Okay, and then these are like the three kinds of, actually there are four kinds of ways of gathering credentials; I've listed four there: an HTML page; an HTTP login panel, by that I mean that little challenge thing that comes up and you type into an actual physical panel, instead of a page, that your browser raises up; a digital certificate; or a cookie. And there are many different ways to verify the credentials you've chosen. The top stuff is very presentation-specific, in fact it's entirely presentation-specific; the ones in the middle are very your-company-specific. And the WOAuthPolicy framework provides all of these; now, it doesn't provide the cookie authentication technique, but it provides the other three, and it provides some delegation hooks for your custom verification business logic.

Now, going to the sessionless login: this gets to the one area which is sort of availability-related. A session can be kind of a heavyweight thing, so you might not want to create one if you can help it; maybe you only want to allow one if the person has successfully logged in. You also might want, with a sessionless login, to be able to bookmark the login page. It also lets you be able to attempt the login without getting a "session expired." I had some customers who were kind of complaining to me once: "okay, I created this login page, my customer was there, they left it up there, they went and got some coffee, came back, logged into things, and the session expired, and I don't get a damn thing. Why did the session expire?" So it'd be kind of nice to have a sessionless login where you could not run into that irritation. And in order to do this, if you're using an HTML page, you'd use a WOForm and some direct actions. So these are sort of the basic logical things you need to do. This first one is hard to say; I think "default action" shows up about three or four times in it: use the direct action action handler as the default action handler. I've got the code for that in the next slide, and I think that's actually clearer than that.
Anyway, force WebObjects to just go to your login page instead of Main. By default we go to Main, and Main may have things which directly or indirectly kick off a session that you don't want. And then when you create your login page, you have to be very careful you don't call session anywhere. So you do that: you create your login page and it doesn't, and yet sessions are getting created, and you're wondering why. And it turns out that you've got a component on your page, and that component happened to refer to a session, which meant the session got created. And then you get rid of all those and go, okay, everything's hunky-dory, and go, sessions are still getting created. And that can happen because maybe there's a component action: if there's a WOHyperlink and you've bound an action to it, and that shows up on the page, well, component actions imply a session, so one will be created for you to put that session ID in when the page returns. So you have to be really, really careful at the, it might not be WebObjects, it might be your code, actually, so you should be really careful about that.

Now, this is sort of the code that you can use to sort of implement all this. There's other code involved, but these are sort of what I call the secret-handshake type of code. So in your direct action subclass you'd want to override defaultAction and return the login page instead of Main; that'll take you to the login page instead of whatever the main page is. The second point there forces the system, instead of, like, defaulting to the component action handler when you initially access your app, to use the direct action action handler, which does not create a session unless you explicitly tell it to. So the combination of those two things gives you a sessionless login. So, a demo of that. All right, this is HTML, so let's go to the policy editor here. Okay, it's already HTML, good.
All right, so I'll go to this. I've got various links here that do various things. This is the private one, so this one needs to be over SSL. This one is going to require a login, so I'll just do a login here and fail, then try and successfully log in, and we're in. So it's just got a flag: this is when I'm logged in, and I'm also over secure mode. So anyway, that was that exciting demo, so let's move on.
Okay, HTTP challenge panel. Now, this sounds like it should be really easy to do, and unfortunately it's tricky as hell. There's a tech note in the Info Center that shows you how to do it, and in order to make it work your WOResponse object must emit certain statuses; it has to also set a certain header; and then you have to look for a certain kind of header when it comes in. Oh, and you get all that working and it doesn't work, because the web server you're using has an interface that doesn't actually pass the authorization header. And then once you've got all that and you think you're out of the woods, you get this blob of base64-encoded muck that you have to, like, walk through. So it can be a little tricky. But to get you started, those are, that's the status you need to set and the header you need to set on the outgoing response to at least force the panel to come up. Then you need to look for a header named Authorization on the incoming WORequest and look at the content of that. And CGI with Netscape, at least, does not pass that header; other web servers with CGI may, I'm not sure; NSAPI definitely does, and this demo is all happening on NSAPI. They should be, yes, yeah. In fact, I actually made them kind of wordy, so, you know, you'd be able to maybe treat them, sort of, like a mini outline. This is something that could be useful if you're decoding base64 data; this is just part of the standard JDK, the BASE64Decoder object. And once you have a normal character string that you get from that, you can parse the string and get the username and password out of it. Okay, so I'll show that.
Go to HTTP panel, submit, and I'll start a new session when I'm not logged in, and I'll go to the login-required page. Up pops this little panel, and now, the thing that is kind of neat there is that this login technique is using the exact same business logic to actually do the login, but, you know, I was able to kind of on-the-fly change the whole way in which credentials were gathered, using that little policy framework thing. So anyway, more on that later. Can I move on? I don't have one of those little things to throw at them.
Okay, logging in without a login panel: cookies. I've kind of done this once and regretted it, because if you do this, you stick the username and password in the browser, and then this guy who has administration capability decides, oh, I'll access it from someone else's computer, and you just left your password on their computer. So probably not a good idea. Plus, I guess it recently came out that if you're an enterprising website you can pretty much get anyone's cookies if they're using IE, so maybe that's a feature.
Now, if you're going to log in without a login panel, you could use digital certificates. This is really the ultimate in security, although it does have a bit of baggage that comes with it. It reverses the role of username and password; by that I mean, basically, the SSL protocol proves that you are who you say you are, and then you decide whether you have access, as opposed to the other way around. And it obviously requires SSL to make that work. Okay.
Now, if you're in a WebObjects application, if you get a digital certificate, it's going to come in on a header called the client cert. And once you've got that client cert, it's encoded in this ASN.1 blob in base64 format. Now, you could go and walk that and parse it yourself, or you could use sun.security.x509 and just use that collection of classes: just create yourself an X509Certificate object. And then you might want a validated status in your code, to actually see if the certificate hasn't been revoked, and the security kit includes a wrapper for a framework from ValiCert that wraps such a type of status checker. Now, there's one little sort of hang-up in all this in using it with WebObjects. Well, there are two ways you can grant access with digital certificates. You can just leave it all to the web server and configure the web server to trust certain CAs and certain digital certificates issued by those CAs, and just be done with it: you know, they pass that test, they're in; if not, they don't get in. But odds are you might just want to configure it with a CA you wish to trust, let the certificate come into your application, and then look at the contents of the certificate, who the person is, where they're from, etc., etc., and then decide whether or not they get access. And that sounds great, except, like the slide says, the WebObjects adaptors don't actually pass the cert along intact, or they don't even pass it at all. So the WOSecurityKit includes some source code for CGI and an NSAPI adaptor, in binary form, the binaries and the source, that pass the certificate correctly and don't even leak.

So this brings me to that second loophole. Just because you have an unexpired digital ID issued by a trusted CA does not mean that it's good; it could be revoked. If your application just trusts a certificate like that, it's very analogous to you going to, like, Target or whatever, whipping out your credit card, saying "hey, look, credit card, it's Visa, okay, give me $1,000 worth of stuff," and they just did it, like, "what, you know, it's amazing, card's got a hologram, it's good." Right now, they're going to take it, they're going to swipe it through some little device and check whether or not it's actually been stolen and is hot as hell. So you probably ought to check the ID, and there are two ways of doing that: you can download a certificate revocation list from the certificate authority, or you can contact a VA to check the status of the certificate. Okay.
Now I'm going to kind of get off into a little bit of la-la land here. I'm going to try and go through these kind of fast; like, you should probably skip them, but I think it's important that some of this information is known; it wasn't really known to me six months ago, so let me just kind of run through it. The way this works with the user is that, you know, that user, if they have a certificate, they've got a private key, and they unlock that private key with a passphrase. And at first this struck me as kind of bogus; I mean, we go to all this trouble to have the certificate with its unbelievably encoded, long, ten-thousand-bit key, and then I unlock it with "fubar." You know, just something's not right there.
But unlike the username and password scenario, this passphrase is something you created; it's not shared with anyone, and it never leaves your computer, in theory. It's something just between you and the computer, and only you know it. So it's not quite as bad, but it's still a little weak. And there's this other sort of downside: you've got this private key in a file. A username and password, if you can remember it, you can pretty much take it with you anywhere, but now you have to sort of carry this document with you, and you have to put it on a floppy if you want it to be portable. So typically these things aren't portable; they just sit on one machine. And having things in files is a pretty extraordinarily lame way of establishing security, so there have been some things that have been called smart cards that try to address this, where you put all this information on a smart card. A smart card has a CPU that does all the crypto on it; the private key never leaves the card, so the hacker would have to steal your card in order to impersonate you. And there can be some smart cards that can get attached to devices that accept your passphrase directly, and for the truly paranoid, that device can be a biometric. So, you know, you could basically log into a website by sticking your smart card into a reader, putting your thumb on it, and then you're logged in. So that's pretty good security, unless someone cuts your thumb off. So, getting on to another demo.
Okay, I'm going to close IE here and come back into it, because I'm going to show you, like, the thing prompting for a digital certificate. I'm just going to do a digital certificate login, so go to the policy editor here and pick certificate, and I'll go to something that requires a login. And in this case my computer's not hooked up to the Internet, so I couldn't actually go out to check the status of the certificate. Well, actually, that was, I was, actually that page is private; let me change the policy on that page so it isn't private anymore. See, page two, remove. I think I should have had this set up before I came in here. Which, there, okay, okay, good. Oh, there we go. So a panel pops up; it asks for your certificate; you pick the one you want. I happen to have three; I'm just going to pick this one and go to, at some insecure mode now. Now I'll go to the login-required page. It says, okay, your certificate is not granted access, and the user info, that you can't read unfortunately, says "could not get status response; validation results; response status equals no." So you might have your own policy for this; you might just grant them all, or you might do something else. The point is, I have a delegate hook that gets called; it passes in the certificate, and you can do anything you want in that hook to determine what you're going to do. So, okay, going back to this.

Okay, now, blocking access to your app. This can be a little tricky, because someone might add a direct action; it's actually possible to override pageWithName and, like, maybe have something that says, well, if this form value's there, we'll just go to this page. I mean, there are lots of different ways of coding things, but maybe you wrote something and, after the fact, someone added a direct action or added this sort of hack in there that was meant to do something but sort of defeated your security policy. But if you override appendToResponse, and that page is a component, you can basically catch this sort of stuff, to make sure that a certain test is always okay before you allow that page to be generated. Now, that's for, well, that's for generating a component; that does not cover invoking a direct action. It's very hard to invoke a component action unless you have a session, so if it's okay to see the hyperlink, it's probably okay to execute it, but it might not be okay to go to where that thing takes you. Maybe three of the four different pages it might take you to would be okay, but the fourth one might require you to log in, so that appendToResponse check will handle that. But if it's a direct action,
I mean, someone can just type that in there, so then you need something for that; they can just type that right into their browser and go straight there. So this is the choke point for handling that: for generating pages, it's appendToResponse; for handling direct actions, it's this method performActionNamed. It passes in the name of the action you're about to fire, and you know the full path to it, like fubar/actionName. And if you put some guardian code in these two places, you can pretty much protect things pretty well. So this is sort of an example of what code like that might look like. I've got appendToResponse; I've got some hypothetical method called shouldDenyPageGeneration, and if you shouldn't deny, then you just call super and it processes as normal. But if you should, if it's illegal for you to go there because you're not allowed, maybe because you're not logged in, I create a login page and set the content on it, and I get the content by generateResponse on the login page there. So there's a lot going on on that line right there in the middle, but that's one way of dynamically popping up a login panel if you're not allowed.

Now, to do on-demand login, this is that thing I talked about where you aren't allowed access to something, the login panel pops up, and then you just successfully pass the test and you immediately go to the place that you want to go, instead of having to re-navigate into all this other nonsense. And the way I recommend doing that is, when you create that login page, set the name of the page; don't create an instance of a component or a page and set the page on that, because I've actually seen some people doing that, and I guess that's fine in most cases, but there can be side effects when you generate a page. If you're not allowed to go there or even see it, why should you even construct the thing? You might be doing something in awake or in the constructor that you don't want to do. So if you just pass the page name, in most cases that's going to be lighter weight and more secure anyway. So let's do that.
Okay, I'm going to change the policy here. I'll go to panel, and let's say login is required for this. So I'm going to page three; that's the page I want to go to, and I'm in. So now, if I try to go back and access that again, you know, the panel doesn't come up, because the session knows that I'm logged in. So that's that.

Now, the security kit. What I've got in this thing is the modified WO adaptors I talked about. I included a security white paper in there, which kind of goes into more detail than my presentation does. It's got this WXAuthPolicy framework, which incorporates all the stuff you've been seeing me play around with here. I've also got a framework that wraps some stuff from a company called, I think it's Celo, they're Swedish, maybe it's "C-Lou" or whatever, but I made a plug-in, they have a plug-in that'll do a digital signature in your browser; it's got a framework wrapped around there. There's the ValiCert framework that I have wrapped there and created a Java wrapper for as well. And then the demo app itself, which uses all the above. So the things that are in the auth policy thing: I've got the credential gathering that you've seen; hooks for custom business logic; I've got this notion of access posture for pages, actions and privacy; there's the SSL access toggling support in there, just one method you have to call to do that little toggle between secure and insecure pages.
then there's the session las' login
support and some other stuff and the
easiest way to find out how to use it is
just to take a look at the CF n dot app
that I've created now unfortunately the
only way I was able to really guarantee
lockdown of the application was to force
you to subclass your component session
direct action and application from my
abstract super classes so sorry about
that but you know that's security for
you it's constraining policy can be set
in code or be a GUI component that
component you saw there is part of the
kit you can drop that on a page and
control your policy interactively with
that thing and you can get it at this
link enterprise's Apple comm WWDC 2008
with the name of my accession like 409 I
believe and then in that I've got two
files one is just the soar
our code stuff with all the frameworks
and the other one is just this big
honkin blob that has the freebies from
Cee Lo and Bowser so let's do a demo
This thing, you've actually sort of seen part of it, but anyway you kind of see how we've got different resources here. I've got a page... let me just sort of get a new session here, okay. I've got page one, which you can access in any case, it's always okay to access page one. Page two used to be private, I'll go and make it private again. Actually, I'll show you how this works: page two, and okay. Okay, I'll actually go insecure. I'm on a secure link, so if I come in over a secure link, the thing detects that I did not access this page over SSL and goes, whoa, you're not supposed to see this unless this thing got encrypted, so I'm not even going to send it, I'm gonna send you this instead. Okay, and you saw how I was able to, like, flip that on and off by just adding a page name to a list. That's what I meant by an access posture.

So, sort of go back to that policy editor. So I've got these three access postures. One is for page generation, so I'm defaulting to denying all page generation with those exceptions: page 1, page 2, the policy editor page and Main are OK, you can see those without logging in. I've got only one direct action that I'm allowing, default action, that's the action that gets called when the page is initially created on session creation. And then there's a "should deny all pages not secured"; right now I'm allowing all pages to show up under non-SSL except for those three pages right there. And you know, there's some other things going on here as well, but I mean that's sort of the main part of it. So, move on to the next thing. This guy, with the demo things I'm going to flip back and forth, is probably getting pissed. Okay.
Access control. Now this is the notion of, okay, they've gotten into your application, now what? Did I just let them walk all over everything and do anything they want? But I think in my experience it's come down to answering two questions, and it comes down to your EOs answering these questions: given an instance of entity A, can user B see it, and if so, edit it? And this access depends on the state of both of these things: what kind of EO is being edited, and what kind of user is attempting to edit it. If it's the administrator, maybe they get to; if it's my mother, Joe Schmoe, maybe they can't. And this is sort of what I would call the basic access control protocol that your EOs might implement: canShow and canEdit, getting passed in a user. I assume everyone who has an EOModel, who has a commercial application, is going to have a user entity, so that's the thing that would get passed in here.

And this might be a sample hierarchy that you'd have, security oriented: you'd have GenericEO, which would implement the default access policy, you'd have SecuredEO, which would dictate certain schema, because EOs that need to be secured as opposed to not shown might have to have certain relationships to other objects to work, and then I've got Product in that little diagram, which is an example of a concrete EO. So you never have an instance of a GenericEO or SecuredEO, you'd only have instances of a concrete subclass. So this is a sample implementation of what GenericEO might look like, both returning true, therefore your default access policy is to allow everyone to see and edit, and then you have exceptions. Now for SecuredEO, this is just again a sample implementation, and I assume that anything that inherits from SecuredEO, that those entities have a to-one relationship to a user table called creator, and it's got a to-many relationship, also to the user table, called owners. So if the user is equal to creator, return true; if the user passed in happens to be one of the people that owns the thing, return true; else return false. And you can see my canEdit policy says, well, if you can see it, you can edit it. Now you can make this more elaborate, but the beauty about putting this in this abstract superclass called SecuredEO is that you can have a pretty sophisticated policy that all of your enterprise objects implement in one place, and the logic is in the EOs, it's not in the top of the pages asking these questions, deciding what you can see, what you can't see. It's down below; all your pages have to do is know how to ask the question, they don't have to implement the policy.
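The GenericEO / SecuredEO / Product hierarchy and the creator/owners policy described above, as an added example: this is plain Java written for this transcript, not the kit's code and not EOF classes, and User, GenericEO, SecuredEO, Product and visibleTo are assumed names.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: plain-Java stand-ins for the EO hierarchy in the talk, not WebObjects/EOF classes.
class User {
    final String name;
    User(String name) { this.name = name; }
}

// GenericEO: the default access policy. Everyone can see and edit unless a subclass says otherwise.
abstract class GenericEO {
    boolean canShow(User u) { return true; }
    boolean canEdit(User u) { return true; }
}

// SecuredEO: assumes a to-one 'creator' and a to-many 'owners', both to the user table.
abstract class SecuredEO extends GenericEO {
    User creator;
    final List<User> owners = new ArrayList<>();

    @Override boolean canShow(User u) {
        if (u == null) return false;            // anonymous session: nothing to compare against
        if (u == creator) return true;          // the creator always sees it
        return owners.contains(u);              // or anyone listed as an owner
    }
    // The talk's sample policy: if you can see it, you can edit it.
    @Override boolean canEdit(User u) { return canShow(u); }
}

// Product: a concrete entity; only concrete subclasses ever get instantiated.
class Product extends SecuredEO {
    final String sku;
    Product(String sku, User creator) { this.sku = sku; this.creator = creator; }
}

class AccessDemo {
    // What a page does: it only asks the question, the policy lives in the EOs.
    static List<GenericEO> visibleTo(List<? extends GenericEO> all, User u) {
        List<GenericEO> out = new ArrayList<>();
        for (GenericEO eo : all) if (eo.canShow(u)) out.add(eo);
        return out;
    }
    public static void main(String[] args) {
        User alice = new User("alice"), bob = new User("bob"), eve = new User("eve");
        Product p = new Product("W-7", alice);           // constructed sample data
        p.owners.add(bob);
        List<Product> all = List.of(p);
        System.out.println(visibleTo(all, alice).size()); // 1: creator
        System.out.println(visibleTo(all, bob).size());   // 1: owner
        System.out.println(visibleTo(all, eve).size());   // 0: neither
        System.out.println(p.canEdit(eve));               // false
    }
}
```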
Now if the policy gets more interesting you might use this thing called discretionary access control, and if you did, you'd want to add more relationships than the ones I had, like creator, owners, groups, permission, and basically this is how the UNIX file system works. If you're really anal, like the Department of Defense, you might have mandatory access control, so you've got a set of permissions, you have these things called security levels, and instead of groups you have this thing called compartments. And in addition to just adjusting what you can see and edit, it actually affects more than that, it affects what you can do in terms of inserting information into, in this case, a database. So my example here is, to actually implement MAC in WebObjects you'd have to take advantage of some delegates on the editing context. So if you're in certain compartments, if you're a user, if you're a secret user and you're editing things in the marketing department, you cannot physically save or insert information into the accounting table that's unclassified, for example, which is totally opposite of what you think on UNIX. I mean, if you're the root user, goddamn, you can write anywhere you want, you know, that's the whole thing about being root. But in this case, you know, if you are Mr. Super Top Secret, you can't write anything except top secret. So your editing context delegate would make sure that, before it actually allowed an insert to happen, certain relationships were set, and if they weren't set it would reject or raise an exception.
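The mandatory access control check described above (a secret user may not insert into an unclassified table, and an insert with no label set is rejected), as an added example in plain Java: it is the check the editing context delegate would run, not EOF's delegate API, and Level, Compartment, Label and MacPolicy are assumed names.

```java
import java.util.EnumSet;
import java.util.List;

// Added example: the MAC check an editing-context delegate would run before a save.
// Plain Java; none of these names are EOF API.
enum Level { UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET }
enum Compartment { MARKETING, ACCOUNTING }

class Label {
    final Level level;
    final EnumSet<Compartment> compartments;
    Label(Level level, EnumSet<Compartment> compartments) {
        this.level = level; this.compartments = compartments;
    }
    // 'this' dominates 'other' when its level is at least as high and its compartments cover other's.
    boolean dominates(Label other) {
        return level.compareTo(other.level) >= 0 && compartments.containsAll(other.compartments);
    }
}

class MacPolicy {
    // No read up: a user sees an object only if the user's clearance dominates the object's label.
    static boolean canShow(Label subject, Label object) { return subject.dominates(object); }

    // No write down: the object's label must dominate the user's clearance, so a SECRET user in
    // MARKETING cannot insert an UNCLASSIFIED ACCOUNTING row, even though they could read it.
    static boolean canInsert(Label subject, Label object) { return object.dominates(subject); }

    // What the delegate does with the objects being inserted: refuse the save if any object has
    // no label set (missing relationship) or violates no-write-down.
    static void validateInserts(Label subject, List<Label> inserted) {
        for (Label l : inserted) {
            if (l == null) throw new SecurityException("inserted object has no security label set");
            if (!canInsert(subject, l)) throw new SecurityException("no write down: " + l.level + " " + l.compartments);
        }
    }

    public static void main(String[] args) {
        Label secretMarketing = new Label(Level.SECRET, EnumSet.of(Compartment.MARKETING));  // constructed
        Label unclassAccounting = new Label(Level.UNCLASSIFIED, EnumSet.of(Compartment.ACCOUNTING));
        Label topSecretBoth = new Label(Level.TOP_SECRET, EnumSet.allOf(Compartment.class));
        System.out.println(canShow(secretMarketing, unclassAccounting));   // false: different compartment
        System.out.println(canInsert(secretMarketing, unclassAccounting)); // false: write down
        System.out.println(canInsert(secretMarketing, topSecretBoth));     // true: write up is allowed
        try {
            validateInserts(secretMarketing, List.of(topSecretBoth, unclassAccounting));
        } catch (SecurityException e) {
            System.out.println("save rejected: " + e.getMessage());
        }
    }
}
```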
So getting to integrity, this is the fourth section. Aspects of integrity are data corruption testing, making sure something hasn't been tampered with, verifying the origin, and it's implemented using digital signatures and public key cryptography. And the key thing here is a digital signature, and a digital signature is created by something called hashing a message. That's just, hashing takes your message, puts it into something fixed size, and then you use this private key to encrypt that, and that encrypted thing is attached to your message, and that's a digital signature in 100 words or less.

Okay, non-repudiation. This is this thing that is really great to have in the e-commerce space, where you can prove that that jackass actually bought the ten thousand dollar rocking chair. Okay, so in the physical world you use ink signatures, in the digital world you use digital signatures. So, business to consumer digital signatures. This requires, unfortunately, some client-side stuff. I think this is one reason this hasn't really taken off in the consumer space, because you need all this stuff, but the other clients require a browser plugin, and example applications would be employee form processing, brokerage enrollment, account paperless workflow and authorization. Now there is one development that's happened here, there's American Express. I don't know if everyone realizes it, but you know these Blue cards, it's a smart card. Right now you see them in commercials, like twisting it and turning it and pulling it and all the other... Well, they don't tell anybody this, but there's actually a digital certificate on here. It's issued by a company called CyberTrust, which used to be a division of GTE and was bought by a company called Baltimore out of Ireland. And you really could do cryptography on your system if they ever get around to it. So, sort of interesting, people don't even realize it, but there is something getting out there, so slowly I guess it's getting into the consumer space. Remind me not to leave that there.
Okay, so I'm going to do a demo here of... I was going to originally make this whole, like, elaborate thing, I was going to have all these graphics on here, and ended up with this ugly thing. But I'm going to log in to this guy, and actually this needs to be over SSL, so let's go secure and go back to it. Okay, so this is like the sort of business plan I had, talking to a friend of mine at lunch. I said, you know, why don't we have this, like, website that you access over SSL, these are digital signatures, and you digitally sign a confession and then someone in the Vatican responds to you. Okay, so you did something really bad, like, "I like sheep," say, you know. And this is going to load a plugin which has the information about to be signed. I'm going to pick the certificate I'm going to use, enter my password, and sign and send this. And this is basically what the server got: it got the certificate I used to sign it, and this thing at the bottom is just the base64 encoded signed blob. So you know, I have proof that I agreed, I wrote the statement, and that I did what I did, and so that they know, and they can maybe send me an email saying, well, you know, you're forgiven if you whatever.

Now, I bring this up because it does get to the point of who do you trust. Now, I sent this to this website, you know, the confession.com website, and I think, you know, I trust these guys, they have the certificate, it's issued. What I didn't know is that their private key was compromised the other day by another company operated out of the Cayman Islands called extortion.com, okay, and they have this business of selling information to you for a profit. So you know, you have to check credentials or something like that could happen to you. So anyway, going back to the slides here.
Okay, business to business digital signatures. Now this is, instead of a consumer talking to your WebObjects application, this is two WebObjects applications talking to each other directly, or just a non-WebObjects application, or you talking to a non-WebObjects application, or them talking to you. And an example of this is basically any kind of EDI message, and the classic one among many is the purchase order. So in WebObjects there's some infrastructure for this, so that in 4.0, direct actions are a great way of exposing an API to your application on the web over port 80, over HTTP and so forth, and in 4.5 we added a couple of things which make it even easier. It was very difficult in 4.0.2 to basically talk to a remote WebObjects application. Now if you knew all about socket programming and other stuff... and you know, programmers know about sockets, but not everybody knows about sockets, okay, and it is a bit cumbersome and stuff sometimes. Now it's very easy in 4.5, I mean you can create a request in code, send it to a remote website, get a WOResponse back in code, and do all that. Now the next question is what's the contents you put into those things, and the standard that's coming out is XML. So you'll see, you know, there's XML support in 4.5. In 4.0 it's already easy to generate XML, WebObjects is very good at generating any kind of content, but when you've got some from some other source, like another WebObjects application or some other random entity, you didn't really have anything to parse it, and the IBM parser that's included, you know, you can use to parse it into meaningful data.
So just a simple quick B2B scenario here. A PO is issued to WidgetCo by Acme Corporation. It creates an XML document, it signs it using Java's java.security package, which includes the digital signature stuff, you encrypt this information using WidgetCo's public key so it's nice and private, and you send it using the WOMessage API. And then on the other end, WidgetCo receives this PO from Acme, they decrypt it with their private key, they verify the digital signature is valid, basically doing the simple digital signature test, they make sure the ID is valid. I mean, someone could issue a purchase order for ten million dollars of video equipment, and we're just going to take that? You know, you want some credentials, and in the physical world you have a fax that's signed, but in the digital world you need to do this mathematically, so you know, you want to check the digital ID on that. Well, I'll get to that anecdote later. And then create a digital receipt. This is what you'd want WidgetCo to do: they can basically take all this information, just tie it up in a bow, right? They've got your signed request, they know that they agreed to do it, they get something called a digital timestamp, and they wrap it all up in their digital signature, and then they return this and maybe even store it. And so now they have mathematical proof that you asked for this and that you agreed to it at this time, so it's a pretty neat thing.
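The hash-and-sign digital signature from the integrity section and the Acme to WidgetCo purchase order exchange above (sign, encrypt for the recipient, decrypt, verify, return a signed receipt with a timestamp), as one added example: this is not WebObjects code or the kit's code, it uses only java.security and javax.crypto, it generates throwaway keys in place of certificates, it uses the local clock rather than a timestamp authority, and the PO is small enough for direct RSA (a large XML document would need a hybrid scheme).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;

// Added example, not WebObjects code: Acme signs a PO, seals it for WidgetCo, WidgetCo verifies
// and returns a signed, timestamped receipt. Keys are generated here; real deployments use certificates.
public class B2BPurchaseOrder {
    static final String SIG_ALG = "SHA256withRSA";                       // hash, then sign the hash
    static final String ENC_ALG = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    static KeyPair newKeys() throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        return g.generateKeyPair();
    }
    // Digital signature: Signature hashes the message and encrypts the digest with the private key.
    static byte[] sign(PrivateKey k, byte[] msg) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG); s.initSign(k); s.update(msg); return s.sign();
    }
    static boolean verify(PublicKey k, byte[] msg, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance(SIG_ALG); s.initVerify(k); s.update(msg); return s.verify(sig);
    }
    static byte[] rsa(int mode, Key k, byte[] data) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ENC_ALG); c.init(mode, k); return c.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        KeyPair acme = newKeys(), widget = newKeys();
        // Constructed sample PO (XML in the real exchange; kept tiny here)
        byte[] po = "<po id=\"1001\"><item sku=\"W-7\" qty=\"500\"/></po>".getBytes(StandardCharsets.UTF_8);

        // Acme: sign with its private key, then encrypt the PO with WidgetCo's public key
        byte[] poSig = sign(acme.getPrivate(), po);
        byte[] sealed = rsa(Cipher.ENCRYPT_MODE, widget.getPublic(), po);

        // WidgetCo: decrypt with its private key, verify against Acme's (already trusted) public key
        byte[] received = rsa(Cipher.DECRYPT_MODE, widget.getPrivate(), sealed);
        if (!verify(acme.getPublic(), received, poSig)) throw new SecurityException("bad PO signature");
        byte[] tampered = new String(received, StandardCharsets.UTF_8).replace("500", "5000").getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered PO verifies: " + verify(acme.getPublic(), tampered, poSig)); // false

        // Digital receipt: Acme's signature plus a timestamp, wrapped in WidgetCo's signature, returned and stored
        String receipt = Base64.getEncoder().encodeToString(poSig) + "|" + java.time.Instant.now();
        byte[] receiptBytes = receipt.getBytes(StandardCharsets.UTF_8);
        byte[] receiptSig = sign(widget.getPrivate(), receiptBytes);
        System.out.println("receipt verifies: " + verify(widget.getPublic(), receiptBytes, receiptSig)); // true
    }
}
```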
So in summary, we've covered some cryptography, a little primer on how it works, and mainly some stuff on SSL and how to do that in a WebObjects application, a bunch of stuff on authentication techniques, some stuff on access control and enterprise objects, and then integrity of transactions using digital signatures and so forth. So, more information, you've seen it about a billion times. Who to contact: Tony Earnest. And Q&A.
[Applause]