5.5 Application layer security protocols



In general, there are three approaches to provide security services at or above the application layer. First, the services can be integrated into each application protocol individually. Second, a generic security system can be built that provides the possibility to incorporate security services into arbitrary application programs. Third, it is possible to leave the application layer as it is and to provide security services above it. [17]

5.5.1     Security-enhanced application protocols

There are several application protocols that have been enhanced to provide integrated security services. For example, the Secure Shell (SSH) is a widely used and deployed protocol that serves as a secure replacement for terminal access and file transfer [61, 62]. DNS Security, or DNSSEC in short, refers to a set of security extensions and enhancements for DNS [63]. Furthermore, there are several cryptographic file systems that have been developed and proposed in the past. Examples include the Cryptographic File System (CFS) [64, 65] and the Andrew File System (AFS) [66].

With regard to Web security, the IETF chartered a Web Transaction Security (WTS) WG [18] in 1995. The goal of the WG was to "develop requirements and a specification for the provision of security services to Web transaction." The starting point was the specification of the Secure Hypertext Transfer Protocol (S-HTTP) that had been developed and was originally proposed by Eric Rescorla and Allan Schiffman on behalf of the CommerceNet consortium in the early 1990s. [19] S-HTTP version 1.0 was publicly released in June 1994 and distributed by the CommerceNet consortium. Since 1995, the S-HTTP specification has been further refined under the auspices of the IETF WTS WG. In August 1999, the S-HTTP was specified and released in an experimental RFC document [67] (complemented by other RFC documents). Due to the success and widespread deployment of SSL and TLS, S-HTTP and the IETF WTS WG silently disappeared.

5.5.2    Authentication and key distribution systems

In the 1990s, a considerable amount of work had been done to develop authentication and key distribution systems that can be used by arbitrary applications to incorporate security services. Examples include the following authentication and key distribution systems:

  • Kerberos, originally developed at MIT;

  • Network Security Program (NetSP), developed by IBM;

  • SPX, developed by DEC;

  • The Exponential Security System (TESS), designed and developed at the University of Karlsruhe.

In addition, there are several extensions to the basic Kerberos authentication system, such as those provided by Yaksha, SESAME (secure European system for applications in a multivendor environment), and the Distributed Computing Environment (DCE) developed by the Open Group. [20] In this section we are not going to describe and discuss the authentication and key distribution systems mentioned above. Instead we refer to [68]. Kerberos will be overviewed and discussed in Section 8.3, when we talk about Kerberos-based authentication and authorization infrastructures (AAIs).

The important thing to keep in mind is that an authentication and key distribution system is to provide an API that makes it simple to secure any application protocol. The API of choice is the Generic Security Services API (GSS API) as specified by the IETF Common Authentication Technology (CAT) WG. [21]

5.5.3    Layering security protocols above the application layer

In addition to security-enhanced application protocols and authentication and key distribution systems, it is possible to layer security protocols above the application layer (i.e., leave the application protocols as they are). In this case, one may use any given (insecure) application protocol and secure the stream of bits and bytes before it is submitted to the application.

There are basically two approaches that can be mentioned in this context: secure messaging (e.g., PGP or S/MIME as further addressed in [69]) and XML security as specified by the World Wide Web Consortium (W3C). In fact, the use of XML makes it possible to encrypt or digitally sign data segments (e.g., messages) in a standardized way before they are transmitted in computer networks or distributed systems. The corresponding specifications are known as XML Encryption and XML Digital Signatures. Because XML security is a very new and still transient topic, it is not further addressed in this book. Note, however, that the IETF XMLDSIG WG [22] has been asked "to develop an XML compliant syntax used for representing the signature of Web resources and portions of protocol messages (anything referenceable by a URI) and procedures for computing and verifying such signatures." In March 2001, the WG came up with a specification that has been submitted to the Internet standards track [70].

In April 2002, Microsoft Corporation, IBM Corporation, and VeriSign, Inc. jointly proposed an architecture and a road map to properly address security within a Web service environment. The specifications that are currently being developed build upon foundational technologies, such as SSL/TLS, SOAP, WSDL, XML Digital Signatures, and XML Encryption. As of this writing, the only specification that is available is the WS-Security specification. In short, it describes how to attach digital signature and encryption headers to SOAP messages. In addition, it describes how to attach security tokens, including binary security tokens such as X.509 certificates and Kerberos tickets, to messages. In addition to the WS-Security specification, there are many specifications in the queue. Examples include the WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation, and WS-Authorization specifications. You may refer to http://www-106.ibm.com/developerworks/library/ws-secmap for a corresponding overview.
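The header layout that WS-Security describes for binary security tokens can be made concrete with the following added example, which is not taken from the book or from any of the named vendors. It uses the namespace URIs of the later OASIS WS-Security 1.0 schemas rather than the 2002 draft; the payload, the token bytes, and the receiver's "exactly one Security header" policy are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.1 and the OASIS WS-Security 1.0 (2004) schemas.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
X509V3 = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-x509-token-profile-1.0#X509v3")
B64 = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-soap-message-security-1.0#Base64Binary")

ET.register_namespace("soap", SOAP)
ET.register_namespace("wsse", WSSE)


def attach_token(body_xml: str, token: bytes) -> bytes:
    """Sender: wrap a payload in a SOAP envelope whose header carries a
    wsse:Security block with one base64-encoded binary security token."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security",
                        {f"{{{SOAP}}}mustUnderstand": "1"})
    bst = ET.SubElement(sec, f"{{{WSSE}}}BinarySecurityToken",
                        {"ValueType": X509V3, "EncodingType": B64})
    bst.text = base64.b64encode(token).decode("ascii")
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    body.append(ET.fromstring(body_xml))  # application payload, unchanged
    return ET.tostring(env)


def extract_tokens(message: bytes) -> list:
    """Receiver: return (ValueType, raw bytes) for each binary token.
    Assumed local policy: exactly one wsse:Security header must be present."""
    env = ET.fromstring(message)
    blocks = env.findall(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    if len(blocks) != 1:
        raise ValueError("expected exactly one wsse:Security header")
    tokens = []
    for bst in blocks[0].findall(f"{{{WSSE}}}BinarySecurityToken"):
        if bst.get("EncodingType") != B64:
            raise ValueError("unsupported token encoding")
        # validate=True rejects characters outside the base64 alphabet
        raw = base64.b64decode(bst.text or "", validate=True)
        tokens.append((bst.get("ValueType"), raw))
    return tokens
```

Extracting a token only locates the credential; the receiver still has to validate the certificate and verify the XML signature that binds it to the message body. For untrusted input, a hardened parser such as defusedxml is preferable to the standard-library one used here.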

[17] For a key agreement protocol based on public key cryptography, PFS ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the private keys is compromised in the future.

[18] In [1], the third approach is discussed in a separate chapter with the title "message security protocols."

[19] http://www.ietf.org/html.charters/wts-charter.html

[20] Launched in 1994 as a nonprofit organization, CommerceNet is dedicated to advancing electronic commerce on the Internet. Its almost 600 member companies and organizations seek solutions to technology issues, sponsor industry pilots, and foster market and business development. The CommerceNet consortium is available on-line at http://www.commerce.net.

[21] The Open Group was formed in early 1996 by the consolidation of two open-systems consortia, namely the Open Software Foundation (OSF) and the X/Open Company Ltd. The Open Group includes a large number of computer vendors, including IBM, DEC, and Microsoft.

[22] http://www.ietf.org/html.charters/cat-charter.html




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
EAN: 2147483647
Year: 2003
Pages: 142
Authors: Rolf Oppliger
