Gateway Security Model
Ted Goldstein
Chief Java Commerce Officer
JavaSoft
Overview
Goals of Java Commerce
Java Wallet user model, business model
Review existing Java Security model
Extending Java Security with the Gateway Security Model
Goal: Electronic Commerce in our Lifetime
Make purchasing a seamless part of the Internet
Charge for content and execution
Create an open platform for purchasing, banking, and finance
Client-side Platform for Commerce
Payment
- Credit Cards (SET)
- Microtransactions
- Smartcards
- Game tokens
- Frequent flyer miles
- Coupons
Customer Service
- Home banking
- Tax software
- Budgeting tools
- Accounting
- Approvals
- Investments
Requirements for a Trustable (not Secure) foundation
- The user must be in control
- Transactions must be private, auditable & authentic
- Code should not perform unauthorized transactions
- Single unambiguous transaction authorization GUI
- Access to cryptography and persistent data storage
- Applications must cooperate safely according to contractually defined relationships
What else would you want?
Non requirements
Prevent users attacking their own system
Prevent compromise of the underlying OS
Provide strong cryptography for non-North American users
What alternatives?
Use tamper resistant hardware devices
Use an OS that can be secure
Get cryptography from other sources
Java Provides a Good Foundation for Commerce
Dynamically downloaded platform independent code
Write Once, Run anywhere (Smart Cards, W3.1, W95, W/NT, Mac, every UNIX, IBM MVS + many others)
Safe, easy, object-oriented language
APIs for Networking, Database access, Multimedia, CORBA, RMI, Servers, Security, Components (Beans), Telephony, Animation, System management, etc.
The Java Phenomenon
250,000+ Java Developers, 120 books
85+ Licensees, 400+ Products, 600+ ISVs
40 Integrated Development Environments
Network Computer JavaStations
All in the last 24 Internet years (24 months)
Existing Java Applet Model
Applications embedded in a web page
Downloaded after the page is read
Sandbox Security Model
Applets of unknown origin are restricted from doing dangerous operations
Signed applets are allowed access to read & write to the disk, network
Integrity of Java language
Base assumptions
Development Integrity
Object Integrity
Code Integrity
Necessary assumptions
Necessary for today’s PC-based Environment
CPU does not have any security flaws
No viruses infect the operating system
Java thin client and Java chips will help
Increase trust, by decreasing dependencies
Towards a provable base
Development Integrity
No security through obscurity
Commitment to Excellence
Tested and reviewed by the best hackers and security experts
We pay in net.fame
Continuous improvement
Object Integrity is preserved
Java closes the loopholes
public, private, protected are checked
all load modules must agree
objects cannot be forged
access cannot be forged
no pointer manipulation
no unchecked casts, #defines
JECF provides APIs to meet the Requirements of Commerce
Trustable graphical user interface
Framework for
Web Merchant developers
Payment system developers
Financial Application developers
Consumer Centered
Wallet User Interface
Extension by Dynamic Cassette Installation
Framework
Architecture
Merchant Applet Layer
Shopping carts and Identity applets
Content, execution charging applets
Cassette Layer
- Payment protocols
- Service applications
Wallet Foundation Layer
- JDK + Wallet UI, Persistent database
- Security, cryptography
Security
Need a fine-grain model like
Capabilities
- Based on ANSA, C.mmp, CAP, System 38, Amoeba, KeyKos, Spring
- Possessing the object confers the right to use
- Java objects are already unforgeable
Gateway Security Model
- Gateway is an OO Pattern [GHJV 95]
- Uses digital signatures for authenticating access to individual Java objects
- Assists implementing contracts
Home Banking and Tax Reporting application
Capabilities in Java
Gates are authentication methods
Permits are objects returned by the gate
Roles are a signature
Ticket is a use-once token of the capabilities
Using a Gate
    // A ticket is a use-once token proving the caller holds a role
    Ticket me = MyTicketFactory.create();
    try {
        // The gate authenticates the ticket and returns a permit (the capability)
        HomeBankingPermit permit = HomeBanking.open_for_tax_reporting(me);
    } catch (RoleViolationException e) {
        // error handling: the ticket did not carry the required role
        ...
    }
Implementing a Gate
    HomeBankingPermit open_for_tax_reporting(Ticket t)
        throws RoleViolationException
    {
        // Only a ticket that verifies under the home-banking key earns a permit
        if (MyHomeBankingPublicKey.stamp(t))
            return new HomeBankingPermit();
        else
            throw new RoleViolationException();
    }
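The two slides above show the gate from the caller's side and from the implementer's side. The following is an added, self-contained illustration of the same gate / ticket / permit / role pattern, written for this page and not taken from JECF; the class names (Role, Ticket, TicketFactory, HomeBanking, HomeBankingPermit, RoleViolationException) and the choice of an RSA signature over a random nonce are assumptions standing in for the slides' MyTicketFactory and MyHomeBankingPublicKey.stamp. It also makes the "use-once" property of a ticket explicit, which the slides state but do not show in code.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.concurrent.atomic.AtomicBoolean;

// Hypothetical names throughout; this is an illustration of the slides' pattern, not JECF's API.
public class GatewayDemo {

    // A role is represented by a signing key pair: whoever holds the private key can mint
    // tickets for that role, and the gate checks tickets against the public half.
    static final class Role {
        final KeyPair keys;
        Role() throws GeneralSecurityException {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            keys = g.generateKeyPair();
        }
    }

    // A ticket is a use-once token: a fresh random nonce signed by the role's private key.
    static final class Ticket {
        final byte[] nonce;
        final byte[] signature;
        private final AtomicBoolean spent = new AtomicBoolean(false);
        Ticket(byte[] nonce, byte[] signature) { this.nonce = nonce; this.signature = signature; }
        // Returns true exactly once; a replayed ticket is refused by the gate.
        boolean spend() { return spent.compareAndSet(false, true); }
    }

    static final class TicketFactory {
        static Ticket create(Role role) throws GeneralSecurityException {
            byte[] nonce = new byte[16];
            new SecureRandom().nextBytes(nonce);
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(role.keys.getPrivate());
            s.update(nonce);
            return new Ticket(nonce, s.sign());
        }
    }

    static final class RoleViolationException extends Exception {
        RoleViolationException(String msg) { super(msg); }
    }

    // The permit is the capability: an ordinary Java object that cannot be forged because
    // its constructor is private, so only the gate in this file can create one.
    static final class HomeBankingPermit {
        private HomeBankingPermit() {}
        String statement() { return "[constructed sample statement]"; }
    }

    static final class HomeBanking {
        private final PublicKey taxReportingRoleKey;
        HomeBanking(PublicKey taxReportingRoleKey) { this.taxReportingRoleKey = taxReportingRoleKey; }

        // The gate: the ticket must verify under the tax-reporting role key and be unspent.
        HomeBankingPermit openForTaxReporting(Ticket t) throws RoleViolationException {
            boolean ok;
            try {
                Signature v = Signature.getInstance("SHA256withRSA");
                v.initVerify(taxReportingRoleKey);
                v.update(t.nonce);
                ok = v.verify(t.signature);
            } catch (GeneralSecurityException e) {
                throw new RoleViolationException("ticket could not be verified: " + e.getMessage());
            }
            if (!ok) throw new RoleViolationException("ticket not signed by the tax-reporting role");
            if (!t.spend()) throw new RoleViolationException("ticket already used");
            return new HomeBankingPermit();
        }
    }

    public static void main(String[] args) throws Exception {
        Role taxReporting = new Role();
        Role stranger = new Role();   // a role the gate was never configured to trust
        HomeBanking bank = new HomeBanking(taxReporting.keys.getPublic());

        Ticket me = TicketFactory.create(taxReporting);
        HomeBankingPermit permit = bank.openForTaxReporting(me);
        System.out.println("permit granted: " + permit.statement());

        try {
            bank.openForTaxReporting(me);
        } catch (RoleViolationException e) {
            System.out.println("replay refused: " + e.getMessage());
        }

        try {
            bank.openForTaxReporting(TicketFactory.create(stranger));
        } catch (RoleViolationException e) {
            System.out.println("wrong role refused: " + e.getMessage());
        }
    }
}
```

The design point worth noticing is that the signature check authenticates the role, while the private constructor on HomeBankingPermit is what makes the returned capability unforgeable; a caller who never passed through the gate has no way to obtain a permit object, which is the property the slides attribute to Java's object integrity.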
Layers of Security in Java Commerce Framework
Integrity rules of the Java language
Byte code verification
Capability objects based on signed code
Password encrypted segmented database
Payment instrument security
The Law
JECF
Business Strategy
Launch with Java Wallet Plug-In
Embed in other Browsers, other Wallets, other Financial Applications
SDK (Java Commerce Tool kit) beta in April
FCS of Wallet and SDK June 30
More Information
Papers, Email and Contact Info:
http://java.sun.com/commerce
Partner Information
commerce@java.sun.com