Diffie: Web Services Pose Tricky Security Challenge

"Now, I do most of my computing on a chip a couple of feet in front of me, or if I do it elsewhere, I know it," said Diffie, delivering a keynote at the NetSec 2004 computer security conference here. Most applications run on the user's desktop system or - if they run elsewhere - the user manually went to another site like Google or Amazon.com, Diffie said.

"I believe that within a decade, it will become true that a typical program, without human effort, will go out on the network and look for resources wherever they are avalable," Diffie said.

What kind of resources will programs look for? They could be secret algorithms, like Google's highly guarded search algorithms, or a great deal of computing power, or a great deal of proprietary information, such as the databases at Mead Data, which publishes the NexisLexis compilation of newspaper and magazine articles, Diffie said.

Negotiating agreements between the two computing entities will be part of the new security challenge presented by web serices, Diffie said. The agreements will closely resemble today's contracting and subcontracting arrangements. For example, today, when an engineering firm needs a new part built, they go to a machine shop, which agrees to take the design for the part, build only one prototype, deliver the prototype to the customer, then destroy the designs.

Web services will require similar contracts - only they must be negotiated in fractions of a second, not days, weeks, or months like they are today, Diffie said.

Configuration control is the other challenge of web services; where the remote computing resources demonstrate they can do the job. In today's contracting relationships, a potential contractor might provide references from the Better Business Bureau or satisfied customers; those sorts of mechanisms will need to be built into web services.

"These problems will dominate security over at least the working lifetime of old farts like me," said Diffie, who discovered public key cryptography in 1975. These will be the major problems for secure computing in the same way that encryption and secure operating systems dominated computer security in the 20th Century.

Diffie also said that client-server computing, for all its security flaws, represents a great advance in computer security.

"The least noticed security discovery of the late 20th Century, and certainly the most important outside ot cryptography, is client-server computing," Diffie said. A user looking to isolate sensitive information can encapsulate the information on a single computer and guard access to the computer.

In 1970, a user looking to start a secret project needed to get access to "the big computer that's down in the basement," and create a secure section on that computer, Diffie said.

"Everyone is so worried about network security that they fail to notice that networking has made some great contributions to security," Diffie said. "Now, if you have a secret project, you get a computer, you get a room, you put it in the room, you lock door. You get to decide how the computer communicates with the outside world. Do you carry disks in and out? Do you get a network encryption system?"

The NetSec conference is run by the Computer Security Institute, which is owned by United Business Media, which publishes Security Pipeline, where this article originally appeared.

This story courtesy of Internetweek.