Communication Security, Application Security and Cryptography : Differences

From the beginning, I have seen people confusing (or mixing up) communication security with application security, though the two have quite different objectives to fulfil. Some go a step further and throw cryptography into the same box, trying to make an alloy of cryptographic goals and communication security goals.
But I feel reality is different. Cryptography can be used as a technique to achieve communication security goals, but not the other way round.
As I see it, communication security ensures any or all of the following three properties while two entities are communicating over some medium (and of course there is a threat that some unknown third party can listen to, or interfere with, their communication).

  • End point or entity authentication: ensures that each of the communicating entities is talking to the right entity and not to an impostor.
  • Message integrity / message authentication: this is always the tricky one. It ensures that a message sent by one party cannot be altered or fabricated in transit without the receiver noticing.
  • Message confidentiality: an unknown or unintended receiver of the message cannot make any sense of its contents.

Now, if we consider application security, it is about achieving goals that come from the design or from the natural behaviour of the application itself. For example, if you are building an email service you need user authentication so that each user gets into their own account, and to edit a user account you need authorization. So application security has mainly two components:

  • User authentication
  • User Authorization

Now, one can use cryptographic techniques to provide strong user authentication and authorization.

A good design should always keep communication security and application security separate, as I see it. It makes life easier for the developer and for the security analyst, and it also makes the application more portable.
As I said, cryptography is used mainly to achieve the communication security goals. Here is an example mapping:

  1. Endpoint authentication : X.509 certificates and a PKI
  2. Message integrity / authentication : a keyed construction built on a secure hash algorithm, such as an HMAC over SHA-256, or a digital signature. A bare hash is not enough here: anyone who can alter the message on the wire can recompute the hash to match, so an unkeyed hash only detects accidental corruption, not deliberate tampering.
  3. Confidentiality : AES (in practice in an authenticated mode such as AES-GCM, which covers point 2 at the same time)
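To make the integrity point concrete, here is an added example (not from the original post) in Python using only the standard library. It models the third party on the wire who can alter a message: against an unkeyed SHA-256 digest the attacker simply recomputes the digest and the receiver notices nothing, whereas against an HMAC the attacker does not hold the shared key, can only replay the old tag, and the forgery is caught. The message bytes and the shared key are constructed for the demo; in a real system the key would come from a key exchange or provisioning step.

```python
"""Added example: unkeyed hash vs. keyed MAC for message integrity.

Models the 'third party on the wire' from the post. The sample messages
and the shared key below are constructed for this demo only.
"""
import hashlib
import hmac
import os

# --- what the sender attaches to a message ------------------------------

def hash_tag(message: bytes) -> bytes:
    """Unkeyed SHA-256 digest: anyone, including an attacker, can compute this."""
    return hashlib.sha256(message).digest()

def mac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: only holders of `key` can compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()

# --- what the receiver checks --------------------------------------------

def verify_hash(message: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking the mismatch position through timing
    return hmac.compare_digest(hash_tag(message), tag)

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, message), tag)

# --- the attacker in the middle ------------------------------------------

def attacker_rewrites_hashed(new_message: bytes) -> tuple[bytes, bytes]:
    """Alters the message and recomputes the unkeyed hash so it still matches."""
    return new_message, hash_tag(new_message)

def attacker_rewrites_maced(new_message: bytes, old_tag: bytes) -> tuple[bytes, bytes]:
    """Alters the message but, lacking the key, can only replay the old tag."""
    return new_message, old_tag

# --- run both scenarios ----------------------------------------------------

def run_scenarios() -> dict[str, bool]:
    """Return whether each scheme accepts an honest message and rejects a forgery."""
    key = os.urandom(32)                 # constructed: shared out of band in reality
    honest = b"transfer 10 to alice"     # constructed sample message
    forged = b"transfer 10 to mallory"   # what the attacker wants delivered

    results = {}

    # Scenario 1: unkeyed hash, i.e. "some secure hash algorithm" on its own
    tag = hash_tag(honest)
    results["hash_accepts_honest"] = verify_hash(honest, tag)
    msg, tag = attacker_rewrites_hashed(forged)
    results["hash_rejects_forgery"] = not verify_hash(msg, tag)   # False: forgery passes

    # Scenario 2: HMAC with a key the attacker does not have
    tag = mac_tag(key, honest)
    results["mac_accepts_honest"] = verify_mac(key, honest, tag)
    msg, tag = attacker_rewrites_maced(forged, tag)
    results["mac_rejects_forgery"] = not verify_mac(key, msg, tag)  # True: forgery caught

    return results

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The same split applies to digital signatures: the verifier holds only the public key, so a signature gives the receiver the integrity and origin guarantees of a MAC plus non-repudiation, at the price of asymmetric-crypto cost per message.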

Some people also use cryptography at the application layer, for example to sign authorization decisions, which makes the application design more complex.

In the next post I will discuss the security mechanisms available at the TCP layer.

Achieving Service Orientation through DSSP

As I discussed in my last post, service orientation can be achieved via a message-passing mechanism (which must be known to both the service provider and the consumer before they start any operation); DSSP from Microsoft is one such mechanism. DSSP defines a way to achieve a service-oriented design.
We can articulate the way DSSP offers service orientation as follows:

  1. DSSP defines a fixed set of operations (GET, UPDATE, INSERT, ...) that a service designer needs to implement in order to provide a service. Now, what is a service in this context? For example, consider a printer as a service. A printer offers the operations "Print Document", "Cancel Printing" and "Jobs". So we can design this printer service using GET (show the printer's jobs), INSERT (print a document) and UPDATE (cancel a print job).
  2. DSSP does not define what the message structure for your service should be; that is up to you. This makes DSSP suitable for a variety of environments. So all the printer companies would have to come together and agree on the message structure for a printing service in order to be interoperable (an HP printer offloading its jobs to a Xerox printer).
  3. The standard DSSP operations are the only mechanism for interacting with a service, both for clients (a PC sending a print order to the printer) and for other services (a Xerox printer offloading its jobs to an HP printer).
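As an added illustration of points 1 to 3 (this is my sketch, not code from the original post, and not DSSP's actual wire format or Microsoft's API), here is a toy printer service in Python. It exposes exactly one entry point that accepts the three named operations and nothing else, and it carries its own assumed message contract (`op`, `document`, `job_id`), which is the part point 2 leaves to the service designer; a client PC and a peer printer would both go through the same three operations.

```python
"""Added example: a toy printer service reachable only through a fixed
operation set (GET / INSERT / UPDATE), in the spirit of the post.

Not DSSP's wire format or Microsoft's API. The message fields
(`op`, `document`, `job_id`) are an assumed schema for this demo.
"""
from dataclasses import dataclass, field

@dataclass
class Job:
    job_id: int
    document: str
    state: str = "queued"

@dataclass
class PrinterService:
    jobs: dict = field(default_factory=dict)
    next_id: int = 1

    # The service's own message contract: which fields each operation requires.
    # This is the part the protocol leaves to the service designer.
    REQUIRED = {"GET": (), "INSERT": ("document",), "UPDATE": ("job_id",)}

    def handle(self, message: dict) -> dict:
        """Single entry point: every interaction is one of the standard ops."""
        handlers = {"GET": self._get, "INSERT": self._insert, "UPDATE": self._update}
        op = message.get("op")
        if op not in handlers:
            # Anything outside the fixed operation set is refused up front.
            return {"status": "error", "reason": f"unsupported operation {op!r}"}
        missing = [f for f in self.REQUIRED[op] if f not in message]
        if missing:
            # Validate the message against the contract before touching state.
            return {"status": "error", "reason": f"missing fields {missing}"}
        return handlers[op](message)

    def _get(self, message: dict) -> dict:
        # "Jobs": list the queue
        return {"status": "ok", "jobs": [vars(j) for j in self.jobs.values()]}

    def _insert(self, message: dict) -> dict:
        # "Print Document": enqueue a new job
        job = Job(self.next_id, message["document"])
        self.jobs[job.job_id] = job
        self.next_id += 1
        return {"status": "ok", "job_id": job.job_id}

    def _update(self, message: dict) -> dict:
        # "Cancel Printing": change the state of an existing job
        job = self.jobs.get(message["job_id"])
        if job is None:
            return {"status": "error", "reason": "no such job"}
        if job.state == "cancelled":
            return {"status": "error", "reason": "already cancelled"}
        job.state = "cancelled"
        return {"status": "ok", "job_id": job.job_id, "state": job.state}

def demo() -> tuple:
    """A PC client prints, cancels, tries an unsupported op, then lists jobs."""
    printer = PrinterService()
    r1 = printer.handle({"op": "INSERT", "document": "report.pdf"})  # constructed input
    r2 = printer.handle({"op": "UPDATE", "job_id": r1["job_id"]})
    r3 = printer.handle({"op": "DELETE", "job_id": 1})  # not part of the contract
    r4 = printer.handle({"op": "GET"})
    return r1, r2, r3, r4

if __name__ == "__main__":
    for r in demo():
        print(r)
```

A peer printer offloading its jobs would call `handle` with the same `INSERT` messages a PC does, which is the interoperability point 2 makes: agree on the message contract once and every party speaks it through the same small operation set.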

DSSP is another attempt at an HTTP-like protocol for service orientation. In my next post I will design a printer service using DSSP, with code samples, and analyse it. It is really getting interesting.

Service Oriented Protocol Or Services Communication Protocol

After reading the article "Protocol independence in a service-oriented architecture" at Techrepublic, I was unsure what exactly it was talking about: how can we achieve protocol independence in a service-oriented architecture? But after reading the SOA specification from OASIS, I think I understand it.
The most confusing part of SOA is the service communication protocol. A service communication protocol defines how different services talk to each other, or how a client (actually a service consumer) requests a service from the service provider.
So a service communication protocol is not a transport protocol like TCP/IP; rather, it is an interaction mechanism for interacting with services. The semantics of the protocol need to be specified before we implement services that can talk to each other.
Again, is semantic SOA trying to solve the "pre-specified meaning" limitation by introducing ontologies? I am still trying to learn that. 🙂
And of course, a protocol which supports service communication and management should be termed a service-oriented protocol, as Microsoft claims for DSSP.
From this definition it is now clear that how you transport messages from one service to another is not within the service communication protocol's scope; what a message means and how to react to it is.