WWDC2000 Session 409

Transcript

Kind: captions Language: en

tyldus libels WebObjects and security, because that's what we thought we'd need after the last session: calling security in to manage the Objective-C issues. But I think that actually people are behaving pretty well, and I appreciate that. But obviously there's other kinds of security, such as making sure that the right people can see the right data and the wrong people don't, and for that we have David Newman. David?

Okay, okay. I've got a lot to cover, so if I do this right I'll talk real fast and hopefully you'll be able to follow, or it won't be too confusing. The basic things I'm going to cover include security concepts and coding techniques. I created a special kit for this conference that I call the WO Security Kit, and it includes a bunch of stuff. In demoing some of the concepts that you can roll your own, I'm also going to be demoing, in effect, aspects of the security kit at the same time. And then I'll be covering some B2B applications and security.

Security is a big word. I heard someone say in an earlier talk, you know, "I want to do security with my application, can you tell me about making my app do security?" And that's a really big thing, and I'm not even going to be able to cover all of it. I'm going to focus on secrecy, which is what most people think of when they think of security; some detail on the concept of integrity; and a little bit, well, I say "not covered" there, but I mean there's this tiny smidgen on availability.

Okay, so this is sort of the outline of the talk. I'm going to talk about cryptography first; authentication techniques next, and that'll be the heart of the thing; access control and Enterprise Objects; and finally integrity of transactions. Time permitting, I'm going to get to the fourth bullet; hopefully I'll be able to get to it.

Okay, cryptography. Originally I wasn't even going to do the next five slides, but I'm going to go through it anyway, just to make sure everyone has a good quickie background primer on the two kinds of cryptography: secret key and public key. Secret key is the kind of stuff that you're probably used to; public key is the stuff that SSL is based on, among other things. So the basic problem with secret key cryptography is you have to have this secret in order to have a secure channel, so you've got to get a secure channel to get a secure channel, and that's a bit of a problem. And that's not the half of it. Then there's the key distribution aspect of things. Once you've got the secret to exchange with your customers, if you're Acme Corporation and you want to encrypt information with your customers, you pretty much have to establish this secure channel, some formal meeting with, like, all of them, and that's a pretty inefficient sort of thing to want to do. So there's this key distribution issue. Now, you could give the same key to everybody, but then, you know, that'd be very secure.

So, move on to public key crypto. There is no secure channel problem, in theory, because there's two pieces of the key: the private key that only Acme knows, and the public key that they share, and that is a public artifact; it can be shared in the clear. It also addresses the key distribution problem, because it can be accessed in the clear: everybody can get the same public key and talk to Acme in a secure fashion. I say "almost" because there's two loopholes. The first one is covered by the issue, well, the question is: how do you know "Acme" means the real Acme? And we have certificate authorities like VeriSign and Trust Net, CyberTrust, etc., etc., that you can use as a trusted third party to issue these kinds of public keys in the form of digital certificates. Now there's other questions here as well that I'm not going to be able to really get to in any detail: what does the secure hash do, what does the digital signature do, how do you know which CA to trust, how do you know to trust VeriSign, for example, how can you tell that you don't have, like, a forged ID, you just have this information with the public key, and how do you know it's actually from a valid certificate authority, and how can you get the ID to encrypt a message, if you want to send something to Acme what's an efficient way to get their public key. And I said there's two loopholes; what's the second public key crypto loophole? I'll cover that one later.

Okay, SSL. We're getting closer to WebObjects now. This is an implementation of public key crypto on the web, the basics in one slide, if you can summarize SSL in one slide. Acme.com has a digital ID; your browser checks that the ID is issued by a CA that it trusts; your browser encrypts some random secret and sends it to the server; the server and user then use that secret as a secret key for secret key cryptography; and you're doing secret key cryptography from there on. And using this with WebObjects: in some instances, if you're the developer and not the system administrator, you're done, man. That's not your problem. If your app can only be accessed over SSL, you just push that whole puppy on the guy managing your Netscape server or IIS or Apache or whatever. But if you have an application where part of it is going to be secure and part of it is going to be insecure via, you know, SSL, then you have to know about some more things. You have to know how to construct these URLs that are absolute instead of relative, which gets us to the next slide.

Here's sort of the problem, although it's not a problem per se, it's a problem in this particular context: WebObjects generates partial URLs, it does not generate absolute ones. That way your application code doesn't have to know about some detail of the deployment, that detail being your web server. In code it would be nice not to have to tell it what your web server is in any fashion, and with a partial URL you can do that; it just assumes whatever web server was used to access the application in the first place. But if you're going to force SSL from a non-secure page, you're going to have to create URLs that are full, that have a host name and the secure protocol in there.

So, forcing this in WebObjects, there's three ways you can do it. There's some private Objective-C API you could use to form the full URLs, and that's documented in this tech info tech note that's online; that's the URL for it. Or you can create a custom WOHyperlink and WOForm implementation; this is sort of what I've done in the past. Or there's this clever little redirect technique, and this technique is also documented in the Info Center, and this method lets you basically use the normal elements; you don't have to create your own custom hyperlink and form in order to make it work. But the one downside of that third bullet is you can't control the granularity of this at the sub-page granularity. The second technique is really nice and good for most applications, but if some of your links need to be secure and some need to be insecure, you may need to do the second bullet.

So here's just an example. If you were going to implement your own custom SecureHyperlink, here's sort of the ingredients of it. Your SecureHyperlink component would contain a declaration very much like this for a WOGenericContainer: it's got an elementName of "a", for anchor; it's got a couple of bindings. You've probably heard of the href binding, which is basically the explicit href that's going to show in the page. You probably have not heard of the action, excuse me, the invokeAction binding. This is a neat way of basically saying: for this href, invoke this server-side action. Normally you do that all in one; there's one binding, you know, in a WOHyperlink, action equals some method in your page, but here you've basically got two bindings for that, one that constructs the URL you want to represent that action. So this is how that works, and if you want a starting point take a look at WXHyperlink in the component elements framework; that's in the WebObjects example frameworks, you'll find it in the Info Center. And in your implementation of this component you'd have a custom version of that method I'm calling href, and my simplistic method hard-codes the protocol and the hostname and then appends that to the componentActionURL that you get from the context. And that's it, so it's actually fairly trivial to do, except now you have to use SecureHyperlink everywhere instead of WOHyperlink.

Okay, so this is security, so it's going to be boring. My demos don't have any flash; there's nothing swirling around. It's just, well, you'll see. Okay, this is my little test app. This is the application that I've included in the WO Security Kit, which by the way will be available as a download at the WWDC download sites or whatever; I'll give you the URL for it later. So it's got a bunch of different things I'm going to be testing here later, but right now we've got this Go Insecure and Go Secure. Right now I'm in secure mode, so I'll go insecure, and I'll go secure, and insecure, secure. You say, you know, Steve has that action with the window, you know, I've got this. All right, okay. That was demo number one.

Okay, now sometimes you might want to encrypt programmatically, and why you'd want to do that, a few occasions, actually maybe a lot. The examples I give there: if you've got some passwords in the database, some personal information, credit card numbers; some people I know at a company lost some of those. And I think another question is how. This is kind of a sticky issue, because, you know, there's all these export restrictions; the National Security Agency is such a big tightwad about this and the export thing. So, you know, you just can't ship something that has strong cryptography; usually you have to, you know, ship something without it and then link the other stuff in later, and then you have to pay a fortune to, well, never mind. Anyway, you've got BSAFE here and JSAFE; these are commercial crypto libraries, one is C-based, one is Java-based, and they're both from RSA Data Systems, I suppose. These are the big ones, the ones that most people out there are using in the commercial space. But there are some free ones, or sort of free. Intel CDSA, I believe, includes some crypto stuff. Microsoft's crypto lib is free but just runs on Win32. I think SS, I don't even know how to pronounce this thing, I think it's SSLeay, some people say SSL-E-A-Y, whatever. Hey, it's for free; you can get it and, you know, do some cryptography with it.

Now, on the encryption techniques: the one thing that is really simplistic is to explicitly encrypt stuff. But if you have some EOs, you have, like, a password attribute in the enterprise object, you might add a couple of accessor methods to it, like, you know, encryptedPassword and setEncryptedPassword, and then do the encryption and decryption in there. And you might actually add a little state to your object to have a cache, so you don't have to keep doing that every time the thing's accessed. That's just one thing that I've seen done. Now, questions I'm not going to be able to answer here, maybe we can talk about it at the end: what key size should you use for this sort of thing, and does my data get less secure as computing power increases? I've kind of got my own opinion about that.

Okay, this is basically the meat of the thing: authentication techniques. Authentication I've basically broken into these, I call them, like, four types of compartments. You've got the logical and the physical. On the logical part you have to answer the questions: are you who you claim to be, and if so, do you have access? And then there's the physical piece: the presentation-specific and the business-policy-specific. It turns out it's difficult to make a login panel. You think, well, a login panel is a couple of text fields and a button; now, it couldn't be easier than that. But there's questions about when to log in, where do you go when you log in, there's different ways of logging in, all these different sort of presentation styles. So I've tried to cover some of these things in the security kit without tying you down.

But anyway, when to log in. This is one of the questions that gets asked. Maybe you want a WebObjects session, you don't even allow the session unless they're logged in, which could be kind of tricky since WebObjects creates the session by default when you access it. Or you could allow surfing, you know, like creating a session, you're going to do your own business through the web app, and then try to do something sensitive and then do an on-demand type of login. Or maybe, you know, you do the on-demand login and then you go to a navigator, or you do an on-demand login and you go straight to the page they wanted to access, which is actually usually the most desirable. And then there's the session timeout: the session times out, and then, you know, maybe instead of showing "Hey, your session timed out, great," you just go to the login page, and then you can get right back to where you were leaving off.

Okay, and then there's this notion I call access posture. Basically I tried to encode a way, or you'd probably have to do this by hand yourself, where you want to default to deny everything or default to allow everything; default to allow or deny direct actions; default to deny or allow privacy, maybe a page can only be viewed under SSL, or maybe you don't want to allow viewing any pages unless they're over SSL; but with certain exceptions for each of those three cases.

Okay, and then these are, like, the three kinds of, actually there's four kinds of ways of gathering credentials. I've listed four there: HTML page; HTTP login panel, by that I mean that little challenge thing that comes up and you type into, it's an actual physical panel that your browser raises up instead of a page; a digital certificate; or a cookie. And there's many different ways to verify those. The top stuff is very presentation-specific, in fact it's entirely presentation-specific; the ones in the middle are very much your-company-specific. And the WO auth policy framework provides all of this. Now, it doesn't provide the cookie authentication technique, but it provides the other three, and provides some delegation hooks for your custom verification business logic.

Now, going to the sessionless login. This gets to the one area that is sort of availability-related. A session can be kind of a heavyweight thing, so you might not want to create one if you can help it. Maybe you only want to allow one if the person has successfully logged in. You also might want to be able to, with a sessionless login, bookmark the login page. It also lets you be able to attempt the login and not get a "session expired". I had some customers who were kind of complaining to me once: okay, I created this login page, my customer was there, they left it up there, they went and got some coffee, came back, logged into the thing, the session expired, couldn't do a damn thing, why did the session expire? So it'd be kind of nice to have a sessionless login where you could not run into that irritation. And in order to use this, if you're using an HTML page, it uses a WOForm and some direct actions. So these are sort of the basic logical things you need to do. This first one is hard to say, I think "defaultAction" shows up about three or four times in it: use the direct action action handler as the default action handler. I've got the code for that in the next slide, and I think that's actually clearer than that. Anyway, force WebObjects to go to your login page instead of Main; by default we go to Main, and Main may have things which directly or indirectly kick off a session that you don't want. And then when you create your login page you have to be very careful you don't call session() anywhere. So you do that, you create your login page, and it doesn't, and yet sessions are getting created, and you're wondering why. And it turns out that you've got a component on your page and that component happened to refer to a session, which meant the session got created. And then you get rid of all those and go, okay, everything's hunky-dory, and go, sessions are still getting created. And that can happen because maybe there's a component action: if there's a WOHyperlink and you've bound an action to it and that shows up on the page, well, component actions imply a session, so one will be created for you to put that session ID in when the page returns. So you have to be really, really careful. It might not be WebObjects, it might be your code, actually, so you should be really careful about that.

Now this is sort of the code that you can use to implement all this. There's other code involved, but these are sort of what I call the secret-handshake type of code. So in your WODirectAction subclass you'd want to override defaultAction and return the login page instead of Main; that'll take you to the login page instead of whatever the Main page is. The second point there forces the system, instead of defaulting to the component action handler when you initially access your app, to use the direct action action handler, which does not create a session unless you explicitly tell it to. So the combination of those two things gives you a sessionless login.

So, to a demo of that. All right, this is HTML, so let's go to the policy editor here. Okay, it's already HTML, good. All right, so I'll go to this. I've got various links here that do various things. This is the private one, so this one needs to be over SSL. This one is going to require a login, so I'll just do a login here and fail, then try and successfully log in, and they're in. So I've just got a flag: this is when I'm logged in, and I'm also over secure mode. So anyway, that was that exciting demo, so let's move on.

Okay, HTTP challenge panel. Now this sounds like it should be really easy to do, and unfortunately it's tricky as hell. There's a tech note in the Info Center that shows you how to do it. In order to make it work, your WOResponse object must emit certain statuses; it has to also set a certain header; and then you have to look for a certain kind of header when it comes in. Oh, and you get all that working and it doesn't work because the web server you're using has an interface that doesn't actually pass the Authorization header. And then once you've got all that, you think you're out of the woods, and you get this blob of Base64-encoded muck that you have to, like, walk through. So it can be a little tricky. To get you started, that's the status you need to set and the header you need to set on the outgoing response to at least force the panel to come up. Then you need to look for a header named Authorization on the incoming WORequest and look at the content of that. And CGI, with Netscape at least, does not pass that header; other web servers with CGI may, I'm not sure; NSAPI definitely does, and this demo is all happening on NSAPI. The slides should be, yes, yeah, in fact I actually made them kind of wordy, so, you know, you'd be able to maybe treat them like a mini outline. This is something that could be useful if you're decoding Base64 data: this is just part of the standard JDK, the Base64 decoder object. And once you have a normal character string that you get from that, you can parse the string and get the username and password out of it.

Okay, so I'll show that. Go to HTTP panel, submit, and I'll start a new session where I'm not logged in, and I'll go to the login-required page; it pops up this little panel, and I'm in. Now, one thing that is kind of neat is that this login technique is using the exact same business logic to actually do the login, but, you know, I was able to kind of on-the-fly change the whole way in which credentials were gathered, using that little policy framework thing. So anyway, more on that later. Okay, need to move on. I don't have one of those little things to throw at them.

Okay, logging in without a login panel. Cookies: I've kind of done this once and regretted it, because when you do this you stick the username and password in the browser, and then this guy who has administration capability decides to access it from someone else's computer, and you've just left your password on their computer. So probably not a good idea. Plus I guess it recently came out that if you're an enterprising website you can pretty much get anyone's cookies if they're using IE, so maybe that's a feature.

Now, if you're going to log in without a login panel, you could use digital certificates. This is really the ultimate in security, although it does have a bit of baggage that comes with it. It reverses the role of username and password; by that I mean basically the SSL protocol proves that you are who you say you are, and then you decide whether you have access, as opposed to the other way around. And obviously it requires SSL to make that work. Okay, now if you're in a WebObjects application, if you get a digital certificate it's going to come in on a header called the client cert, and once you've got that client cert, it's encoded in this ASN.1 blob in Base64 format. Now, you could go and walk that and parse it yourself, or you could use sun.security.x509 and just use that collection of classes; just create yourself an X509Certificate object. And then you might want to validate its status in your code, actually see if the certificate hasn't been revoked, and the security kit includes a wrapper for a framework from ValiCert that wraps such a type of status checker.

Now there's one little sort of hang-up in all this when you use it with WebObjects. Well, there's two ways you can grant access with digital certificates. You can just leave it all to the web server and configure the web server to trust certain CAs and certain digital certificates issued by those CAs, and just be done with it; you know, if they pass that test they're in, if not they don't get in. But odds are you might just want to configure it with the CAs you wish to trust, let the certificate come into your application, and then look at the contents of the certificate, who the person is, where they're from, etc., etc., and then decide whether or not they get access. And that sounds great, except, like the slide says, the WebObjects adapters don't actually pass the cert along intact, or they don't even pass it at all. So the WO Security Kit includes some source code for the CGI and NSAPI adapters, in binary form, the binaries and the source, that pass the certificate correctly and don't even leak.

So this brings me to that second loophole. Just because you have an unexpired digital ID issued by a trusted CA does not mean that it's good; it could be revoked. If your application just trusts a certificate like that, it's very analogous to you going to, like, Target or whatever, whipping out your credit card, saying "Hey, look, credit card, it's Visa, okay, give me $1,000 worth of stuff," and they just did it, like, what? You know, it's amazing, the card's got a hologram, it's good, right? No, they're going to take it, they're going to swipe it through some little device and check whether or not it's actually been stolen and is hot as hell. So you probably ought to check the ID, and there's two ways of doing that: you can download a certificate revocation list from the certificate authority, or you can contact a VA to check the status of the certificate.

Okay, now I'm going to kind of get off into a little bit of la-la land here. I'm going to try and go through these kind of fast; like, I should probably skip them, but I think it's important that some of this information is known. It wasn't really known to me six months ago, so let me just kind of run through it. The way this works with the user is that, you know, if they have a certificate they've got a private key, and they unlock that private key with a passphrase. And at first this struck me as kind of bogus; I mean, we go to all this trouble to have the certificate, with this unbelievably encoded long ten-thousand-bit key, and then I unlock it with "fubar"; you know, just something not right there. But unlike the username-and-password scenario, this passphrase is something you created; it's not shared with anyone, and it never leaves your computer, in theory. It's something just between you and the computer and only you know it, so it's not quite as bad, but it's still a little weak. And there's this other sort of downside too: you've got this private key in a file. A username and password, if you can remember it, you can pretty much take it with you anywhere, but now you have to sort of carry this document with you, and you have to put it on a floppy if you want it to be portable. So typically these things aren't portable; they just sit on one machine, and having things in files is a pretty extraordinarily lame way of establishing security. So there's been some things that have been called smart cards that try to address this, where you put all this information on a smart card. A smart card has a CPU that does all the crypto on it; the private key never leaves the card, so the hacker would have to steal your card in order to impersonate you. And there can be some smart cards that can have attached devices to accept your passphrase directly, and for the truly paranoid that device can be a biometric. So, you know, you could basically log into a website by sticking your smart card into a reader, putting your thumb on it, and then you're logged in. So that's pretty good security, unless someone cuts your thumb off.

So, getting to another demo. Okay, I'm going to close IE here and come back into it, because I want to show you, like, the thing prompting for a digital certificate. I'm just going to do a digital certificate login. So, go to the policy editor here and pick Certificate, and I'll go to something that requires a login. And in this case my computer's not hooked up to the Internet, so I couldn't actually go out to check the status of the certificate. Well, actually, that page is private; let me change the policy on that page so it isn't private anymore. See, page two, remove. I think I should have had this set up before I came in here. Okay, okay, good. Oh, there we go. So a panel pops up, it asks for your certificate, you pick the one you want; I happen to have three, I'm just going to pick this one, and go to, I'm in insecure mode now. Now I'll go to the login-required page. It says, okay, your certificate is not granted access, and the user info, that you can't read, unfortunately, says "could not get status response; validation results: response status equals no". So you might have your own policy for this; you might just grant them all, or you might do something else. The point is I have a delegate hook that gets called, it passes in the certificate, and you can do anything you want in that hook to determine what you're going to do. So, okay, going back to this.

Okay, now blocking access to your app. This can be a little tricky because someone might add a direct action. It's actually possible to override pageWithName and, like, maybe have something that says, well, if this form value is there, we'll just go to this page. I mean, there's lots of different ways of coding things, but maybe you wrote something, and after the fact someone added a direct action or added this sort of hack in there that was meant to do something but sort of defeated your security policy. But if you override appendToResponse, and that page is a component, you can basically catch this sort of stuff, to make sure that a certain test is always okay before you allow that page to be generated. Now that's for, well, that's for generating a component; that does not cover invoking a direct action. It's very hard to invoke a component action unless you have a session, so if it's okay to see the hyperlink it's probably okay to execute it, but it might not be okay to go to where that thing takes you; maybe three of the four different pages it might take you to would be okay, but the fourth one might require you to log in. So that appendToResponse check will handle that. But if it's a direct action, I mean, someone can just type that in there, then you need a page for that; they can just type that right into their browser and go straight there. So this is the choke point for handling that: for generating pages it's appendToResponse; for handling direct actions it's this method performActionNamed. It passes in the name of the action you're about to fire, and you know the full path to it, like fubar/actionName. And if you put some guardian code in these two places you can pretty much protect things pretty well.

So this is sort of an example of what code like that might look like. I've got appendToResponse, I've got some hypothetical method called shouldDenyPageGeneration, and if you shouldn't deny, then you just call super and it processes as normal. But if you should, if it's illegal for you to go there because you're not allowed, maybe because you're not logged in, I create a login page and set the content on it, and I get the content by generateResponse on the login page there. So there's a lot going on in that line right there in the middle, but that's one way of dynamically popping up a login panel if you're not allowed.

Now, to do on-demand login. This is that thing I talked about where you aren't allowed access to something, a login panel pops up, and then you successfully pass the test and you immediately go to the place that you want to go, instead of having to re-navigate all this other nonsense. And the way I recommend doing that is, when you create that login page, set the name of the page on it; don't create an instance of a component or a page and set the page on that, because I've actually seen some people doing that, and I guess that's fine in most cases, but there can be side effects when you generate a page. If you're not allowed to go there, or even see it, why should you even construct the thing? You might be doing something in awake or in the constructor that you don't want to do. So if you just pass the page name, in most cases that's going to be lighter weight and more secure anyway.

So let's do that. Okay, I have to change the policy here. I'll go to Panel, and let's say login is required for this. So I'm going to page three, that's the page I want to go to, and I'm in. So now if I try to go back and access that again, you know, the panel doesn't come up because the session knows that I'm logged in. So that's that.

Now, the security kit. What I've got in this thing is the modified WO adapters I talked about. I included a security white paper in there, which kind of goes into more detail than my presentation does. It's got this WX auth policy framework, which incorporates all the stuff you've been seeing me play around with here. I've also got a framework that wraps some stuff from a company called, I think it's Celo, they're Swedish, maybe it's "C-Lou" or whatever, but they made a plug-in that'll do a digital signature in your browser, and it's got a framework wrapped around it. There's a ValiCert framework that I have wrapped there and created a Java wrapper for it as well. And then the demo app itself, which uses all the above. So, the things that are in the auth policy thing: I've got the credential gathering that you've seen; hooks for custom business logic; I've got this notion of access posture for pages, actions, and privacy; there's the SSL access toggling support in there, just one method you have to call to do that little toggle between secure and insecure pages; then there's the sessionless login support, and some other stuff. And the easiest way to find out how to use it is just to take a look at the CFN.app that I've created. Now, unfortunately, the only way I was able to really guarantee lockdown of the application was to force you to subclass your component, session, direct action, and application from my abstract superclasses. So sorry about that, but, you know, that's security for you; it's constraining. Policy can be set in code or by a GUI component; that component you saw there is part of the kit, you can drop that on a page and control your policy interactively with that thing. And you can get it at this link: enterprise.apple.com, WWDC 2000, with the name of my session, like 409, I believe. And then in that I've got two files: one is just the source code stuff with all the frameworks, and the other one is just this big honkin' blob that has the freebies from Celo and ValiCert.

So let's do a demo of this thing. You've actually sort of seen part of it, but anyway, you can kind of see how we've got different resources here. I've got a page, which, let me just sort of get a new session here. Okay, I've got page one, which you can access in any case; it's always okay to access page one. Page two used to be private; I'll go and make it private again. Actually, I'll show you how this works: page two, and, okay. Okay, I'll actually go insecure. I'm on an insecure link, so if I come in over an insecure link, the thing detects that I did not access this page over SSL and goes, whoa, you're not supposed to see this unless this thing got encrypted, so I'm not even going to send it; I'm going to send you this instead. Okay. And you saw how I was able to, like, flip that on and off by just adding a page name to a list; that's what I meant by an access posture. So, sort of go back to that policy editor. I've got these three access postures. One is for page generation: I'm defaulting to denying all page generation, with those exceptions; page one, page two, the policy editor page, and Main are okay, you can see those without logging in. I've got only one direct action that I'm allowing, defaultAction; that's the action that gets called when the page is initially created, on session creation. And then there's a "should deny all pages not secured"; right now I'm allowing all pages to show up under non-SSL except for those three pages right there. And, you know, there's some other things going on here as well, but I mean that's sort of the main part of it. So, move on to the next thing. This guy with the demo things I'm flipping back and forth on is probably getting pissed. Okay, access control.
now this is the notion of ok they've gotten into your application now what did I just get like it to walk all over everything and everything they want but I think in my experience it's come down to answering two questions and it comes down to answer your yo s answering these questions given an instance of entity a can user B see it or and if so edit it and this access depends on the state of both of these things what kind of view is being edited and what you know what kind of users attempting to edit it this administrator maybe they get to if it's my mother Joe Schmoe maybe they can't and this is sort of what I would call the basic you know access control protocol of your EOS might and might implement can show and can edit getting passed in a user I assume everyone who has an eel model who has a commercial application is going to have a user entity so that's the thing that would get passed in here and this might be a sample hierarchy that you'd have at security oriented you have generic AO which would implement the default access policy you'd have secured do which would dictate certain schema because either euros that need to be secured as opposed to not shown so that might have to have certain relationships to other objects to work and then I've got product in that little diagram which is an example of a concrete AO so you never have an instance of a generic key or security you'd only have instances of a concrete subclass so this is a sample implementation of what generic EO might look like both returning true therefore your default access policies allow everyone to see and edit and then you have exceptions now for security EO this is just again a sample imitation and I assume that anything that inherits from security o that those entities have a 2 1 relationship to a user table called creator and it's got a too many relationship to a nut also to the user table called owners so if the user is equal to creator return true if the user Peston happens to be one of the 
people that owns the thing return true else return false and you can see I can edit policy says well if you can see it you can edit it now you can make this more elaborate but the beauty of about putting this in this abstract superclass called security o is that if you can you can have a pretty sophisticated policy that all of your enterprise objects implement in one place and the logic is in the EOS it's not in the top of the pages asking these questions deciding which you can see what you can't see it's down below all your pages have to do is know how to ask the question they don't have to implement the policy now if the policy gets more interesting you might use this thing called discretionary access control and if you did you want to add more relationships than the ones I had like creator owners groups permission and basically the submit how the UNIX file system works if you really anal like the Department of Defense you might have mandatory access control so you've got set of permissions you have these things called security levels and instead of groups you have this thing called compartments and in addition to just adjusting what you can see and edit it actually affects more than that it affects what you can do in terms of inserting information into the in this case a database so my example here is to actually implement Mac in web objects you'd have to take take advantage some delegates on the editing context so if certain compartments if you're a user if you're a secret user and you're editing things in the marketing department you cannot physically save or insert information into the accounting table that's unclassified for example which is totally opposite of what you think on UNIX I mean if you're the root user goddamn and you can write anywhere you want you know that's the whole thing about being rude but in this case you know if you are mr. 
super top secret you can't write anything except top secret so you're editing context delegate would make sure that before it actually allowed an insert to happen that you know certain relationships were set and if they weren't said it would really reject or raise an exception so getting to integrity this is the fourth section aspects of integrity are data corruption testing making sure something hasn't been tampered verifying the origin and it's implemented using digital signatures and public key cryptography and it's a key thing here is a digital signature and a digital signature is created by something called hashing a message that's just both baggage takes your message puts it into something fixed size and then you use this private key to encrypt that and that encrypted saying is a test to your message and that's a digital signature in 100 words or less okay non-repudiation this is this thing that is really great to have an e-commerce space where you can prove that that jackass actually bought the ten thousand dollar rocking chair okay so in the in the physical world you use ink signatures in a digital world to use digital signatures so business to consumer digital signatures this requires unfortunately some client-side stuff I think this is one reason this hasn't really taken off in the consumer space because you need all this stuff but the other clients require a browser plugin and example applications would be employee form processing a brokerage enrollment account paperless workflow and authorization now there is one development that's happened here they're American Express they don't know if everyone realizes it but you know these blue cards it's a smart card right now you seem to commercial them like twisting it and turning it and pulling it all the other well they don't tell anybody this is actually digital certificate on here it's issued by a company called Cybertron which used to be a division of GE and was bought by a/c a company called Baltimore out 
of Ireland and you really could do cryptography on your system if they ever get around to it so sort of interesting people don't even realize it but there is something getting out there so slowly I guess it's getting into the consumer space remind me not to leave that there okay so I'm going to do a demo here of I was going to originally make this whole like elaborate thing I was going to have all this graphics on here ended up with this ugly thing but I'm going to log in to this guy and actually this needs to be over SSL so let's go secure and go back to it okay so this is like the sort of business plan I had over talking a friend of mine at lunch I said you know why don't we have this like website that you access over SSL these are digital signatures and you digitally sign a confession and then someone in the Vatican responds to you okay so you did something really bad like I like sheep say you know and this is going to load a plugin which has the information about to sign I'm going to pick the certificate I'm going to use enter my past and sign and send this and this is basically what the server got it got the certificate I used to sign it and this thing at the bottom is just the basic ste 4 encoded assigned blob so you know I have proof that I agreed I wrote the statement and that I did what I did and so that you know that they know and they can they maybe send me an email saying well you know you're forgiven if you whatever now I bring this up because it does get to the point of who do you trust now I sent this to this website you know confession com website and I think you know I trust these guys they have the certificate it's issued what I didn't know is that they're a private key was compromised the other day by another company operated out of the Cayman Islands called extortion comm okay and they have this business of selling information to you for a profit so you know you have to check credentials or something like that could happen to you so anyway going 
back to the slides here okay a business to business digital signatures now this is instead of a consumer talking to your web objects application this is to web objects applications talking to each other directly or just to none with objects applications or are you talking to a non web objects application of them talking to you and an example this is basically any kind of a EDI message and the classic one among many is the purchase order so in web objects there's some infrastructure for this so that in forw direct actions can a great way of exposing api to your application on the web over port 80 over HTTP and and so forth and in 45 added a couple of things which makes it even easier it was very difficult in 402 open to basically encode talk to her mode web objects application now if you knew all about socket programming other stuff and you know programmers know about sockets but not everybody knows about sockets okay and and it is a bit cumbersome and stuff sometimes now it's very easy in four or five I mean you can create a request in code send it to remote website get a well response back in code and in do all that now the next question is what the contents you put into those things and the standard that's coming out is XML so you'll see some you know there's XML support and in four five four it's already easy to generate XML web objects is very good generating any kind of content but when you've got some from some other source like another web objects application or some other random entity you didn't really have anything to parse it and the IBM parser that's included you you know you can use to departs it in a meaningful data so just a simple quick b2b scenario here PEO is issued to widget Co by acne corporation it creates an XML document it signs it uses using Java Sun dot security package which includes a digital signature stuff you encrypt this information using widget goes public key so it's nice and private and you sent and you send it using the world 
message API and then on the other end widget code receives this Pio from acne they decrypt it with their private key they verify the digital signatures valid basically be doing the simple digital signature test they make sure the ID is valid I mean someone could issue a purchase order for ten million dollars of the video equipment and we're just going to take that you know you want some credentials or and that in the physical world you have a fax that signed but in the digital world you need to do this mathematically so you know you want to check the digital ID on that well I'll go to that anecdote and later create a digital receipt this is what you'd want widget code to do they can basically take all this information just tie it up in a bow right they've got your signed request they know that they agree to do it they get something called a digital timestamp and they wrap it all up in their digital signature and then they return this and maybe even store it and so now they have mathematical proof that you asked for this and that you agreed to it at this time so it's a pretty neat thing so in summary we've covered some cryptography a little primer and how it works and mainly some stuff on SSL and how to do that in a web Bob cheeks application a bunch of stuff on authentication techniques some stuff on access control and enterprise objects and then integrity of transactions using digital signatures and so forth so more information you seen is about a billion times who to contact Tony earnest and Q&A [Applause]
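The canSee/canEdit protocol from the access control section, in the GenericEO to SecuredEO to concrete Product hierarchy the talk sketches, together with the editing-context-delegate style insert check for mandatory access control, as an added example that is not code from the session or its security kit. Plain Java stands in for EOF (no EOGenericRecord, EOEditingContext or modeled relationships), and every class, field and method name (User, GenericEO, SecuredEO, Product, MandatoryAccessDelegate, securityLevel, clearance) is an assumption for illustration. Two details go a little beyond what the talk states: the administrator exception it only mentions in passing is written out, and MAC levels are a small integer scale.

```java
import java.util.*;

// Added example (not from the session's kit): canSee/canEdit in the EO hierarchy plus a
// MAC insert check. Plain Java replaces EOF; all names below are illustrative assumptions.

/** Stand-in for the User entity every commercial EOModel is assumed to have. */
final class User {
    final String name;
    final boolean isAdmin;
    final int clearance;   // MAC level, assumed scale: 0 unclassified ... 3 top secret
    User(String name, boolean isAdmin, int clearance) {
        this.name = name; this.isAdmin = isAdmin; this.clearance = clearance;
    }
    @Override public String toString() { return name; }
}

/** Default access policy: everyone can see and edit. Subclasses add the exceptions. */
abstract class GenericEO {
    public boolean canSee(User u)  { return true; }
    public boolean canEdit(User u) { return true; }
}

/** Secured entities carry a to-one "creator" and a to-many "owners" relationship to User.
 *  The policy lives here, once; pages only ask the question. */
abstract class SecuredEO extends GenericEO {
    private User creator;
    private final Set<User> owners = new HashSet<User>();
    private int securityLevel;   // MAC classification of the table this EO maps to

    public User creator() { return creator; }
    public void setCreator(User u) { creator = u; }
    public void addToOwners(User u) { owners.add(u); }
    public int securityLevel() { return securityLevel; }
    public void setSecurityLevel(int l) { securityLevel = l; }

    @Override public boolean canSee(User u) {
        if (u == null) return false;          // no session user: deny
        if (u.isAdmin) return true;           // administrators get to (assumed exception)
        if (u.equals(creator)) return true;   // user is the creator
        return owners.contains(u);            // or one of the owners
    }
    /** "If you can see it you can edit it"; tighten here when the policy grows (DAC groups etc.). */
    @Override public boolean canEdit(User u) { return canSee(u); }
}

/** Concrete EO; the only kind that is ever instantiated. */
final class Product extends SecuredEO {
    final String sku;
    Product(String sku, User creator, int level) {
        this.sku = sku; setCreator(creator); setSecurityLevel(level);
    }
}

/** Stand-in for an EOEditingContext delegate enforcing MAC on insert: a subject may not write
 *  into a table classified below its own level ("no write down"), the opposite of UNIX root
 *  writing anywhere. Required relationships must also be set before the save goes through. */
final class MandatoryAccessDelegate {
    static void validateForInsert(SecuredEO eo, User u) {
        if (eo.creator() == null)
            throw new IllegalStateException("creator relationship must be set before insert");
        if (eo.securityLevel() < u.clearance)
            throw new IllegalStateException(u + " at level " + u.clearance
                + " may not insert into a level-" + eo.securityLevel() + " table");
    }
}

/** What a page does: filter by asking each EO, never by re-implementing the policy. */
final class ProductListPage {
    static List<Product> visibleTo(User u, List<Product> all) {
        List<Product> out = new ArrayList<Product>();
        for (Product p : all) if (p.canSee(u)) out.add(p);
        return out;
    }
}

public class AccessControlDemo {
    public static void main(String[] args) {
        User alice = new User("alice", false, 0), bob = new User("bob", false, 0);
        User admin = new User("admin", true, 0), spook = new User("spook", false, 3);
        Product p1 = new Product("WIDGET-1", alice, 0);
        Product p2 = new Product("WIDGET-2", bob, 0);
        p2.addToOwners(alice);   // alice co-owns bob's product
        List<Product> all = Arrays.asList(p1, p2);

        System.out.println("alice sees: " + ProductListPage.visibleTo(alice, all).size());
        System.out.println("bob sees:   " + ProductListPage.visibleTo(bob, all).size());
        System.out.println("anon sees:  " + ProductListPage.visibleTo(null, all).size());
        System.out.println("bob edits p1? " + p1.canEdit(bob) + "  admin edits p1? " + p1.canEdit(admin));

        // A top-secret user inserting into an unclassified (level 0) table is rejected...
        try { MandatoryAccessDelegate.validateForInsert(new Product("ACCT-1", spook, 0), spook); }
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
        // ...while an insert into a top-secret table is allowed.
        MandatoryAccessDelegate.validateForInsert(new Product("SECRET-1", spook, 3), spook);
        System.out.println("top-secret insert into top-secret table accepted");
    }
}
```

Save as AccessControlDemo.java, then `javac AccessControlDemo.java && java AccessControlDemo`. The page class never looks at creator or owners itself; if the policy later adds groups or permissions, only SecuredEO changes.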
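The business-to-business exchange from the purchase order scenario (Acme signs an XML PO, encrypts it for WidgetCo, WidgetCo decrypts, verifies the signature, checks who signed, and returns a timestamped receipt under its own signature), as an added example that is not code from the session or its kit. It uses only java.security and javax.crypto. Its assumptions: key pairs are generated in-process instead of coming from certificates, the trusted-signer comparison stands in for validating the sender's certificate and digital ID, the timestamp is the local clock rather than a timestamp authority, and the XML, party names and Envelope class are constructed for the example. It goes beyond the talk in one respect: RSA cannot encrypt a whole document directly, so it uses hybrid encryption, a fresh AES-GCM key for the PO wrapped with RSA-OAEP for WidgetCo.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not from the session): signed + encrypted PO from Acme to WidgetCo and a
// signed, timestamped receipt back. Keys, XML, names and Envelope are constructed for the demo.
public class SignedPurchaseOrder {

    /** A signed, encrypted message as it would travel over the wire. */
    static final class Envelope {
        final byte[] wrappedKey, iv, ciphertext, signature;
        final PublicKey signer;   // in practice the signer's certificate travels here
        Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext, byte[] signature, PublicKey signer) {
            this.wrappedKey = wrappedKey; this.iv = iv; this.ciphertext = ciphertext;
            this.signature = signature; this.signer = signer;
        }
    }

    /** Digital signature: hash the message and sign the hash with the private key. */
    static byte[] sign(PrivateKey k, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(k); s.update(data); return s.sign();
    }
    static boolean verify(PublicKey k, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(k); s.update(data); return s.verify(sig);
    }

    /** Sender (Acme): sign the PO, then hybrid-encrypt it to the recipient's public key. */
    static Envelope send(byte[] po, KeyPair sender, PublicKey recipient) throws GeneralSecurityException {
        byte[] sig = sign(sender.getPrivate(), po);
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey aes = kg.generateKey();
        byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, aes, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal(po);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, recipient);
        return new Envelope(rsa.wrap(aes), iv, ct, sig, sender.getPublic());
    }

    /** Receiver (WidgetCo): decrypt, verify, check the signer's identity, issue a receipt. */
    static String receive(Envelope env, KeyPair recipient, PublicKey trustedAcmeKey)
            throws GeneralSecurityException {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.UNWRAP_MODE, recipient.getPrivate());
        SecretKey aes = (SecretKey) rsa.unwrap(env.wrappedKey, "AES", Cipher.SECRET_KEY);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.DECRYPT_MODE, aes, new GCMParameterSpec(128, env.iv));
        byte[] po = gcm.doFinal(env.ciphertext);   // AEADBadTagException if tampered in transit

        if (!verify(env.signer, po, env.signature))
            throw new SecurityException("PO signature does not verify");
        // A valid signature only proves that *some* key signed it. Check it is the key we trust
        // for Acme; this stands in for validating the certificate chain and digital ID.
        if (!env.signer.equals(trustedAcmeKey))
            throw new SecurityException("PO signed by an untrusted key");

        // Digital receipt: the signed request, a timestamp, and WidgetCo's signature over both.
        String ts = java.time.Instant.now().toString();   // a real system would use a timestamp authority
        String body = "<receipt><timestamp>" + ts + "</timestamp><po>"
            + Base64.getEncoder().encodeToString(po) + "</po><poSignature>"
            + Base64.getEncoder().encodeToString(env.signature) + "</poSignature></receipt>";
        byte[] rsig = sign(recipient.getPrivate(), body.getBytes(StandardCharsets.UTF_8));
        return body + "\n<receiptSignature>" + Base64.getEncoder().encodeToString(rsig) + "</receiptSignature>";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair acme = kpg.generateKeyPair(), widgetCo = kpg.generateKeyPair();
        String xml = "<purchaseOrder id=\"PO-1001\"><from>Acme</from><to>WidgetCo</to>"
                   + "<item sku=\"WIDGET-1\" qty=\"500\"/></purchaseOrder>";   // constructed PO
        Envelope env = send(xml.getBytes(StandardCharsets.UTF_8), acme, widgetCo.getPublic());
        System.out.println(receive(env, widgetCo, acme.getPublic()));

        // Same PO signed by a key WidgetCo does not trust: the signature verifies, the identity check fails.
        KeyPair stranger = kpg.generateKeyPair();
        Envelope forged = send(xml.getBytes(StandardCharsets.UTF_8), stranger, widgetCo.getPublic());
        try { receive(forged, widgetCo, acme.getPublic()); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Save as SignedPurchaseOrder.java, then `javac SignedPurchaseOrder.java && java SignedPurchaseOrder` (Java 8 or later). The second run through receive is the point of the extortion.com anecdote: the math succeeds, and only the check of whose key it was keeps the order from being accepted.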